Penetration testing is a series of activities undertaken to identify and exploit security vulnerabilities. Penetration testing can be carried out in several different ways, including zero knowledge, full knowledge, or partial network knowledge. Regardless of what is known about the network, the penetration test team typically starts with basic user access. The team's goal is to advance to root or administrator and control the network or systems. Probably the most important step of a penetration test is the approval. Without the signed consent of the network owner, the penetration test team could very well be breaking the law. A generic model of a penetration test is listed here:
Penetration testing can be performed with the full knowledge of the security staff, as a blind test, or a double-blind test. A blind test is one in which only publicly available information is used. A double-blind test is one in which only publicly available information is used and the security staff is not notified of the event. A double-blind test allows the organization to observe the reactions of the security staff.
These other types of tests should be considered beyond basic penetration tests:
Various guides are available to help the penetration test team members follow a structured methodology for any of the testing scenarios described. The Open Source Security Testing Methodology Manual (OSSTMM) (www.isecom.org) is a good example of a test guide. The Open Web Application Security Project (www.owasp.org) is another source for testing methodologies and tips.