Penetration Test
Penetration tests focus on infrastructures and systems, and are built around a notion of outside and inside.
Outside: out of the domain (other domain or the internet).
Inside: in the domain.
A penetration test assesses the capability of entering a domain and the impact of doing so.
How an attacker entered (which flaws or bugs were used).
How/if an attacker moved laterally.
Which other systems may the attacker have reached?
What data/systems were impacted?
Was data exfiltrated?
Why
An essential process in current organizations, products, and systems.
Two distinct views: Internal and External.
The current organizational landscape is complex.
Heterogeneous computing environment.
Servers, desktops, laptops, BYOD…
Multiple applications.
From multiple vendors.
Developed over time, using different tools, languages, and stacks.
Rely on communication networks.
Not all are confined (e.g. Wi-Fi).
Rely on external services and actors.
It is important to understand what the risks are, what to address, and which processes should be in place.
Standard defensive measures are not enough.
They help create/operate the software with greater security.
They are also limited by the mindset of the developers/ops.
Defensive technologies are limited in capabilities.
Firewall: filters packets and connections.
Mostly used as perimeter control devices (but do not supervise internal networks).
Inspects packets in the clear, or publicly visible data (ports, IP addresses, protocols), but struggles with TLS.
WAF: filters HTTP requests.
Matches profiles of known attacks (deny list), or allowed requests (allow list), but may be circumvented.
IDS: Network/Host Intrusion Detection Systems monitor network or OS changes.
Matches profiles of known attacks, but may be circumvented.
May detect and block an attack AFTER it has been carried out.
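
Added example (not part of the original notes): a minimal Python sketch of the deny-list and allow-list filtering described above for a WAF, showing why signatures must run on normalized input and why a deny list only stops what it already knows. The `file` parameter, the patterns and the sample values are constructed for illustration and are not a real rule set.

```python
import re
from urllib.parse import unquote

# Constructed deny-list signatures (illustrative only).
DENY_PATTERNS = [re.compile(r"\.\./"), re.compile(r"<script", re.IGNORECASE)]

# Constructed allow list: the only shape a hypothetical "file" parameter may take.
ALLOWED_FILE = re.compile(r"[A-Za-z0-9_-]{1,64}\.(?:pdf|png|txt)")


def normalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode (bounded, repeated) so the filter sees what the app will see."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def deny_list_allows(value: str, normalize_first: bool) -> bool:
    """True when no known-bad signature matches."""
    candidate = normalize(value) if normalize_first else value
    return not any(p.search(candidate) for p in DENY_PATTERNS)


def allow_list_allows(value: str) -> bool:
    """True only when the whole normalized value matches the expected shape."""
    return ALLOWED_FILE.fullmatch(normalize(value)) is not None


# Constructed sample parameter values.
SAMPLES = ["report_2024.pdf", "../../etc/passwd", "%2e%2e%2fsecret.txt", "notes.exe"]


def evaluate(samples=SAMPLES):
    """Map each sample to (deny list on raw input, deny list on normalized input, allow list)."""
    return {
        s: (deny_list_allows(s, False), deny_list_allows(s, True), allow_list_allows(s))
        for s in samples
    }


if __name__ == "__main__":
    print(f"{'value':<24}{'deny/raw':<10}{'deny/norm':<11}allow-list")
    for value, (raw, norm, allow) in evaluate().items():
        print(f"{value:<24}{str(raw):<10}{str(norm):<11}{allow}")
```

The encoded sample passes the deny list when it is matched against raw input, and `notes.exe` passes the deny list in both modes because no signature describes it; the allow list rejects both.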