Penetration Testing: Ethical Hacking, and Why That’s Not an Oxymoron!
Ethical hacking, also known as penetration testing, is the process of legally breaking into computers and devices to test an organization’s defenses.
Companies implement this process to test their defenses and identify any system flaws or weaknesses. If penetration testers hack into and beyond the current defenses, this process offers the client a chance to close the gap before a real attacker discovers it. If the penetration test does not discover anything, this goes to show the system is secure.
Penetration testing allows your organization to shrink the window between discovering the vulnerabilities within a system and implementing effective techniques and procedures to protect against future attacks.
All professional penetration testers must follow a code of ethics to guide these processes. The creator of the Certified Ethical Hacker (CEH) exam, the EC-Council, has one of the best public codes of ethics available.
4 Steps for Penetration Testing
1. Scope and goal setting.
It is important for a penetration tester to document an agreed-upon scope and goals. Consider the computer assets, platforms, applications, and services that will be included. Determine the dates for testing, whether the testing should include automated vulnerability scanning, and more.
Penetration testers should also offer clients a Letter of Authorization during this stage. This document provides permission for penetration testers to perform malicious attacks on an organization’s systems and controls.
2. Learn about your target.
Learn as much as possible about the penetration test targets beforehand, including:
- IP addresses
- OS platforms
- Version numbers
- Patch levels
- Advertised network ports
This information will be used to effectively and efficiently plan the simulated attack.
3. Break into the target asset.
The penetration tester needs to exploit a vulnerability to gain unauthorized access to a system. Depending on the details of the scope, the vulnerability discovery can be automated using exploitation or vulnerability scanning software. Next, the tester will determine if horizontal or vertical movement is necessary, depending on whether the attacker moves within the same class of system or outward to non-related systems.
4. Document the pen-test effort.
Finally, the tester should write up and present the final report, including findings and conclusions. This information can be used to implement security upgrades that address any vulnerabilities discovered during testing.
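The scope agreed in step 1 is only useful if every later action is checked against it. The sketch below is an added example, not code from this article or from H2L Solutions: it gates each planned test action on the authorized address ranges, the agreed testing dates, and whether automated scanning was approved. The names Scope and check_target are hypothetical, and the sample scope uses constructed values (documentation address ranges and made-up dates).

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Scope:
    """Hypothetical record of what the signed scope document authorizes."""
    networks: tuple   # CIDR ranges the client placed in scope
    excluded: tuple   # hosts or ranges explicitly carved out of scope
    start: date       # first agreed testing day
    end: date         # last agreed testing day
    allow_automated_scanning: bool


def check_target(scope, target, when, automated=False):
    """Return (allowed, reason) for one planned test action."""
    try:
        addr = ip_address(target)
    except ValueError:
        # Hostnames can resolve outside the agreed ranges, so refuse them here.
        return False, "not an IP address; resolve and re-check against scope"
    if not (scope.start <= when <= scope.end):
        return False, "outside agreed testing dates"
    # Exclusions are checked first so a carve-out beats a broader range.
    if any(addr in ip_network(n) for n in scope.excluded):
        return False, "explicitly excluded"
    if not any(addr in ip_network(n) for n in scope.networks):
        return False, "not in an authorized range"
    if automated and not scope.allow_automated_scanning:
        return False, "automated scanning not authorized"
    return True, "in scope"


# Constructed sample scope: RFC 5737 documentation ranges, made-up dates.
SAMPLE = Scope(
    networks=("192.0.2.0/24", "198.51.100.0/28"),
    excluded=("192.0.2.10/32",),
    start=date(2024, 3, 4),
    end=date(2024, 3, 15),
    allow_automated_scanning=False,
)

if __name__ == "__main__":
    for target, day, auto in [("192.0.2.25", date(2024, 3, 5), False),
                              ("192.0.2.10", date(2024, 3, 5), False),
                              ("192.0.2.25", date(2024, 3, 5), True)]:
        print(target, day, auto, check_target(SAMPLE, target, day, auto))
```

Logging each (allowed, reason) result alongside the action gives the step 4 report a record of what was and was not tested.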
Penetration testers have a keen attention to detail and accuracy. No organization is like any other, and professional penetration testers are prepared for the unique challenges each organization’s systems present.
Recovering from a security breach can cost an organization millions of dollars in remediation efforts, protection, retention programs, and legal activities. By participating in penetration testing, your organization can discover and remediate potential risks before they occur.
H2L Solutions, Inc. is proud to offer penetration testing, cyber threat analysis and mitigation, vulnerability assessment, system security plan, and disaster recovery planning services to its clients.
H2L Solutions implements, tests, administers, and sustains cybersecurity solutions. We have a staff of information security professionals skilled in the development and management of cybersecurity programs. Our professionals assist our clients with multiple layers of information assurance and cybersecurity requirements.