Sunday, April 15, 2012

What is penetration testing?

The term "penetration testing" is an industry buzzword, which used to mean something quite specific, but is now commonly used by customers to refer to just about any type of security testing. The general process tends to be that your systems get tested, and then at the end you receive a report of the insecure areas that need attention, along with advice on how to fix them. The organizations in the following list provide standards and certifications for both the data and systems that are the subject of regulation, and the consultants and vendors that deliver penetration testing.
 
Penetration Testing Definitions:

Network penetration test – A method that evaluates the security of a network system by conducting an analysis and subsequent examination of potential gaps or “holes” within security operations, flaws within hardware or software configuration or other operational weaknesses that may exist. Once completed, these tests expose security vulnerabilities, assess the impact should a potential security threat occur and follow with a proposal of a technical solution. The outcome of these tests allows businesses to make sound security decisions under certain circumstances such as setting up a new office, deployment of a new network infrastructure or upgrading existing or new applications.
Web application penetration test – Unlike a network penetration test, a web application penetration test focuses on the security and potential risks present with a web application. Using methods attackers use to infiltrate web applications to obtain financial, personal and even medical information, these tests allow programmers to assess weaknesses in both server and client-side applications. Web application penetration tests can be performed manually or with automated software applications to identify possible security breach points, simulate the actual breach and report the final conclusion and resolutions of the test.
Ethical hacking – With increasing concerns about the security of consumer information and private medical records, and as more organizations migrate towards digital systems for greater efficiency and lower costs, the need for computer experts who conduct ethical hacking is increasing. Unlike a black hat (a slang term for computer hacker), who exploits the vulnerabilities of systems to obtain personal information illegally, ethical hacking is performed to secure the safety of computer systems with the sole purpose of preventing non-ethical hackers from gaining access.
Black box testing – This software testing technique, also known as functional testing, is conducted by a tester who has no knowledge of how a software program produces its results. This type of testing has certain advantages. Since both the developer and tester are independent of one another the test remains unbiased. Based upon requirements and specifications, test cases can be designed as soon as the specifications are complete and the tester does not need to know any specific programming language to perform the testing.
White box testing – The purpose of a white box penetration test is to simulate a malicious computer hacker who may have some knowledge and credentials to target a particular system. With white box testing, the tester has direct knowledge of the internal structure of the code, including network diagrams and IP address information just like a potential “hacker” would.
White hat – This term refers to an ethical hacker or a penetration tester. Utilizing a variety of methods, these ethical hackers ensure that an organization’s network system or web applications are secure. Specializing in penetration testing, these “hackers” may employ social engineering attacks and use hacking tools to identify and expose potential “vulnerable” entry points where intruders can gain entry into secured systems.

OWASP
The Open Web Application Security Project (OWASP) is an open source community project developing software tools and knowledge-based documentation that helps people secure web applications and web services. It is an open source reference point for system architects, developers, vendors, consumers and security professionals involved in designing, developing, deploying and testing the security of web applications and web services.
ISACA
ISACA was established in 1967 and has become a pace-setting global organization for information governance, control, security and audit professionals. Its IS Auditing and IS Control standards are followed by practitioners worldwide and its research pinpoints professional issues challenging its constituents. CISA, the Certified Information Systems Auditor is ISACA's cornerstone certification. Since 1978, the CISA exam has measured excellence in the area of IS auditing, control and security and has grown to be globally recognized and adopted worldwide as a symbol of achievement.
OSSTMM
The aim of The Open Source Security Testing Methodology Manual (OSSTMM) is to set forth a standard for Internet security testing. It is intended to form a comprehensive baseline for testing that, if followed, ensures a thorough and comprehensive penetration test has been undertaken. This should enable a client to be certain of the level of technical assessment independently of other organization concerns, such as the corporate profile of the penetration-testing provider.
PCI
The Payment Card Industry (PCI) Data Security Requirements were established in December 2004, and apply to all Members, merchants, and service providers that store, process or transmit cardholder data. As well as a requirement to comply with this standard, there is a requirement to independently prove verification.
CHECK
The CESG IT Health Check scheme was instigated to ensure that sensitive government networks and those constituting the GSI (Government Secure Intranet) and CNI (Critical National Infrastructure) were secured and tested to a consistent high level. The methodology aims to identify known vulnerabilities in IT systems and networks which may compromise the confidentiality, integrity or availability of information held on that IT system.
CREST
The Council for Registered Ethical Security Testers (CREST) exists to serve the needs of a global information security marketplace that increasingly requires the services of a regulated and professional security testing capability. It provides globally recognized, up to date certifications for organizations and individuals providing penetration testing services.
Tiger
Tiger Scheme is a commercial certification scheme for technical security specialists, backed by University standards and covering a wide range of expertise. The Tiger Scheme was founded in 2007, on the principle that a commercial certification scheme run on independent lines would give buyers of security testing services confidence that they were hiring in a recognized and reputable company.
