Thursday, December 30, 2010

bench3

Using Penetration Testing For IT Security Audit

Penetration testing seeks to find out how effective the security measures you have in place to protect your corporate IT infrastructure really are by putting them to the test. It may involve a number of stages including:
  • Information gathering: using Google and other resources to find out as much as possible about a company, its employees, their names, and so on
  • Port scanning: to establish what machines are connected to a network and what services they have running that may be vulnerable to attack
  • Reconnaissance: contacting particular servers that an organization may be running and getting information from them (like the usernames of employees, or the applications that are running on a server)
  • Network sniffing: to find usernames and passwords as they travel over the network
  • Password attacks: to decrypt passwords found in encrypted form, or to guess passwords to get access to computers or services
Defending a network and attacking a network are two different disciplines that require different mindsets, so it follows that the people best qualified to carry out a penetration test are not corporate security staff – who are experts at defending a network – but hackers, who are experts at attacking one. The best penetration tests involve using the services of "ethical hackers" who are engaged to attempt to break into the network, discover as much information as possible, and get access to as many computers as possible.

A cheaper option is to use penetration-testing software, which searches for vulnerabilities, and in some cases even carries out attacks automatically. A skilled human is more likely to be successful than any software tool, but using penetration-testing software to carry out your own penetration tests is still a good idea.

The software allows you to carry out these tests yourself on a monthly or even weekly basis, or whenever you make significant infrastructure changes, without incurring the costs associated with repeated tests carried out by a consultant. If you use many of the free penetration-testing tools that are available, you will almost certainly be using the same ones that many hackers use as hacking tools. If you can successfully compromise your organization's security with these tools, then so can hackers – even relatively unskilled hackers who know how to use the software.


About bench3 -

Haja Peer Mohamed H, Software Engineer by profession, Author, Founder and CEO of "bench3". You can connect with me on Twitter, Facebook and also on Google+.
