Penetration testing or pen testing is a cool job. I’m telling you this before even we take a look at what it is and how it can be done. It’s a kind of white hat hacking practice. Another wacky jargon? Trust me that’s a cool job too. Now, really how many of us will want to get paid legitimately for hacking? This simply means to hack a corporate network and expose its vulnerabilities and security flaws to the company’s IT authorities. Penetration testing is exactly this. You hack a computer or network of a third-party after being officially invited to hack their IT system and expose their security vulnerabilities so that they can enhance their network security and protect their IT infrastructure and corporate data from the real hackers – the ones who hack malignantly and illegally, the black hatters of course!

 

Penetration testing is actually a popular security practice carried out by companies to simulate real hacking scenarios by hiring third-party hackers and IT security experts. All you got to do is to carry out an unexpected hack attack and test the IT infrastructure for known and unknown hardware or software flaws, and operational weaknesses in process or technical countermeasures.

 

Think of yourself as a legitimate professional hacking consultant and practitioner. Instead of inflicting harm via hacking, you actually do good to your clients and help them identify vulnerabilities and protect their IT systems.

Mad Hatter 4.png  

GOALS OF PEN TESTING [1]

  • To determine the feasibility of a particular set of attack vectors
  • To identify higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence
  • To identify vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software
  • To assess the magnitude of potential business and operational impacts of successful attacks
  • To test the ability of network defenders to successfully detect and respond to the attacks
  • To provide evidence to support increased investments in security personnel and technology

 

PENETRATION TESTING & PCI

The new PCI DSS security standard 3.0 calls for penetration testing as one if its mandatory requirements for cardholder data management organizations.

 

Requirement #11: New requirement is to implement a methodology for penetration testing.

  

Take a look at the various requirements of the pen testing process for PCI: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3_Summary_of_Changes.pdf

 

TYPES OF PENETRATION TESTING [2]

  • External Pen Testing: This type of pen test targets a company's externally visible servers or devices including domain name servers (DNS), e-mail servers, Web servers or firewalls. The objective is to find out if an outside attacker can get in and how far they can get in once they've gained access.
  • Internal Pen Testing: This test mimics an inside attack behind the firewall by an authorized user with standard access privileges. This kind of test is useful for estimating how much damage a disgruntled employee could cause.

  

To evaluate how the penetration testing has impacted your organization and to respond to threat vectors in real time, try using security information & event management (SIEM) systems that scan event logs from across your IT infrastructure and provide you a wealth of insight into the security events and non-compliant occurrences on your network and network computers.

 

If you are a street smart hacker who would want to settle for the right and legitimate career which provides rewards for your super genius hacking skills, penetration testing is your cup of tea. Proud to be a white hatter!