Performing a Penetration Test

Many ethical hackers acting in the role of security professionals use their skills to perform security evaluations or penetration tests. These tests and evaluations have three phases, generally ordered as follows:


  • Preparation: This phase involves a formal agreement between the ethical hacker and the organization. This agreement should include the full scope of the test, the types of attacks (inside or outside) to be used, and the testing types: white, black, or gray box.
  • Conduct Security Evaluation: During this phase, the tests are conducted, after which the tester prepares a formal report of vulnerabilities and other findings.
  • Conclusion: The findings are presented to the organization in this phase, along with any recommendations to improve security.

Notice that the ethical hacker does not "fix" or patch any of the security holes they may find in the target of evaluation. That they do is a common misconception about security audits and penetration tests. The ethical hacker usually does not perform any patching or implementation of countermeasures. The final goal or deliverable is the findings of the test and an analysis of the associated risks. The test is what leads to the findings in the final report, so it must be well documented.

Contrary to popular belief, ethical hackers performing a penetration test must be very organized and efficient, and they must document every finding by taking screenshots, copying the hacking tool output, or printing important log files. Ethical hackers must be very professional and present a well-documented report to be taken seriously in their profession.
