We're always trying to simplify how you go about pen-testing your organization. Anytime you make something too complicated there becomes unnecessary barriers to completion. Enjoy this free Guide to Penetration Testing to ensure you complete your penetration tests quickly and efficiently.
1. Project Scope
Before starting your pen-test, you need to determine you plan of attack. This will consist of what to include in the test and will spell out your goals.
Next, you want to start investigating the organization’s online presence to help identify the information that an attacker may look to leverage during their attack. Some typical targets are email address, LinkedIn, and domain name information.
Each discovered network, host, or application is carefully assessed to identify potential entry points, or in some cases, known vulnerabilities for the next stage.
4. The Penetration Test
It’s time to do the actual testing, here’s what you will be able to accomplish in your pen-test:
- Identify vulnerabilities
- Found vulnerabilities are exploited to confirm they are vulnerable
- Passwords are tested, ensuring controls are in place
When a bad actor breaches your machine, they are attempting to gain as much control of the device as possible and obtain the sensitive data you are storing. Attackers will try to escalate their privilege as they obtain access through their penetration test.
This is a technique used to route traffic through a compromised machine in order to access other machines on the network. A pivot point could be a computer that has been compromised from social engineering.
At the end of all of this, you want to have a detailed, yet concise report documenting what occurred during the pen-test. Depending on the original scope, this may include: technical descriptions, steps to produce, collected evidence, and remediation instructions.