After more than twenty years of performing professional security testing, I still find it remarkable how many people are confused about what a penetration test is. On many occasions I have been in a meeting where the client is convinced that they want a penetration test; when I explain exactly what one involves, they look at me in shock. So, what exactly is a penetration test? Remember that our abstract methodology had a step for intrusive target search, and that part of that step was another methodology for scanning. The last item in the scanning methodology, exploitation, is the step that is indicative of a penetration test. That one step is the validation of vulnerabilities, and it is what defines penetration testing.

Again, this is not what most clients have in mind when they bring a team in. The majority of them actually want a vulnerability assessment: the vulnerabilities are identified and reported, but not exploited. When you start explaining that you are going to run exploit code and all these really cool things against their systems and/or networks, they are usually quite surprised. Most often, the client will want you to stop short of the validation step. On some occasions, they will ask you to prove what you have found, and then you might get to demonstrate the validation. I was once in a meeting with the stock market IT department of a foreign country, and when I explained what we were about to do to validate the vulnerabilities, the IT Director's reaction was "those are my stockbroker records, and if we lose them, we lose a lot of money!". Hence, we did not perform the validation step in that test.
Building Virtual Pentesting Labs for Advanced Penetration Testing