
Chapter 8 - 05 - Understand Fundamentals Of Penetration Testing and its Benefits - 01_ocred.pdf


Full Transcript


Certified Cybersecurity Technician
Network Security Assessment Techniques and Tools
Exam 212-82

Module Flow

- Discuss Threat Hunting
- Discuss Various Threat Intelligence Feeds and Sources
- Discuss Vulnerability Assessment
- Discuss Ethical Hacking Concepts
- Understand Fundamentals of Penetration Testing and its Benefits
- Understand the Fundamentals of Configuration Management and Asset Management

Understand Fundamentals of Penetration Testing and its Benefits

This section introduces penetration testing and discusses various concepts related to it, including the types, phases, and methodologies of testing.

Module 08 Page 1093 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

What is Penetration Testing?

- Penetration testing is a type of security testing that evaluates an organization's ability to protect its infrastructure, such as its network, applications, systems, and users, against external as well as internal threats
- It is an effective way of determining the efficacy of the organization's security policies, controls, and technologies
- It involves the active evaluation of the security of the organization's infrastructure by simulating an attack similar to those performed by real attackers

Penetration testing, also called pen testing, goes a step beyond vulnerability scanning in security assessment. Unlike vulnerability scanning, which examines the security of individual computers, network devices, or applications, penetration testing assesses the security model of the network as a whole. Penetration testing can reveal to network administrators, IT managers, and executives the potential consequences of a real attacker breaking into the network. It also sheds light on the security weaknesses missed in typical vulnerability scanning.

Penetration testing is a type of security testing that evaluates an organization's ability to protect its infrastructure, such as its network, applications, systems, and users, from external as well as internal threats. It is an effective way of determining the efficacy of the organization's security policies, controls, and technologies. It involves the active evaluation of the security of the organization's infrastructure by simulating an attack similar to those performed by real attackers. During a penetration test, security measures are actively analyzed for design weaknesses, technical flaws, and vulnerabilities. The test results are documented and delivered in a comprehensive report to executive management and technical audiences.

Benefits of Conducting a Penetration Test

- Reveal vulnerabilities
- Show real risks
- Ensure business continuity
- Reducing client-end attacks
- Establishing the status of the company in terms of security
- Guard the reputation of the company

The following are some of the benefits of conducting a penetration test:

Reveal vulnerabilities: In addition to revealing existing weaknesses in system or application configurations, a penetration test investigates the actions and behavior of an organization's staff that could lead to a data breach. Finally, the tester provides a report containing updates on security vulnerabilities as well as recommendations and policies to improve the overall security.

Show real risks: The tester exploits the identified vulnerabilities to check how a real attacker could behave.

Ensure business continuity: A small interruption can have a great impact on a business. It can cost the company tens to thousands of dollars. Therefore, the availability of the network, access to the resources, and 24/7 communications are necessary to run the business operation. A penetration test discloses potential threats and recommends solutions to ensure that the business operation will not be affected by unexpected downtime or a loss of accessibility.

Reducing client-end attacks: An attacker can break into an organization's systems from the client side, especially via web and online form services. Companies should be prepared to protect their systems from such attacks. If an organization knows which kinds of attacks can be expected, then it knows the signs to look out for and must be able to update the application.

Establishing the status of the company in terms of security: Penetration testing provides knowledge of the security level of a company and its status in terms of security. The tester provides a report on the company's overall security system and the areas needing improvement, and the report includes details on the protection of its infrastructure and the effectiveness of existing security measures.

Guard the reputation of the company: It is important for a company to maintain a good reputation with its partners and clients. Gaining the trust and support of even loyal partners is difficult if the company is affected by a data breach or attack. Organizations should regularly perform penetration tests to protect their data and the trust of their partners and clients.

ROI for Penetration Testing

- Penetration testing helps companies in identifying, understanding, and addressing any vulnerabilities; this saves them a lot of money, resulting in a good ROI
- Demonstration of ROI is a critical process for the successful "sale" of a pen test
- ROI for a pen test is demonstrated with the help of a business case scenario, which includes the expenditure and profits involved
- Companies spend resources on a pen test only if they have proper knowledge of its benefits
- ROI = (Expected Returns - Cost of Investment)/Cost of Investment

Penetration testing helps companies in identifying, understanding, and addressing any vulnerabilities, which saves a lot of money and, in turn, yields a good ROI. The purpose of penetration testing is to discover and expose vulnerabilities in an organization's security system while considering the company's IA and how those assets are related to the business value of the organization. Through a penetration test, the company acquires knowledge of possible risks, vulnerabilities, or threats to IA, as well as the information required to mitigate those risks.

Companies spend resources on penetration testing only if they have proper knowledge of its benefits. Therefore, the demonstration of ROI is a critical process for the successful "sale" of a penetration test. The ROI for penetration testing is demonstrated with the help of a business case scenario, which includes the expenditure and profits involved. Because ROI is a conventional financial measure based on historical data, it is a retrospective metric that yields no insights into how to improve business results in the future.

In practice, most organizations use one or more "financial metrics" individually or collectively and refer to them as "ROI." These metrics include the following:

- Payback period: Time required for the return on an investment to "repay" the sum of the original investment
- Net present value: Present value of future cash flows minus the purchase price
- Internal rate of return: Benefits represented as an interest rate
- ROI: Ratio of the net gain from a planned project divided by its total costs, i.e., ROI = (Expected Returns - Cost of Investment)/Cost of Investment

To calculate the total cost of ownership, the security investment is compared to the potential damage prevented. That is, the cost of the loss to the company's assets is compared with the cost of preventing that loss.
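The four metrics the module lists, worked through on one pen-test business case. This is an added example, not code from the EC-Council material; the pen-test price, breach cost, likelihood reduction and discount rate are constructed figures, and "expected returns" is modelled as the loss the test is expected to prevent (breach cost times the reduction in breach likelihood) each year.

```python
# Added worked example (not from the module): payback period, NPV, IRR and
# ROI for a constructed pen-test business case, as the text defines them.

def roi(expected_returns, cost):
    """ROI = (Expected Returns - Cost of Investment) / Cost of Investment."""
    return (expected_returns - cost) / cost

def payback_period(cost, yearly_returns):
    """Years (fractional) until cumulative returns repay the original investment."""
    cumulative = 0.0
    for year, r in enumerate(yearly_returns, start=1):
        if cumulative + r >= cost:
            return year - 1 + (cost - cumulative) / r
        cumulative += r
    return None  # never repaid within the planning horizon

def npv(rate, cost, yearly_returns):
    """Present value of future cash flows minus the purchase price."""
    discounted = sum(r / (1 + rate) ** t for t, r in enumerate(yearly_returns, start=1))
    return discounted - cost

def irr(cost, yearly_returns, lo=-0.99, hi=10.0):
    """Rate at which NPV is zero (benefits as an interest rate), found by bisection."""
    if npv(lo, cost, yearly_returns) * npv(hi, cost, yearly_returns) > 0:
        return None  # no sign change: no rate in the bracket makes NPV zero
    for _ in range(200):
        mid = (lo + hi) / 2
        if npv(mid, cost, yearly_returns) > 0:
            lo = mid  # NPV still positive: the rate is higher than mid
        else:
            hi = mid
    return (lo + hi) / 2

def business_case(cost, breach_cost, likelihood_reduction, years, discount_rate):
    """Cost of the loss prevented vs. cost of preventing it, as the module frames it.
    Yearly expected return = breach cost x reduction in breach likelihood (assumed)."""
    yearly = [breach_cost * likelihood_reduction] * years
    return {
        "roi": roi(sum(yearly), cost),
        "payback_years": payback_period(cost, yearly),
        "npv": npv(discount_rate, cost, yearly),
        "irr": irr(cost, yearly),
    }

# Constructed inputs: a 25,000 test, a 300,000 breach, 5% lower breach
# likelihood per year over a 3-year horizon, 8% discount rate.
CASE = business_case(cost=25_000, breach_cost=300_000,
                     likelihood_reduction=0.05, years=3, discount_rate=0.08)
```

With these figures the test returns 0.8 (80%) ROI, pays back in 1.67 years, and shows a positive NPV at 8%; changing the likelihood reduction is the quickest way to see how sensitive the case is to that assumption.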
