What Is Penetration Testing?

It seems like every day dawns with a new headline regarding the latest cybersecurity attack. Hackers continue to steal millions of records and billions of dollars at an alarming frequency. The key to combating their efforts is to conduct thorough penetration tests throughout the year.

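Penetration testing is designed to assess your security before an attacker does. Penetration testing tools simulate real-world attack scenarios to discover and exploit security gaps that could lead to stolen records, compromised credentials, intellectual property, personally identifiable information (PII), cardholder data, personal, protected health information, data ransom, or other harmful business outcomes. By exploiting security vulnerabilities, penetration testing helps you determine how to best mitigate and protect your vital business data from future cybersecurity attacks.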

What Are the Five Stages of Penetration Testing?

With any typical pen test, there are five key stages that must be completed:

1. Reconnaissance and Intelligence Gathering

Before the penetration testing team takes any action, suitable information gathering must be completed on the prospective target. This period is vital to establishing an attack plan and serves as the staging ground for the entirety of the engagement.

2. Scanning

Following the reconnaissance stage, a collection of scans is performed on the target to decipher how their security systems will counter multiple breach attempts. The discovery of vulnerabilities, open ports, and other areas of weakness within a network’s infrastructure can dictate how pen testers will continue with the planned attack.

3. Gaining Access

Once data has been collected, penetration testers leverage common web application attacks such as SQL injection and cross-site scripting to exploit any existing vulnerabilities. Now that access has been obtained, testers attempt to imitate the scope of the potential damage that could be generated from a malicious attack.

4. Maintaining Access

The main goal of this stage is to achieve a state of constant presence within the target environment. Over time, more data is collected throughout the exploited system, which allows the testers to mimic advanced persistent threats.

5. Covering Tracks/Analysis

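Finally, once the engagement is complete, any trace of the attack must be eliminated to ensure anonymity. Log events, scripts, and other executables that could be discovered by the target should be completely untraceable. A comprehensive report with an in-depth analysis of the entire engagement will be shared with the target to highlight key vulnerabilities, gaps, the potential impact of a breach, and a variety of other essential security program components.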

How Is Penetration Testing Done?

Penetration testing can either be done in-house by your own experts using penetration testing tools, or you can outsource it to a penetration testing services provider. A penetration test starts with the security professional enumerating the target network to find vulnerable systems and/or accounts. This means scanning each system on the network for open ports that have services running on them. It is extremely rare that an entire network has every service configured correctly, properly password-protected, and fully patched. Once the penetration tester has a good understanding of the network and the vulnerabilities that are present, he/she will use a penetration testing tool to exploit a vulnerability in order to gain unwelcome access.

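However, security professionals do not just target systems. Often, penetration testers attack the users on a network through phishing emails, pre-text calling, or onsite social engineering.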

How Do You Test the "User Risk" in Your IT Security Chain?

Your users present an additional risk factor as well. Attacking a network via human error or compromised credentials is nothing new. If the continuous cybersecurity attacks and data breaches have taught us anything, it’s that the easiest way for a hacker to enter a network and steal data or funds is still through network users.

Compromised credentials are the top attack vector across reported data breaches year after year, a trend confirmed by the Verizon Data Breach Report. Part of a penetration test’s job is to resolve the aforementioned security threat caused by user error. A pen tester will attempt brute-force password guessing of discovered accounts to gain access to systems and applications. While compromising one machine can lead to a breach, in a real-life scenario an attacker will typically use lateral movement to eventually land on a critical asset.
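Seen from the defending side, the password guessing described above leaves a recognizable pattern in authentication logs. The following added example (not part of the original page) flags a source that accumulates failed logins and then succeeds; the log format, sample lines, threshold, and window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in an assumed "timestamp result user source" format.
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL alice 10.0.0.5
2024-05-01T09:00:03 FAIL alice 10.0.0.5
2024-05-01T09:00:05 FAIL bob 10.0.0.5
2024-05-01T09:00:08 FAIL bob 10.0.0.5
2024-05-01T09:00:10 FAIL carol 10.0.0.9
2024-05-01T09:00:12 FAIL svc_backup 10.0.0.5
2024-05-01T09:00:15 FAIL svc_backup 10.0.0.5
2024-05-01T09:00:20 OK carol 10.0.0.9
2024-05-01T09:00:31 OK svc_backup 10.0.0.5
"""

LINE = re.compile(r"^(\S+) (FAIL|OK) (\S+) (\S+)$")

def detect_guessing(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return one finding per successful login that follows at least
    `threshold` failures from the same source within `window`."""
    recent = defaultdict(list)  # source -> [(time, user)] of recent failures
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        ts, result, user, src = m.groups()
        now = datetime.fromisoformat(ts)
        # Keep only failures that are still inside the sliding window.
        recent[src] = [(t, u) for t, u in recent[src] if now - t <= window]
        if result == "FAIL":
            recent[src].append((now, user))
        elif len(recent[src]) >= threshold:
            findings.append({
                "source": src,
                "account": user,
                "time": ts,
                "failures": len(recent[src]),
                "accounts_tried": sorted({u for _, u in recent[src]}),
            })
            recent[src].clear()  # start fresh after reporting
    return findings

if __name__ == "__main__":
    for f in detect_guessing(SAMPLE_LOG):
        print(f)
```

A single mistyped password followed by a success (the 10.0.0.9 lines) stays below the threshold and is not reported.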

Another common way to test the security of your network users is through a simulated phishing attack. Phishing attacks use personalized communication methods to convince the target to do something that’s not in their best interest. For example, a phishing attack might convince a user that it’s time for a "mandatory password reset" and to click on an embedded email link. Whether clicking on the malicious link drops malware or it simply gives the attacker the door they need to steal credentials for future use, phishing attacks are one of the easiest ways to exploit network users. If you are looking to test your users’ awareness around phishing attacks, make sure that the penetration testing tool you use has these capabilities.

What Does Penetration Testing Mean for a Business?

Penetration testing is an essential component of network security. Through these tests, a business can identify:

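  1. Security vulnerabilities before hackers attack
  2. Gaps in information security compliance
  3. The response time of their information security team, i.e. how long it takes the team to realize that there is a breach and mitigate the impact
  4. The potential real-world effect of a data breach or cybersecurity attack
  5. Actionable remediation guidance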

Through penetration testing, security professionals can effectively find and test the security of multi-tier network architectures, custom applications, web services, and other IT components. These penetration testing tools and services help you gain fast insight into the areas of highest risk so that you may effectively plan security budgets and projects. Thoroughly testing the entirety of a business's IT infrastructure is imperative to taking the precautions needed to secure vital data from cybersecurity hackers, while simultaneously improving the response time of an IT department in the event of an attack.
