Ethical Hacking: Penetration Testing
Cyber security risk analysis

There are a number of different methods for estimating and analysing the cyber risks associated with an organisation's assets. The more detailed and formal ones are used in environments requiring a high degree of security, such as critical infrastructure or financial institutions. Here we'll discuss a relatively straightforward method which can be used during meetings to try to quantify the risk in front of management. First, we need to introduce a few terms:

Asset: an entity in the organisation with an estimated value. This is what we will be looking to protect. An asset can be anything, such as intellectual property, databases, servers critical for business operations, or the employees themselves (who we will need to protect against social engineering attacks).

Risk: the potential for the security controls of an asset to be compromised, leading to its damage or loss. This is what we will be looking to estimate and eventually control and minimise.

Threat: an event that has the potential to materialise the risk and compromise the security of an asset. There are a number of threats we might need to consider, ranging from accidental events, such as equipment malfunction and employee mistakes, to deliberate cyber attacks and insider threats.
Coventry University online course, Ethical Hacking: An Introduction
Choosing your penetration testing team

Let's briefly discuss the commissioning of a penetration test from a company perspective. When an organisation begins planning a penetration testing project, there are a number of factors to consider.

First, it needs to determine the security areas to be addressed. For example, if a new piece of software has been developed, the company will need to decide whether it wants a full source code audit and a white-box pentest, or black-box testing on the full deployment stack. Alternatively, the organisation might need to evaluate the security posture of its environment; in this case, it will need to decide which parts of the infrastructure should be included in the scope (software, hardware, networking, etc.) as well as whether to test the employees' security awareness. Based on this draft plan, we'll be able to draw up some requirements for the expertise and experience of the pentesting team and build a shortlist of consultancies able to do the assignment.

The organisation also needs to determine what kind of threats it will face, thinking about the type, sophistication and determination levels of any attackers. This will guide the penetration testers towards the type of attacks they need to simulate. In general, we should avoid pentesting live production systems and aim to emulate the full deployment stack as closely as possible in a virtualised environment. In some cases, however, that is not feasible and we have to target the actual systems, so we need to ensure that the pentesting team has the expertise and experience required to test production systems. Following that, they will be able to identify the technology areas to be covered as well as the expertise areas required. You should also be able to obtain good references from the pentesters' past and present clients.

Sometimes, the consultants might not be able to give you detailed references for all the recent projects they have done, particularly if these were for government, law enforcement or intelligence services. However, the fact that they have worked on such classified assignments is a good indication that they know what they are doing and have already been vetted. It is never a good idea to employ a former malicious hacker unless you know what you are doing and really need their expertise.

The final project plan will be drawn up together with the consultants. It will include the scope of the test, engagement terms, communication channels and the set of deliverables, and will form the basis for the formal contract. The contract with the consultants should also include liability for damage (accidents or negligence): they should have insurance covering that. Ideally, the contract should also specify who the members of the pentesting team are, ensuring that the team as a whole covers the required expertise, and that the team members are experienced, competent and hold relevant degrees and/or certifications. This also provides some assurance that the work will be done by the experienced professionals promised, rather than only by inexperienced ones.

Finally, the contract should include guarantees that all assets (information and items) accessed during the test will be kept confidential and disposed of at the end of the test. Sometimes the consultants might want to retain part of the data collected during the project, for example if they have discovered that the organisation has been compromised and have collected some evidence (e.g. malware samples, network traffic, etc.). In such cases, we need to make sure that the retained data does not include any sensitive information and is sufficiently anonymised.