We live in an era in which hackers target organizations to steal whatever info they can get their hands on.To begin with hackers don’t have to spend much to conduct these cyber attacks even those who don’t have much technical skills or knowledge can do it by hiring hackers or botnets for a fair price but the companies hit by these do have a lot to lose.The companies don’t just get their sensitive info compromised they also lose their reputation and also in some cases face huge sum as fine so it is important to ensure the security posture of the organization.
Since attacks like these are increasing as you read this article it is important guard against such attacks.In order to do so the organizations have to build high walls against the hackers.And how to make sure if the walls are damage resistant against their attacks? That’s where penetration testing comes in.
Penetration testing is basically a monitored and controlled form of hacking conducted by a professional pen-tester(White-hat) who simulates a hacking scenario and uses the same method a hacker would use to break into the organization. And by doing so analyses and makes a detailed report on the vulnerabilities in the organization’s network and applications.
Web application penetration tests
It is done to ensure that there are no vulnerabilities in the organization’s connection to the internet and connection with other external systems such as servers, hosts, devices and network services.
Common security issues include :
- 1.Unpatched OS,apps and server management systems.
- 2.Misconfigured software,firewalls and apps.
- 3.Unused and insecure network protocols.
If the network penetration test identifies any of these problems,organizations can fix the issues by installing appropriate patches or by re-configuring the firewall and softwares, or adding a more secure network protocol.
Web application penetration tests
Applications are the most vital business function of many organizations, being used to process credit card data and other sensitive and personal data.And pen-testing is done on web apps to make sure there are no security issues from insecure practices in the design and coding of the software.
Some common issues are:
- 1.Potential for injection caused by lack of validation which let’s attacker control user’s browser.
- 2.Privilege escalation which lets users have access to more parts of the site or app than they are suppose to.
- 3.Cross-site scripting is caused when the app takes un-trusted data and sends it without proper validation.
Wireless network penetration tests
It is done to identify rogue devices and detect access points in organization’s secured environment.
Common wireless security issues include:
- Rogue and open access points.
- Miconfigured of duplicated wireless networks.
- Insecure encryption standards, such as WEP.
If the wireless network penetration test identifies any of these problems, organizations should find the open access point and disable it, adjust security settings and update the wireless protocol.
Phishing and social engineering penetration tests
It is done to access employees’ susceptibility to break security rules or give access to sensitive information.
Common social engineering issues include:
- Susceptibility to phishing emails;
- Willingness to hand over sensitive information to people without knowing who they are; and
- Giving people physical access to a restricted part of the organization.
If such a problem is identified the organization should invest in staff awareness training to make the understand how social engineering works and how to avoid it.
Originally written for RedTeam Hacker Academy
