Do you know that several millions of WordPress sites are hacked daily? As bogus as the number may seem, WordPress sites are not the only sites that are attacked by hackers, other sites and personal computers equally are. One reason why some of these sites get so easily hacked is because a “penetration testing” wasn’t done to ascertain the level of vulnerability.Here is an overview about Penetration testing, why it necessary, types and steps involved etc. Also refer the PDF tutorial version.
What is penetration testing?
Penetration testing otherwise referred to as “pen testing” or “security testing” is the act of attacking your own or your clients’ IT systems to mimic an attack by a hacker, in order to detect security flaws within the system and then take appropriate measures to get them fixed.
Before carrying out a penetration testing
It should be noted that hacking is illegal in most countries and it attracts serious punishment if one is caught hacking into another person’s system. Therefore, before performing penetration testing, it is required that you inform the owner of the IT system about what you intend to do, and be sure that he/she grants you the ‘Go ahead’.
Why penetration testing is necessary
Penetration testing is necessary for the following reasons:
- Penetration testing is needed to guarantee the security of data in the financial sectors like stock trading exchanges, banks, and Investment banking.
- Doing penetration testing proactively is the best way to ensure your system is not hacked.
- In a situation whereby the software system has already been hacked, penetration testing becomes the best way to determine whether there are still loopholes that potential hackers can cash in on to repeat a future hack.
Types of penetration testing
Essentially, there are three types of penetration testing. The type of test carried out depends on the type of attack that is anticipated from within or from without. The three types of testing include
In a black box testing, the tester has no prior knowledge of the system he is to test. He does the collection of data about what is to be tested by himself.
In white box penetration testing, the complete information that the tester needs to perform the test is provided to him. It is intended to mimic an attack from an insider or an employee.
In grey box penetration testing, partial knowledge of the system is provided to the tester. This is taken as an attack by an external hacker who has already gained unpermitted access to the database of an organization.
Steps in penetration testing
In order to effectively perform a penetration testing, the following activities are required:
- Planning phase
- To determine the scope and strategy of the test
- The scope is defined through existing security policies and standards
- Discovery phase
- All necessary information – data, usernames, passwords, etc are collected. This is equally referred to as FINGERPRINTING
- Scan, as well as probe into the ports
- Check the system for vulnerabilities
- Attack phase
- Get necessary security privileges and then look for exploits for the various vulnerabilities
- Reporting phase
- Your report must contain comprehensive discoveries
- Risks of vulnerabilities detected and the possible impact on business
- Advice and solutions (if there are any)
Penetration testing is ‘a must’ for any business that wishes to operate in a healthy and risk-free environment. It is the best way to act proactively to keep your databases free from attacks.