Penetration testing by ethical hackers is among the most thorough methods for finding vulnerabilities and increasing protection for a dynamic network of computers. Correctly performed, a penetration test is a covert test in which a paid consultant or ethical hacker plays the role of a hostile attacker who tries to compromise system security. Since the ultimate goal is penetration, the ethical hacking is ideally performed without warning systems administrators, but upper management must approve the testing.
Incorrectly performed, penetration testing also has the potential to cause damage. Unlike other types of testing, which are usually performed cooperatively with an organization's staff, a covert penetration test can cause damage that goes unnoticed for some time.
Crackers routinely scan networks of computers for security flaws that can be exploited (exploits) and then post this sensitive information on the Internet for others to take advantage of. This is one reason why ethical hackers regularly browse known cracker websites and mailing lists to monitor cracker activity. Finding security flaws before crackers do lowers the risk exposure of an organization:
· Even a single incident could cost significantly, in both financial and reputation damage.
· It reduces vulnerabilities and points of intrusion.
· A tight system reduces the probability of attack: attackers will go to easier and more attractive targets.
· An ongoing program lowers insurance rates.
Penetration testing using ethical hacking provides both assurance and insurance: assurance that the given environment will resist attack, and insurance that the organization is acting in a prudent manner. Because penetration testing invariably ends up discovering security holes on client networks and computers, most clients do not want to talk on record about the results of such tests. However, numerous generic examples exist where penetration testing has saved businesses embarrassment and loss of reputation:
· An online services organization always tested prior to new releases.
· A financial institution saved embarrassment prior to the release of a new online brokerage offering.
· Another financial institution has a policy of testing before any internet application goes live.
Ethical hacking services work on the principle of challenge/response. The ethical hacking service uses every possible, probable and plausible attack on the security system to expose often hidden vulnerabilities. These can then be comprehensively addressed with GTL Security Solutions. The steps included in the penetration service are: auditing web applications; code and design reviews; and vulnerability exploitation (simulation of known attacks), both host based and network based. Our four-step implementation methodology includes:
· Information gathering
· Detect services running on the system
· Estimate network topology
· Determine entry points into the system
· Develop the attack process
Penetration testing is an accepted technique. The National Institute of Standards and Technology (NIST) has recently released a document describing a methodology for using network-based tools for testing. Although ethical hacking is an effective measurement tool and a crucial component of any security program, it should only be part of a larger security program. A comprehensive security program incorporating ethical hacking can be used to discover and correct frequent errors early in the design, implementation, and test process, which shortens development time and cost. Ethical hackers provide feedback to system designers and discover problems that may otherwise go undetected. The problem is that crackers can do their own penetration testing and do it more frequently. The best a penetration test can do is to provide a snapshot in time. Periodic testing is necessary to ensure compliance against a baseline. Tools are evolving to do continuous monitoring of security configurations.
Penetration testing is recommended as a recurring activity so that the system is constantly monitored and field-tested against threats. This is especially useful for companies that add new applications to their system. Because all applications are expected to work together seamlessly, a vulnerability in one application can expose the whole system to malicious attacks.
The various benefits to clients are:
· Increased preparedness.
· A robust security infrastructure that is regularly field-tested.
· Enhanced security against new threat perceptions.
· Continual uptime of your IT system without any unwanted outages.
· Enhanced ROI, as the serviceable life of the IT infrastructure is lengthened.