Penetration testing, also known as pen testing or ethical hacking, is an authorized attack on a computer system, network, or application to identify security vulnerabilities. The test is performed by certified security professionals trained to think like a hacker.
There are many reasons to perform a penetration test. Some are motivated by security compliance standards such as SOC, NIST, or PCI. Others stem from shareholder, supplier, or partner influence. The goal of a pen test is to identify and document vulnerabilities and weaknesses within the network being tested. The report includes the methodology used, the impact or severity to the system, and, most importantly, the remediation recommendations that will help direct your team on how to take the corrective measures to secure the discovered issues.
Because every organization has specific goals and a specific threat profile, the scope of a pen testing project may vary from one to another. Typically, the first step is an initial meeting to identify the key players from your team who will be involved in the pen testing, followed by a comprehensive pre-testing questionnaire to gather specific technical information. A typical penetration test includes the following phases:
Discovery phase - Gather information from a variety of sources to gain familiarity with your network.
Threat identification phase - Perform a complete analysis of the exposed attack surface identified in the discovery phase and examine software and configuration information that can be leveraged in an attack.
Testing phase - Perform automated vulnerability testing to identify potential threats that exist within your network. Manual testing is also performed using the data discovered during the threat identification phase.
Attack vector phase - Review the identified threats and vulnerabilities to determine their impact on your overall security posture. The goal is to provide you with a clear understanding of the overall severity associated with the identified findings.
Post-exploitation phase - Review the obtained access and credentials to identify paths that could identify sensitive data or intellectual property.
Post-assessment retest - Provide a retest of the original scope within 60 days of the original test report delivery, including the specific critical and high-risk findings identified in the attack scenario phase that led to initial unauthorized access.
Determine if any systems can be leveraged to launch malicious attacks
Reduce the possibility of malware distribution through the network system
Determine if a hacker can compromise any administrator accounts allowing access to sensitive data
What’s the difference between a penetration test and a vulnerability scan?
Vulnerability assessments and penetration tests are often misunderstood. A vulnerability scan is like a security guard walking around a building perimeter, inspecting doors, windows, and locks to ensure they are stable and functioning properly and do not show apparent damage or weaknesses. A penetration test utilizes the information found in a vulnerability scan but takes the test much further.
During a penetration test, a trained ethical hacker will use the documented vulnerabilities produced by a scan and search for unseen or undocumented vulnerabilities that a real hacker could exploit. They will then verify whether the vulnerabilities found by the scanner, or the ones they discovered on their own, can be manipulated using hacker techniques.
Penetration test standards and methodologies provide an excellent benchmark for the test results. The following are some of the most respected and widely recognized methods used for a penetration test:
OSSTMM - Open Source Security Testing Methodology Manual: Provides a scientific methodology for network penetration testing and vulnerability assessment to identify vulnerabilities from various potential angles of attack.
OWASP - Open Web Application Security Project: Aims to identify vulnerabilities within Web and Mobile applications. Provides over 66 controls in total to assess, in order to identify potential vulnerabilities within functionalities found in modern applications today.
PTES - Penetration Testing Methodologies and Standards: Highlights the most recommended approach to structure a penetration test. These standards guide testers on various steps of a penetration test, including the initial communication, information gathering, and threat modeling phases.
ISSAF - Information Systems Security Assessment Framework: This framework is designed to evaluate network, system, and application controls in a penetration testing methodology. It consists of a three-stage approach and a nine-step evaluation.
NIST - National Institute of Standards and Technology: A set of standards with quality principles that organizations can use to develop secure information security applications and perform security tests. NIST SP 800-115 provides an overview of the essentials of security testing.
Blair Technology Solutions has a team of certified security professionals who have the skills and expertise to conduct full-scale penetration testing. We follow proven methodologies that ensure a complete and thorough audit each time. Whether the audit is part of corporate policy or required by security compliance, we provide you with the evidence you need to satisfy the most demanding requirements. Schedule a discovery call!