03- Penetration Testing Flashcards
Acceptable use policy
how to use corporate systems and for what they are allowed to be used
COPPA
Regulates the ways that website operators can interact with children under the age of 13
Core Impact
guru in automated testing. It’s the tool that every penetration tester would love to own and use.
External Testing
focused on the server’s infrastructure and underlying software pertaining to the target; can be performed with no prior knowledge of the site or with full disclosure of the topology and environment
FERPA
Governs the handling and disclosure of student educational records by educational institutions
GLBA
Requires that financial institutions develop and implement an information security program that is based upon a risk assessment and a formal written security plan
hacking
Is, unfortunately, a loaded term that in some ways defies definition. Very simply, it is an intrusion upon a system. In some cases, as with Certified Ethical Hackers, this intrusion is solicited for the purposes of defining and ultimately resolving network vulnerabilities. Still, in others, hacking denotes unauthorized access. In some cases, the term “hacker” is used synonymously with “programmer”
HIPPA
Requires that health care providers, health plans, and health care information clearinghouses follow a set of security and privacy standards for protected health information
Internal testing
simulates what an insider attack could accomplish. The targets are the same as external pentesting, but the difference is the attacker either has authorized access or is starting from a point within the internal network.
keylogger
Is a piece of software that secretly records all the keys pressed on a victims computer and then saves them to a log file. Some log files are sent automatically to the attacker or retrieved at a later date. Keystroke loggers can capture keystrokes, screenshots, and other activities on a computer. Keylogging software can be deployed to a computer by email, ftp, remote installation, or by plugging a small device (i.e. USB stick) into the back of a PC where the victim rarely looks
Metasploit
presents a manual framework with a plugin “Armitage” to automate the pen-test.
Nexpose
a sister tool to Metasploit; it is made by the same company, Rapid7
PCI DSS
Regulates merchants and service providers involved in the storage, processing, and transmission of credit and debit card information
Pen testers
Penetration tester; people who perform penetration testing, also called Ethical Hackers
Penetration testing
Is also referred to as ethical hacking; however, the validity of the term “ethical hacker” is debated still today. The primary difference between penetration testing and vulnerability scanning is that penetration testing actually exploits a vulnerability and access to a target resource is obtained to prove without a doubt that the system or resource is vulnerable to attack. As with vulnerability scanning, penetration scanning should occur routinely and only with the permission of the owner whose systems and network are being targeted. Penetration testing can be carried out using a wide range of tools or with a vendor provided solution