Pen Test Flashcards
Security Assessment
Any test performed in order to assess the level of security on a network or system
Security Audit
Tests whether an organization is following security policies and procedures
Vulnerability Assessment
Scans and tests for existing vulnerabilities but does not intentionally exploit any of them
Pen test
Scans and tests for existing vulnerabilities AND DOES intentionally exploit them. A signed agreement outlining the scopes and limitations of the pen test should be in place before the test is conducted. A service level agreement (SLA) needs to cover all possibilities.
External Pen Test
Analyzes publicly available information and conducts network scanning, enumeration, and testing from the network perimeter, usually from the Internet
Internal Pen Test
Performed from inside the organization
Red Team
Offensive
Blue Team
Defensive
Automated Pen Testing tools
Core Impact Pro
Codenomicon
Metasploit
CANVAS
Comprehensive PenTest Report
- An executive summary of the organizations overall security posture under the auspices of FISMA, DIACAP, RMF, HIPAA
- The name of all participants and the dates of all tests
- A list of findings, presented in order of highest risk
- An analysis of each finding and recommended mitigation steps
- Log files and other evidence with screenshots
Insider Threats
Pure Insider - an employee
Insider Associate - contractor, guard, cleaning service
Insider Affiliate - spouse, friend or client of an employee
Outside Affiliate - someone outside who uses an open channel to gain access