Sunday, April 1, 2018

VAPT-1 (Penetration Testing)


Penetration Testing
https://msslinux.blogspot.com/2018/04/pavt-1.html

What is Penetration Testing?
Penetration testing is the process of identifying security vulnerabilities in an application by evaluating the system or network with various malicious techniques. The weak points of a system are exploited in this process through an authorized simulated attack.
The purpose of this test is to secure important data from outsiders like hackers who can have unauthorized access to the system. Once a vulnerability is identified, it is used to exploit the system in order to gain access to sensitive information.
A penetration test is also known as a pen test, and a penetration tester is also referred to as an ethical hacker.

We can figure out the vulnerabilities of a computer system, a web application or a network through penetration testing.
A penetration test tells whether the existing defensive measures employed on the system are strong enough to prevent any security breaches. Penetration test reports also suggest the countermeasures that can be taken to reduce the risk of the system being hacked.


Causes of vulnerabilities:

  • Design and development errors: There can be flaws in the design of hardware and software. These bugs can put your business-critical data at the risk of exposure.
  • Poor system configuration: This is another cause of vulnerability. If the system is poorly configured, it can introduce loopholes through which attackers can enter the system and steal information.
  • Human errors: Human factors like improper disposal of documents, leaving the documents unattended, coding errors, insider threats, sharing passwords over phishing sites, etc. can lead to security breaches.
  • Connectivity: If the system is connected to an unsecured network (open connections), then it comes within reach of hackers.
  • Complexity: The security vulnerability rises in proportion to the complexity of a system. The more features a system has, the more chances of the system being attacked.
  • Passwords: Passwords are used to prevent unauthorized access. They should be strong enough that no one can guess your password. Passwords should not be shared with anyone at any cost and passwords should be changed periodically. In spite of these instructions, at times people reveal their passwords to others, write them down somewhere and keep easy passwords that can be guessed.
  • User Input: You must have heard of SQL injection, buffer overflows, etc. The data received electronically through these methods can be used to attack the receiving system.
  • Management: Security is hard and expensive to manage. Sometimes organizations lag behind in proper risk management, and hence vulnerabilities get introduced into the system.
  • Lack of staff training: This leads to human errors and other vulnerabilities.
  • Communication: Channels like mobile networks, the internet and telephone open up scope for security theft.

Why Penetration testing?

You must have heard of the WannaCry ransomware attack that started in May 2017. It locked more than 2 lakh computers around the world and demanded ransom payments in the Bitcoin cryptocurrency. This attack has affected many big organizations around the globe.
With such massive and dangerous cyber-attacks happening these days, it has become unavoidable to do penetration testing at regular intervals to protect information systems against security breaches.
So, penetration testing is mainly required because:
– Financial or critical data must be secured while transferring it between different systems or over the network.
– Many clients are asking for pen testing as part of the software release cycle.
– To secure user data.
– To find security vulnerabilities in an application.
– To discover loopholes in the system.
– To assess the business impact of successful attacks.
– To meet information security compliance in the organization.
– To implement an effective security strategy in the organization.


 



