Pen Attack and Cyber Terrorism


Introduction

Penetration testing, also known as a pen test or ethical hacking, is an authorized simulated cyberattack on a computer system, carried out to evaluate the security of that system; it is not the same as a vulnerability assessment. The test is conducted to identify weaknesses, including the potential for unauthorized parties to gain access to the system's features and data, as well as strengths. This makes it possible to complete a full risk assessment (Ayala et al., 2020).

Pen Testing

In the context of web application security, pen testing is commonly used to augment a web application firewall (WAF). It involves attempting to breach any number of application systems, such as backend/frontend servers and application protocol interfaces, that may be susceptible to code injection attacks. The process identifies the target system and a specific objective, then reviews the available information and uses various means to attain that objective. The target of a pen test may be a white box, where system and background information is provided to the tester in advance. It may also be a black box, where only basic information, if any, other than the organization's identity is provided. A gray box pen test is a combination of the two, where limited knowledge is shared with the auditor.

Penetration tests can identify the vulnerabilities that leave a system open to attack and estimate how exposed it is. The security issues discovered through a pen test are supposed to be formally reported to the system owner. The report may also evaluate the potential impact on the organization and suggest countermeasures to mitigate the risk. The insights it provides can be used to fine-tune WAF security policies and patch the vulnerabilities that were detected. The goals of ethical hacking differ depending on the kind of activity approved for a particular engagement. However, the fundamental objective is to identify vulnerabilities that could be exploited by a nefarious actor and to notify the client of those vulnerabilities along with the most appropriate mitigation strategies. Pen tests are considered a component of a full security audit (Fischer et al., 2020).

Stages of pen tests

The penetration testing process can be divided into five phases. The first is planning and surveillance, which focuses on defining the goals and scope of the test, the systems to be addressed, and the testing methods to be used. It also involves collecting intelligence, such as domain and network names, to better understand how the target operates and what weaknesses might be present. The information acquired can then be used to attack the target more effectively. For instance, open-source search engines can be used to find data that might be used in a social engineering attack.

The second phase is scanning, which involves understanding how the target application responds to different intrusion attempts. This is done through static analysis, which inspects the application's code to estimate how it behaves while running. Static analysis tools can scan the entirety of the code in a single pass. There is also dynamic analysis, which inspects the application's code in a running state. It is the more practical way of scanning, since it provides a real-time view into the performance of the application.

The third phase is gaining access, using the data collected in the surveillance and scanning stages. The tester can use a payload to exploit the target system; for example, Metasploit is used to automate attacks on the weaknesses that were identified. This phase uses web application attacks, such as backdoors and SQL injection, to identify a target's weaknesses. The testers then attempt to exploit these weaknesses, typically through privilege escalation, data theft, traffic interception, among others, to understand the damage they can cause (Stolte and Cox, 2020).

The fourth phase is maintaining access, which means taking the steps required to remain persistent within the target environment in order to collect as much data as possible. The objective of this phase is to find out whether the weaknesses can be used to achieve a persistent presence in the exploited system, long enough for an attacker to gain in-depth access. The goal is to imitate advanced persistent threats, which often remain in a system for some time in order to steal an organization's most sensitive data.

The final stage is analysis, in which the results of the pen test are compiled into a detailed report covering the specific weaknesses that were exploited, any sensitive data that was accessed, and the length of time the pen tester was able to stay in the system without being detected. Security personnel analyze this information to help configure the enterprise's WAF settings and other application security solutions, in order to patch weaknesses and protect against future attacks. There is also a need to cover tracks: the attacker is supposed to clear any traces of the compromise of the victim's system, the type of data collected, and the log events, in order to remain anonymous.

Methods of pen test

Various methods are used in penetration testing, including the following.

External testing mainly targets the visible assets of an organization. Its objective is to gain access and extract valuable data. In internal testing, a tester with access to an application behind the firewall simulates an attack by a malicious insider. Another method is blind testing, in which the tester is given the identity of the organization being targeted. This gives security personnel a real-time look at how an actual application assault might take place. In double-blind testing, security personnel have no prior knowledge of the simulated attack. The last method is targeted testing, in which the tester and security personnel work together and keep each other apprised of their movements. It is a valuable training exercise that gives the security team real-time feedback from a hacker's point of view.

Pen testing and web application firewalls

Pen tests and WAFs are exclusive, yet mutually beneficial, security measures. For most types of penetration testing, apart from blind and double-blind tests, the tester is likely to use WAF data, such as logs, to locate and exploit an application's weak points. In turn, WAF administrators can benefit from pen testing data. After a test is completed, WAF configurations are updated to secure against the weak spots identified in the test (Verhegge et al., 2021).
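The feedback loop described above can be sketched as follows. This added example (not part of the original essay) compares a constructed list of pen test findings against constructed WAF log lines and reports, for each finding, whether the WAF blocked the test traffic, so administrators can see where rules need updating. The log format, rule names, finding IDs and paths are all assumptions made for illustration, and the log is assumed to cover only the test window.

```python
import re
from collections import defaultdict

# Constructed WAF log in an assumed format: time action rule=<id> method uri
WAF_LOG = """\
2024-01-10T10:00:01Z BLOCK rule=R-101 GET /search?q=test
2024-01-10T10:00:05Z ALLOW rule=- POST /api/orders
2024-01-10T10:00:09Z ALLOW rule=- GET /profile?id=7
2024-01-10T10:00:12Z BLOCK rule=R-202 GET /profile?id=7
2024-01-10T10:00:20Z ALLOW rule=- POST /api/orders
this line is malformed and must be skipped
"""

# Constructed findings as they might appear in a pen test report.
FINDINGS = [
    {"id": "PT-01", "path": "/search", "issue": "SQL injection"},
    {"id": "PT-02", "path": "/api/orders", "issue": "SQL injection"},
    {"id": "PT-03", "path": "/profile", "issue": "privilege escalation"},
    {"id": "PT-04", "path": "/admin/export", "issue": "data theft"},
]

LINE_RE = re.compile(r"^(\S+) (BLOCK|ALLOW) rule=(\S+) (\S+) (\S+)$")

def parse_log(text):
    """Count BLOCK/ALLOW decisions per URI path, skipping malformed lines."""
    counts = defaultdict(lambda: {"BLOCK": 0, "ALLOW": 0})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        action, uri = m.group(2), m.group(5)
        counts[uri.split("?", 1)[0]][action] += 1
    return counts

def waf_coverage(findings, log_text):
    """Map each finding ID to blocked / partial / unblocked / no_traffic."""
    counts = parse_log(log_text)
    result = {}
    for finding in findings:
        seen = counts.get(finding["path"])
        if seen is None:
            status = "no_traffic"   # path never reached the WAF or was not logged
        elif seen["ALLOW"] == 0:
            status = "blocked"      # every logged request was stopped
        elif seen["BLOCK"] == 0:
            status = "unblocked"    # the WAF has no effective rule here
        else:
            status = "partial"      # some requests got through; review the rule
        result[finding["id"]] = status
    return result

if __name__ == "__main__":
    for fid, status in waf_coverage(FINDINGS, WAF_LOG).items():
        print(fid, status)
```

Findings reported as `unblocked` or `partial` are the candidates for new or tightened WAF rules, while `no_traffic` points to an asset that is not behind the WAF or not being logged.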

Conclusion

Pen testing satisfies several compliance requirements for security auditing procedures, including SOC 2 and PCI DSS. Certain standards can be satisfied through the use of a certified WAF. Nevertheless, this does not make ethical hacking any less useful, given the benefits it brings and its ability to improve WAF configurations.

References

Ayala, J., Fourie, A., & Reid, D. (2020). Cone penetration testing on silty tailings using a new small calibration chamber. Géotechnique Letters, 10(4), 492-497. https://www.icevirtuallibrary.com/doi/abs/10.1680/jgele.20.00037

Fischer, M., Langer, F., Mono, J., Nasenberg, C., & Albartus, N. (2020). Hardware penetration testing knocks your SoCs off. IEEE Design & Test. https://ieeexplore.ieee.org/abstract/document/9154752/

Stolte, A. C., & Cox, B. R. (2020). Towards consideration of epistemic uncertainty in shear-wave velocity measurements obtained via seismic cone penetration testing (SCPT). Canadian Geotechnical Journal, 57(1), 48-60. https://cdnsciencepub.com/doi/abs/10.1139/cgj-2018-0689

Verhegge, J., Storme, A., Cruz, F., & Crombé, P. (2021). Cone penetration testing for extensive mapping of deeply buried Late Glacial covers and landscape paleotopography. Geoarchaeology, 36(1), 130-148. https://onlinelibrary.wiley.com/doi/abs/10.1002/gea.21815