See:
· http://en.wikipedia.org/wiki/Penetration_test
Sometimes called pen testing or pentesting.
Penetration tests aim to identify ways of exploiting vulnerabilities in order to circumvent or defeat the security features of system components. Penetration tests include application and network testing, as well as the controls and processes around networks and applications. They are performed both from outside the environment (external testing) and from inside it.
http://es.pcisecuritystandards.org
A penetration test (pentest) is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, carried out by an ethical hacker. The process involves an active analysis of any potential vulnerabilities, poor or inadequate configurations of both hardware and software, or operational deficiencies in the security measures.
This analysis is performed from the position of a potential attacker and may involve the active exploitation of security vulnerabilities. Any security problems found are presented to the system owner, together with an assessment of their impact, and often with a proposed mitigation or technical solution. The intent of a penetration test is to determine the feasibility of an attack and the business impact of a successful attack.
http://www.inteco.es/glossary/Formacion/Glosario/
Audit tests to verify the correct application and configuration of security countermeasures on information and communications devices, as specified in the security policy, and thereby alert to any deviations detected. [CCN-STIC-401:2007]
1. A test performed by the evaluator on the Target of Evaluation to check whether or not its vulnerabilities are exploitable in practice (ITSEC).
2. A stage in the process of verifying the security of a system in which the evaluators attempt to circumvent or violate its security controls. [Ribagorda:1997]
A Penetration Test. A method for determining the risk to a network by attempting to penetrate its defenses. Pentesting combines vulnerability assessment techniques with evasion techniques and other attack methods to simulate a real attack. [knapp:2014]
A test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of an information system. [NIST-SP800-53:2013]
A test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of an information system. [CNSSI_4009:2010]
(I) A system test, often part of system certification, in which evaluators attempt to circumvent the security features of a system. [NCS04, SP42] (See: tiger team.) [RFC4949:2007]
Tests performed by an evaluator on the Target of Evaluation in order to confirm whether or not known vulnerabilities are actually exploitable in practice. [ITSEC:1991]
The portion of security testing in which the penetrators attempt to circumvent the security features of a system. The penetrators may be assumed to use all system design and implementation documentation, which may include listings of system source code, manuals, and circuit diagrams. The penetrators work under no constraints other than those that would be applied to ordinary users. [TCSEC:1985]
Penetration tests attempt to exploit vulnerabilities to determine whether unauthorized access or other malicious activity is possible. Penetration testing includes network and application testing as well as controls and processes around the networks and applications, and occurs from both outside the network trying to come in (external testing) and from inside the network.
https://www.pcisecuritystandards.org/security_standards/glossary.php
When trusted hackers simulate an attack on a computer system in the hope of revealing vulnerabilities and finding opportunities for improving its security.
http://www.getsafeonline.org/
Penetration testing is the security-oriented probing of a computer system or network to seek out vulnerabilities that an attacker could exploit. The testing process involves an exploration of all the security features of the system in question, followed by an attempt to breach security and penetrate the system. The tester, sometimes known as an ethical hacker, generally uses the same methods and tools as a real attacker. Afterwards, the penetration testers report on the vulnerabilities and suggest steps that should be taken to make the system more secure.
http://searchsoftwarequality.techtarget.com/glossary/
Penetration testing is used to test the external perimeter security of a network or facility.
http://www.sans.org/security-resources/glossary-of-terms/
Penetration testing goes beyond vulnerability scanning to use multistep and multivector attack scenarios that first find vulnerabilities and then attempt to exploit them to move deeper into the enterprise infrastructure. Since this is how advanced targeted attacks work, penetration testing provides visibility into aggregations of misconfigurations or vulnerabilities that could lead to an attack that could cause serious business impact. As a minimum, penetration testing provides a means for prioritizing the highest risk vulnerabilities.
http://www.gartner.com/it-glossary/
Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit.
Pen tests can be automated with software applications or they can be performed manually. Either way, the process includes gathering information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings.
The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization's security policy compliance, its employees' security awareness and the organization's ability to identify and respond to security incidents.
Penetration tests are sometimes called white hat attacks because in a pen test, the good guys are attempting to break in.
Pen test strategies include:
Targeted testing
Targeted testing is performed by the organization's IT team and the penetration testing team working together. It's sometimes referred to as a "lights-turned-on" approach because everyone can see the test being carried out.
External testing
This type of pen test targets a company's externally visible servers or devices including domain name servers (DNS), e-mail servers, Web servers or firewalls. The objective is to find out if an outside attacker can get in and how far they can get in once they've gained access.
Internal testing
This test mimics an inside attack behind the firewall by an authorized user with standard access privileges. This kind of test is useful for estimating how much damage a disgruntled employee could cause.
Blind testing
A blind test strategy simulates the actions and procedures of a real attacker by severely limiting the information given to the person or team that's performing the test beforehand. Typically, they may only be given the name of the company. Because this type of test can require a considerable amount of time for reconnaissance, it can be expensive.
Double blind testing
Double blind testing takes the blind test and carries it a step further. In this type of pen test, only one or two people within the organization might be aware a test is being conducted. Double-blind tests can be useful for testing an organization's security monitoring and incident identification as well as its response procedures.
http://searchsoftwarequality.techtarget.com/
Penetration tests attempt to identify ways of exploiting vulnerabilities in order to circumvent or defeat the security features of system components. The penetration test must include network and application testing, as well as the controls and processes relating to networks and applications. It must be carried out both from outside the environment (external testing) and from inside it.
http://fr.pcisecuritystandards.org/
Related topics