Glen E. Clarke

CompTIA Pentest+ Certification For Dummies


Скачать книгу

rel="nofollow" href="#fb3_img_img_498dd87f-a82b-5451-874c-7eebfe938dca.png" alt="Fortheexam"/> For the PenTest+ certification exam, remember that remediation steps within the report are a must for any successful penetration test.

      A key point to remember is that the person performing the penetration test — the pentester — is taking the mindset of a hacker and following the process a hacker takes. This involves much planning, as only 10 to 15 percent of the penetration test is actually performing the attacks. Like hacking, penetration testing is 85 percent preparation so that by the time the attack is performed, the hacker or pentester is quite sure the attack will be successful. You can compare this process to robbing a bank. A bank robber will spend the most time planning the robbery. When it comes time to rob the bank, the actual act of robbing the bank is done in minutes (or so I hear).

      Reasons for a pentest

      Why would a company conduct a penetration test? The purpose of a penetration test is to obtain a real-world picture of the effectiveness of the security controls put in place to protect the company’s assets. Instead of taking the word of the security team that configured the security of the environment, you can put the security to the test by having someone take the steps a hacker would take and see if the security holds up. In performing such a test, the pentester can also obtain a list of steps the company could take to prevent real attacks from being successful.

      Another reason to perform penetration testing is to be in compliance with regulations. Depending on the industry a company services, organizations may be governed by regulations that require penetration testing to be performed on a regular basis to ensure the security of the organization. For example, companies that collect and store sensitive payment card information are governed by the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS has strict requirements for activities that must be performed to help keep sensitive payment card information secure. Check out “Best Practices for Maintaining PCI DSS Compliance” and “Penetration Testing Guidance” at www.pcisecuritystandards.org to learn more about PCI DSS compliance requirements.

Requirement Title Description
11.3 Penetration testing Perform annual penetration testing against preordinated use cases/attack scenarios and perform remediation actions to address any identified vulnerabilities
11.3.4.1 Six-month penetration testing for segmentation Bi-annual penetration testing conducted for network segmentation controls

      Source: PCI Security Standards Council. Best Practices for Maintaining PCI DSS Compliance. January 2019: pp 46-47. Available at www.pcisecuritystandards.org.

      The PCI Security Standards Council’s “Penetration Testing Guidance” document gives more detail on compliance requirements such as the fact that you must also perform a penetration test any time major changes are made to the network infrastructure or to applications within the organization (on top of doing annual penetration testing).

      The key point here is that compliance requirements could drive the need to perform penetration tests on a regular basis.

      Fortheexam For the PenTest+ certification exam, remember the two main reasons to perform a penetration test: (1) to get an accurate picture of the results of an attack, and (2) to be in compliance with industry regulations.

      Who should perform a pentest

      Now that you know what a penetration test is, the next logical question is who should perform the penetration test? You have two choices when it comes to who performs the penetration test: internal staff or an external third-party company.

      Internal staff

      Tip The members of the internal team performing the penetration test should not be part of the team who installed, configured, or manages the systems or networks being assessed. They should also not be the persons responsible for implementing the security of the systems, as that is a direct conflict of interest. A separate team should be dedicated to assessing security within the organization and performing the penetration tests.

      Companies may also create separate internal teams — a red team and a blue team — to help assess the security of assets within the organization. The red team is an internal security group that performs attacks on company assets, such as a penetration test and social engineering attacks to validate whether there is enough protection on the company assets. The blue team is the internal security group within the company that is focused on protecting the assets. This includes monitoring the security controls, the intrusion detection systems, and the logs to protect the asset and identify when a security breach occurs. It is important to note that the red team’s job is to stay up-to-date on any new attack methods, while the blue team must be current on any new technologies used to protect assets from attacks. The red team and blue team should also meet regularly to update the other team on lessons learned so that both teams are fully aware of current attacks and mitigation strategies.

      Tip Penetration testing can be a costly affair, so having an internal team can save the company lots of money and allow for more regular pentests.

      External third party

      Going with a third-party company to perform the penetration test also has its benefits. For example, the third-party company is most likely not familiar with the organization’s environment (as a hacker would not be), so it can provide an even better picture of an attack because the third party would have to discover all the systems (depending on the type of pentest, which I talk about later in this chapter). Using third-party external testers is also beneficial because you have a fresh set of eyes looking at your network and systems. Internal staff have designed the defensive posture based on the attack vectors they are aware of, while external testers may have knowledge of different attack vectors and may take a totally different approach to exploiting systems.

      However, using a third-party company also raises some concerns. For example, what are the qualifications of the consultants doing the pentest? And how will the details and results of the pentest be kept confidential? With a third-party company involved, confidentiality