Glen E. Clarke

CompTIA PenTest+ Certification For Dummies


Скачать книгу

help assess the security of assets within the organization. The red team is an internal security group that performs attacks on company assets, such as a penetration test and social engineering attacks to validate whether there is enough protection on the company assets. The blue team is the internal security group within the company that is focused on protecting the assets. This includes monitoring the security controls, the intrusion detection systems, and the logs to protect the asset and identify when a security breach occurs. It is important to note that the red team’s job is to stay up-to-date on any new attack methods, while the blue team must be current on any new technologies used to protect assets from attacks. The red team and blue team should also meet regularly to update the other team on lessons learned so that both teams are fully aware of current attacks and mitigation strategies.

      Tip Penetration testing can be a costly affair, so having an internal team can save the company lots of money and allow for more regular pentests.

      External third party

      However, using a third-party company also raises some concerns. For example, what are the qualifications of the consultants doing the pentest? And how will the details and results of the pentest be kept confidential? With a third-party company involved, confidentiality can be a bit more challenging than if a company used internal testers.

      A final concern is cost. Going with a third-party company can be very costly, as penetration testing is a time-consuming process and requires a specialized skill.

      Qualified pentesters

      Whether you choose to use internal staff or an external third-party company to perform the penetration test, it is critical you validate the qualifications of the individuals performing the penetration test prior to the engagement.

      The first qualification to look for in a pentester is whether or not that person holds industry-standard certifications that prove his or her penetration testing knowledge. For example, you may require that all individuals performing a penetration test have their CompTIA PenTest+ certification.

      However, certification is not enough. The pentester should also have prior experience performing penetration testing. Following are some questions to ask when hiring a third-party company to perform a penetration test:

       Does the penetration testing team have experience with prior penetration tests?

       Has the penetration testing team performed a penetration test against a similarly sized organization before?

       Does the penetration testing team have experience with the types of systems and platforms being used by the company?

       Does the penetration testing team have experience with network-layer testing (networking systems and configuration)?

       Does the penetration testing team have experience with performing application layer testing, and is it familiar with Open Web Application Security Project (OWASP) Top 10 validation techniques? (OWASP Top 10 is the top ten methods hackers are using to exploit web applications.)

      How often a pentest should be performed

      There is no concrete answer to how frequently you should perform a penetration test; however, it’s best to perform a pentest annually and after any major change to the infrastructure.

      Standards such as the PCI DSS state that in order to be compliant, organizations should perform external testing once a year, plus after making any major changes to the network infrastructure or application environments. The PCI DSS also states that you should perform internal testing once a year and after any major changes.

      Regular schedule

      If your organization is not governed by regulations that dictate when you need to perform a penetration test, you can create your own schedule that works for you. Hiring an external team of penetration testers can be expensive, so one option may be to create a schedule that uses internal staff to test internal and external assets more frequently than an external company. For example, a schedule could look like this:

       Every 12 months: Penetration testing of internal assets is performed by internal staff.

       Every 12 months: Penetration testing of external assets is performed by internal staff.

       Every 24 months: Penetration testing of internal and external assets is performed by a third-party company.

      Tip Using internal staff for penetration testing can help you reduce costs of penetration testing while still performing them on a regular basis. However, you should have a third-party company perform a penetration test at some point because it is a great way to get a real-world picture of your assets’ vulnerabilities.

      After major changes

      You should also perform a penetration test after making any major changes to the network infrastructure or application environments, such as upgrades to software. Some examples of infrastructure changes could be adding a new server to the network, replacing a server with a new server, or adding a new network segment. These changes could introduce new ways for hackers to get into the network, so you want to make sure you perform a penetration test to verify all is secure.

      Fortheexam For the PenTest+ certification exam, remember that a penetration test should be performed annually and after any major change to the infrastructure.

      Other considerations

      A few additional considerations should be taken into account when discussing when a penetration test should occur. For example, one of the risks of a penetration test is that you could end up crashing a system or network. So, to ensure your pentests are successful in providing you with the information you want, you want to make sure you follow these recommendations when possible:

       Perform pentests in a mockup environment. When performing penetration testing, you run the risk of crashing systems or networks due to the nature of the attacks. If possible, create copies of systems inside a test environment and perform the penetration test on the test system. It is critical that the test systems are an exact copy so that the penetration test accurately reflects the test of the real system.

       Perform pentests before deploying the system or application into production. If possible, before a system or application is put into production, perform a penetration test on that component before it goes live. This will help reduce the cost of maintaining the system, as it is more costly to fix security issues once the system or application is in production.

       Perform