ความหมายของ penetration testA penet

ความหมายของ penetration test
A penetration test, or sometimes pentest, is a software attack on a computer system that looks for security weaknesses, potentially gaining access to the computer's features and data.[1][2]
[1]The CISSP® and CAPCM Prep Guide: Platinum Edition. John Wiley & Sons. ISBN 978-0-470-00792-1. A penetration test can determine how a system reacts to an attack, whether or not a system's defenses can be breached, and what information can be acquired from the system"
[2]Kevin M. Henry. Penetration Testing: Protecting Networks and Systems. IT Governance Ltd. ISBN 978-1-849-28371-7. Penetration testing is the simulation of an attack on a system, network, piece of equipment or other facility, with the objective of proving how vulnerable that system or "target" would be to a real attack.

CISSP 4th Edition
>>Domain1 - Security & Risk Management
>>Risk Management Concepts
>>Controls Assessment/Monitoring and Measuring
>>Vulnerability Assessment
>>Penetration testing

Penetration Testing
The next level in vulnerability assessments seeks to exploit existing vulnerabilities to
determine the true nature and impact of a given vulnerability. Penetration testing goes by
many names, such as ethical hacking, tiger teaming, red teaming, and vulnerability
testing. It is the use of exploitive techniques to determine the level of risk associated
with a vulnerability or collection of vulnerabilities in an application or system. The primary
goal of penetration testing is to simulate an attack on a system or network to evaluate
the risk profile of an environment. This includes understanding the level of skill required,
the time needed to exploit a given vulnerability, and the level of impact, such as depth of
access and attainable privileges.
Penetration testing can be employed against any system or service. However,
because of the time, expense, and resources required to properly execute a penetration
test, most companies seek penetration testing to focus on Internet systems and services,
remote-access solutions, and critical applications.
The key to successful and
valuable penetration testing is clearly defined objectives,
scope, stated goals, agreed-upon limitations, and acceptable activities. For example, it
may be acceptable to attack an FTP server but not to the point where the system is
rendered useless or data are damaged. Having a clear framework and management
oversight during a test is essential to ensure that the test does not have adverse effects
on the target company and the most value is gained from the test.
Penetration Test Strategies
Strategies for penetration testing, based on specific objectives to be achieved, are a
combination of the source of the test, how the company’s assets are targeted, and the
information (or lack thereof) provided to the tester. One of the first steps in establishing
the rules of engagement for a penetration test is determining the amount of information
to provide the tester about the target. No matter the scope or scale of a test, how
information flows initially will set in motion other attributes of planning, ultimately
defining factors by which the value of the test will be measured. Usually some form of
information is provided by the target, and only in the most extreme cases is absolutely no
information offered. Some cannot be avoided, such as the name of the company, while
others can be easily kept from the testers without totally impeding the mechanics of the
test.
External testing refers to attacks on the organization’s network perimeter using
procedures performed from outside the organization’s systems, for example, from the
Internet. To conduct the test, the testing team begins by targeting the company’s
externally visible servers or devices, such as the domain name server (DNS), email
server, Web server, or firewall.
Internal testing is performed from within the organization’s technology environment.
The focus is to understand what could happen if the network perimeter was successfully
penetrated or what an organization insider could do to penetrate specific information
resources within the organization’s network.
In a blind testing strategy, the testing team is provided with only limited information
concerning the organization’s information systems configuration. The penetration testing
team must use publicly available information (such as the company website, domain
name registry, and Internet discussion boards) to gather information about the target and
conduct its penetration tests. Blind testing can provide information about the organization
that may have been otherwise unknown, but it can also be more time consuming and
expensive than other types of penetration testing (such as targeted testing) because of
the effort required by the penetration testing team to research the target. However, in
blind testing the “attackers” (the test team) have little or no knowledge about the target
company, but the “defenders” (the company’s IT and security teams) know the attack is
coming and are prepared to defend against it.
Double-blind testing presents a more real-life attack scenario because the
organization’s IT and security teams are not notified or informed before the test and are
“blind” to the planned testing activities. In addition to testing the strength of a network or
application, double-blind testing can test the organization’s security monitoring and
incident identification, escalation, and response procedures. In double-blind testing
engagements, very few people within the organization are made aware of the testing,
perhaps only the project sponsor, and double-blind testing requires careful monitoring by
the project sponsor to ensure that the testing procedures and the organization’s incident
response procedures can be terminated when the objectives of the test have been
achieved or the test threatens to affect production systems or networks.
In a targeted testing environment (often referred to as the “lights on” approach), both
the organization’s IT team and the penetration testing team are made aware of the
testing activities and are provided with information concerning the target and the
network design. A targeted testing approach may be more efficient and cost-effective
when the objective of the test is focused more on the technical setting, or on the design
of the network, than on the organization’s incident response and other operational
procedures. A targeted test typically takes less time and effort to complete than blind
testing, but it may not provide as complete a picture of an organization’s security
vulnerabilities and response capabilities.
There are three basic categories of penetration test separated by how much
information is provided to the tester or test team: zero knowledge, partial knowledge,
and full knowledge. In zero knowledge testing, the tester is provided no information
about the target’s network or environment. The tester is simply left to his abilities to
discover information about the company and use it to gain some form of access. This is
also called black box or closed testing, depending on who is scoping the test. Zero
knowledge testing is particularly appropriate when executing a test from outside the
organization because this is the position most attackers will be in when they start to
attack an organization.
In a partial knowledge test scenario, the tester is provided with some knowledge
about the environment. The information provided is high-level public (or near-pubic)
information that would be trivial for a real attacker to find without much effort, including
phone numbers and IP addresses to be tested, domain information, and application
names. It is assumed that a competent attacker would be able to obtain this level of
information rather quickly, so this information is given to the tester to speed up the
testing process a bit. The interesting aspect of getting some information and not all is the
assumption of scope. Organizations can use limited information to define boundaries of
the test as opposed to simply providing all the initial data to support the test. For
example, exposing the organization’s IP address range is an attempt to speed up the
gathering of easily obtained information, while exposing the fact that the network has
intrusion detection systems can shape the way the tester goes about performing the test.
Full knowledge testing provides every possible piece of information about the
environment to the tester. This type of test is typically employed when there is greater
focus on what can be done as opposed to what can be discovered. The assumption is that
an attacker can easily discover what is in the environment and the test needs to focus on
how much damage can be done with that information. This is particularly appropriate
when testing for internal penetrations. In that situation, the tester is taking the role of an
informed insider (e.g., an employee or contractor) with existing inside knowledge of the
environment, architecture, and information paths. The insider has all the knowledge he or
she needs to find the target. The question the tester needs to answer is whether the
target’s defenses will withstand such an attack.
The organization must determine the area of the organization or the service to be
tested. This is important when defining the scope of the test because it will determine
the boundaries and limits of acceptable testing practices. More than one target may be
defined for a test, but each must be well defined and clearly understood by all involved.

Application Security Testing
The objective of application security testing is to evaluate the controls within an
application and its information process flow. Topics to be evaluated may include the
application’s use of encryption to protect the confidentiality and integrity of information,
the authentication of users, the integrity of the Internet user’s session with