See:
http://en.wikipedia.org/wiki/Penetration_test
Sometimes called “pen testing” or “pentesting”.
Penetration tests aim to identify ways of exploiting vulnerabilities to
circumvent or defeat the security features of system components. Penetration
testing includes application and network testing, as well as controls and
processes around networks and applications. It is carried out both from
outside the environment (external testing) and in the opposite direction.
http://es.pcisecuritystandards.org
A penetration test (pentest) is a method of evaluating the security of a
computer system or network by simulating an attack from a malicious source,
carried out by an ethical hacker. The process involves an active analysis of
any potential vulnerability, poor or improper configurations, of both hardware
and software, or operational weaknesses in the security measures.
This analysis is carried out from the position of a potential attacker and may
involve the active exploitation of security vulnerabilities. Any security
issues found are presented to the system owner, together with an assessment of
their impact, and often with a proposal for mitigation or a technical solution.
The intent of a penetration test is to determine the feasibility of an attack
and the business impact of a successful attack.
http://www.inteco.es/glossary/Formacion/Glosario/
Audit tests to verify the correct application and configuration of security
countermeasures on information and communications devices as specified in the
security policy, and thus to warn of any deviations detected.
[CCN-STIC-401:2007]
1. Test performed by the evaluator on the Target of Evaluation to check whether
or not its vulnerabilities are exploitable in practice (ITSEC).
2. Stage of the process of verifying the security of a system in which the
evaluators try to circumvent or violate its security controls.
[Ribagorda:1997]
A Penetration Test. A method
for determining the risk to a network by attempting to penetrate its defenses.
Pentesting combines vulnerability assessment techniques with evasion techniques
and other attack methods to simulate a “real attack.” [knapp:2014]
A test methodology in which
assessors, typically working under specific constraints, attempt to circumvent
or defeat the security features of an information system. [NIST-SP800-53:2013]
A test methodology in which
assessors, typically working under specific constraints, attempt to circumvent
or defeat the security features of an information system. [CNSSI_4009:2010]
(I) A system test, often
part of system certification, in which evaluators attempt to circumvent the
security features of a system. [NCS04, SP42] (See: tiger team.) [RFC4949:2007]
Tests performed by an
evaluator on the Target of Evaluation in order to confirm whether or not known
vulnerabilities are actually exploitable in practice. [ITSEC:1991]
The portion of security
testing in which the penetrators attempt to circumvent the security features of
a system. The penetrators may be assumed to use all system design and
implementation documentation, which may include listings of system source code,
manuals, and circuit diagrams. The penetrators work under no constraints other
than those that would be applied to ordinary users. [TCSEC:1985]
Penetration tests attempt to
exploit vulnerabilities to determine whether unauthorized access or other
malicious activity is possible. Penetration testing includes network and
application testing as well as controls and processes around the networks and
applications, and occurs from both outside the network trying to come in
(external testing) and from inside the network.
https://www.pcisecuritystandards.org/security_standards/glossary.php
When trusted hackers
simulate an attack on a computer system in the hope of revealing
vulnerabilities and finding opportunities for improving its security.
http://www.getsafeonline.org/
Penetration testing is the
security-oriented probing of a computer system or network to seek out
vulnerabilities that an attacker could exploit. The testing process involves an
exploration of all the security features of the system in question, followed by
an attempt to breach security and penetrate the system. The tester, sometimes
known as an ethical hacker, generally uses the same methods and tools as a real
attacker. Afterwards, the penetration testers report on the vulnerabilities and
suggest steps that should be taken to make the system more secure.
http://searchsoftwarequality.techtarget.com/glossary/
Penetration testing is used
to test the external perimeter security of a network or facility.
http://www.sans.org/security-resources/glossary-of-terms/
Penetration testing goes
beyond vulnerability scanning to use multistep and multivector attack scenarios
that first find vulnerabilities and then attempt to exploit them to move deeper
into the enterprise infrastructure. Since this is how advanced targeted attacks
work, penetration testing provides visibility into aggregations of misconfigurations
or vulnerabilities that could lead to an attack that could cause serious
business impact. As a minimum, penetration testing provides a means for
prioritizing the highest risk vulnerabilities.
http://www.gartner.com/it-glossary/
Penetration testing (also
called pen testing) is the practice of testing a computer system, network or
Web application to find vulnerabilities that an attacker could exploit.
Pen tests can be automated
with software applications or they can be performed manually. Either way, the
process includes gathering information about the target before the test
(reconnaissance), identifying possible entry points, attempting to break in
(either virtually or for real) and reporting back the findings.
The main objective of
penetration testing is to determine security weaknesses. A pen test can also be
used to test an organization's security policy compliance, its employees'
security awareness and the organization's ability to identify and respond to
security incidents.
Penetration tests are
sometimes called white hat attacks because in a pen test, the good guys are
attempting to break in.
Pen test strategies include:
Targeted testing
Targeted testing is performed by the organization's IT team and the penetration
testing team working together. It's sometimes referred to as a
"lights-turned-on" approach because everyone can see the test being carried
out.
External testing
This type of pen test targets a company's externally visible servers or devices
including domain name servers (DNS), e-mail servers, Web servers or firewalls.
The objective is to find out if an outside attacker can get in and how far they
can get in once they've gained access.
Internal testing
This test mimics an inside attack behind the firewall by an authorized user
with standard access privileges. This kind of test is useful for estimating how
much damage a disgruntled employee could cause.
Blind testing
A blind test strategy simulates the actions and procedures of a real attacker
by severely limiting the information given to the person or team that's
performing the test beforehand. Typically, they may only be given the name of
the company. Because this type of test can require a considerable amount of
time for reconnaissance, it can be expensive.
Double blind testing
Double blind testing takes the blind test and carries it a step further. In
this type of pen test, only one or two people within the organization might be
aware a test is being conducted. Double-blind tests can be useful for testing
an organization's security monitoring and incident identification as well as
its response procedures.
http://searchsoftwarequality.techtarget.com/
Penetration tests attempt to identify ways of exploiting vulnerabilities to
circumvent or defeat the security features of system components. Penetration
testing must include testing of the network and the application, as well as of
the controls and processes relating to networks and applications. It must be
carried out both from outside the environment (external testing) and from
inside.
http://fr.pcisecuritystandards.org/