One Article Review
| Source |  AlienVault Lab Blog |
|---|---|
| Identifiant | 8333063 |
| Date de publication | 2023-05-03 10:00:00 (vue: 2023-05-03 10:06:31) |
| Titre | En regardant un test de pénétration à travers les yeux d'une cible Looking at a penetration test through the eyes of a target |
| Texte | The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. Analyzing an organization’s security posture through the prism of a potential intruder’s tactics, techniques, and procedures (TTPs) provides actionable insights into the exploitable attack surface. This visibility is key to stepping up the defenses of the entire digital ecosystem or its layers so that the chance of a data breach is reduced to a minimum. Penetration testing (pentesting) is one of the fundamental mechanisms in this area. The need to probe the architecture of a network for weak links through offensive methods co-occurred with the emergence of the “perimeter security” philosophy. Whereas pentesting has largely bridged the gap, the effectiveness of this approach is often hampered by a crude understanding of its goals and the working principles of ethical hackers, which skews companies’ expectations and leads to frustration down the line. The following considerations will give you the big picture in terms of prerequisites for mounting a simulated cyber incursion that yields positive security dividends rather than being a waste of time and resources. Eliminating confusion with the terminology Some corporate security teams may find it hard to distinguish a penetration test from related approaches such as red teaming, vulnerability testing, bug bounty programs, as well as emerging breach and attack simulation (BAS) services. They do overlap in quite a few ways, but each has its unique hallmarks. Essentially, a pentest is a manual process that boils down to mimicking an attacker’s actions. Its purpose is to find the shortest and most effective way into a target network through the perimeter and different tiers of the internal infrastructure. The outcome is a snapshot of the system’s protections at a specific point in time. In contrast to this, red teaming focuses on exploiting a segment of a network or an information / operational technology (IT/OT) system over an extended period. It is performed more covertly, which is exactly how things go during real-world compromises. This method is an extremely important prerequisite for maintaining OT cybersecurity, an emerging area geared toward safeguarding industrial control systems (ICS) at the core of critical infrastructure entities. Vulnerability testing, in turn, aims to pinpoint flaws in software and helps understand how to address them. Bug bounty programs are usually limited to mobile or web applications and may or may not match a real intruder’s behavior model. In addition, the objective of a bug bounty hunter is to find a vulnerability and submit a report as quickly as possible to get a reward rather than investigating the problem in depth. BAS is the newest technique on the list. It follows a “scan, exploit, and repeat” logic and pushes a deeper automation agenda, relying on tools that execute the testing with little to no human involvement. These projects are continuous by nature and generate results dynamically as changes occur across the network. By and large, there are two things that set pentesting aside from adjacent security activities. Firstly, it is done by humans and hinges on manual offensive tactics, for the most part. Secondly, it always presupposes a comprehensive assessment of the discovered security imperfections and prioritization of the fixes based on how critical the vulnerable infrastructure components are. Choosing a penetration testing team worth its salt Let’s zoom into what factors to consider when approaching companies in this area, how to find professionals amid eye-catching marketing claims, and what pitfalls this process may entail. As a rule, the following criteria are the name of t |
| Envoyé | Oui |
| Condensat | “in “perimeter “scan “what “what’s about above abreast according accuracy across actionable actions activities addition address adjacent adopt advice agenda aims all alone along also alternative always amid analysis analyzers analyzing another answer any application applications approach approaches approaching approval approvals architecture are area around article aside assess assessment assets at&t attack attacker attacker’s attackers attention audits author automatic automation awards background bas based because before behavior being better between big block blurred board boils bother bottom bounty breach bridged broad bug bureaucratic burp business but can capable case catching caveat ceh certifications certified challenging chance change changes checklist choice choosing claims clear client close cmwapt collaborating combined comes companies companies’ company company’s completed comply components comprehend comprehensive compromises conclusions condition conduct conducted conflict confusion consider considerations consuming content context continuous contract contractors contrary contrast control core corporate coupled course covers covertly cracking crew criteria critical cross crude customer customer’s cut cvss cyber cybersecurity data deal decision decisions deeper defenses depending depth description detail detailed detection different difficult digital dilemma direction discovered distinguish dive dividends does doing don’t done down draw duration during dynamically each easy ecosystem effect effective effectiveness efficiently eliminating embracing emergence emerging employees endorse engaged enhance enough ensuring entail entire entities entry environment equipped essentially established ethical evaluation even events exact exactly examples execute executive exercise expectations expertise exploit exploitable exploiting extend extended external extra extremely eye eyes factors fairly feedback find firstly fix fixes flaw flaws focus focuses folks follow following follows forensic formalize forward found foundation four from frustration fundamental furthermore game: gap gaps gauge geared general generate get gets giac give goals going goldmine good gpen hacker hackers hackers’ hallmarks hampered handle hands happens hard has helps hinges honed horizons house how human humans hunter hurdles ics idea ideally impact imperfections important importantly include increasingly incursion industrial industry information informed infrastructure insights intended interest internal introduced intruder intruder’s investigating involve involvement isn’t it’s it/ot its itself john just keep key lack large largely larger last layers leads learn learning leaving let’s leverages life light like likelihood limited line links list little logic long looking lot machine main maintaining maintains make makers makes making management manual marketing match may mean meaningful mechanisms metasploit method methods might mimicking mindset minimum misconfigurations mobile model models month months more most mounting much multiple must name nature necessary need needs network network’s newest non nor not objective objectives obstacles occur occurred oddly offensive often one only operational options orchestration organization organization’s organizations oscp out outcome outlines over overlap own part party party” password past path pay penetration pentest pentesters pentesting pentests people perform performed perimeter period periodically philosophy picture pinpoint pitfalls platform play point points polish popular portfolio positions positive possible post posture postures potential practice preparing prerequisite prerequisites presupposes primarily principles prioritization prism proactively probe problem problems procedures process professional professionals proficiency programs project projects protection protections protocol provide provided provider provides purpose pushes qualifications qualified quality question |
| Tags | Data Breach Tool Vulnerability Threat Industrial |
| Stories | |
| Notes | ★★ |
| Move | 
|
L'article ne semble pas avoir été repris aprés sa publication.
L'article ne semble pas avoir été repris sur un précédent.