Schweitzer Fachinformationen
Wenn es um professionelles Wissen geht, ist Schweitzer Fachinformationen wegweisend. Kunden aus Recht und Beratung sowie Unternehmen, öffentliche Verwaltungen und Bibliotheken erhalten komplette Lösungen zum Beschaffen, Verwalten und Nutzen von digitalen und gedruckten Medien.
What is a pentester? Although the term may have you thinking of someone who works in quality assurance for an ink pen manufacturing plant, it's actually short for "penetration tester." Pentesters are commonly known as ethical hackers.
When you think of the term penetration tester, it makes more sense when you think about someone trying to penetrate the security of a computer, a network, the building in which a network is located, or a website. While the term ethical hacker is a little easier to understand, people are surprised to hear that such a job exists. Pentesters assess the security of computers, networks, and websites by looking for and exploiting vulnerabilities-commonly known as hacking.
To be clear, not all hackers are bad. Nevertheless, the terms hacker and hacking have been vilified for many years. Ethical hackers use their skills for good to help uncover vulnerabilities that could be exploited by malicious hackers.
The hackers you hear about in the news who are committing crimes should be labeled as cyber criminals. While they are using hacking to commit illegal activities, the intent and purpose of their efforts should be distinguished from pentesting, which is a way to see how cyberattackers can exploit a network for the benefit of security.
Before we get further into the topic, consider the wisdom of a particular philosopher:
With great power comes great responsibility.
François Voltaire
You will need permission to hack; otherwise, it would be considered illegal. This quote is a good way to ingrain that message. Prior to starting a pentest, written permission must be obtained.
Various terms are synonymous with pentesters and malicious hackers, and we will discuss them to help you understand what each means. The following terms are often used interchangeably and are useful to know.
The most common types of hackers are known as white hat, gray hat, and black hat hackers. These terms were taken from old westerns, where hats were used as a descriptor to tell the good guys from the bad guys:
Other commonly used terms for pentesting and pentesters include ethical hackers, offensive security, and adversarial security.
Pentesters are sometimes referred to as the red team, and defensive security is referred to as the blue team. Although red team is used for offensive security in general, true red teams perform adversarial simulation to emulate malicious hackers and test the blue team. Sometimes companies will also have a purple team. Mix red and blue and you get purple! A purple team is simply a small group of people who help to facilitate communication between the red team and blue team. The red team finds vulnerabilities and exploits, and the blue team uses the red team's findings to security harden their networks.
There are also commonly used terms for malicious hackers. Out of respect for good hackers, it is advised that you use these terms rather than the generic term "hacker":
Another way that hacking is used is through hacktivism. Hacktivists are activists that use their hacking skills to support social change, human rights, freedom of speech, or environmental causes. These are still cyberattacks. Even though the hacktivists' motivation may be to help a good cause, these activities are still illegal.
Pentests assess security from an adversarial perspective. This type of security assessment is the only way to uncover exploitable vulnerabilities and understand their risks. Vulnerability scanning alone or running an application to find vulnerabilities in targeted computers and devices only detects limited vulnerabilities, and by successfully exploiting or hacking the discovered vulnerabilities, it is possible to find ones that would have otherwise gone undetected.
This approach to security testing allows pentesters to mimic a malicious hacker in order to traverse the complex layers of systems to detect vulnerabilities beneath the surface. A vulnerability scan alone misses exploitable security flaws that are only visible on the surface of the system. Getting past the initial system layer allows you to assess security to see how far an attacker could get into your system, or to see if the possibility exists to access and compromise other systems or networks.
Pentesters use similar, or sometimes the same, tactics, techniques, and procedures (TTPs) as are used by cyber criminals. The emulation of an adversary can vary with the type and scope of a test, which we will cover in greater depth in the sections that follow. Pentests are performed on a variety of computers and networking devices. As humans are often fooled in order to conduct cyberattacks, sometimes you may be asked to test them as well. As technology evolves, newer technologies can become targets for testing. Too seldom, security is an afterthought when it should be considered up-front in the design phase.
The benefits and reasons for conducting pentests have become more recognized by private- and public-sector organizations, and the need to conduct them continues to grow. A decade ago, pentests were typically performed by consultants or contractors. Most companies did not employ their own pentesters, but as the need increased, more companies built their own pentesting teams.
The benefit of pentesting is that it provides a view of the security posture from an adversary's point of view. As we discussed, the best way to understand how an adversary sees security is to have a pentest performed.
Some of the most common reasons for pentests are as follows:
Knowledge of pentesting techniques is helpful to more than just pentesters. Understanding how malicious hackers think, as well as the TTPs used by cyber criminals, are helpful to defenders in all areas of information security.
Some areas that can benefit from an understanding of pentesting are as follows:
SOC analysts and network security personnel can better understand malicious network traffic with pentesting knowledge. DFIR investigators benefit from understanding cyberattacks, which can be learned from pentesting. Purple teams attack and defend digital assets, so pentesting knowledge is essential. Pentesting is useful for application security analysts, and it can be used to assess and secure applications. Knowledge of pentesting is useful throughout all areas of information security. This knowledge is helpful in defending networks, computing platforms, applications, and other technology assets. Understanding pentesting is useful for those working with pentesters. An educated consumer can better select consultants or contractors to conduct pentests or to hire permanent staff for pentesting.
Hacking is illegal without permission, so getting written permission prior to starting a pentest is absolutely necessary. Without it, if the pentest causes an outage or damage to a system, it could lead to legal problems. Without written permission, it's the pentester's word against the client's.
The statement of work (SOW) should include verbiage giving pentesters permission to perform the pentest. It is important that the pentest adhere to a well-defined scope in order to prevent legal problems and customer dissatisfaction. Such permission can also include a document referred to as a get-out-of-jail-free card, which can offer legal protection if you make certain mistakes within the scope defined by the SOW. This is especially necessary when performing pentests against buildings, as it may be useful when being questioned by building security or law enforcement.
A methodology is required in order to provide consistent and thorough pentests. A pentest methodology ensures that all of the steps were completed during a pentest. A pentest methodology is a repeatable process that other pentesters on a team can duplicate to deliver consistent quality. Methodologies are especially important when training new pentesters, giving them a checklist to follow that helps them make sure that they...
Dateiformat: ePUBKopierschutz: Adobe-DRM (Digital Rights Management)
Systemvoraussetzungen:
Das Dateiformat ePUB ist sehr gut für Romane und Sachbücher geeignet – also für „fließenden” Text ohne komplexes Layout. Bei E-Readern oder Smartphones passt sich der Zeilen- und Seitenumbruch automatisch den kleinen Displays an. Mit Adobe-DRM wird hier ein „harter” Kopierschutz verwendet. Wenn die notwendigen Voraussetzungen nicht vorliegen, können Sie das E-Book leider nicht öffnen. Daher müssen Sie bereits vor dem Download Ihre Lese-Hardware vorbereiten.Bitte beachten Sie: Wir empfehlen Ihnen unbedingt nach Installation der Lese-Software diese mit Ihrer persönlichen Adobe-ID zu autorisieren!
Weitere Informationen finden Sie in unserer E-Book Hilfe.
