May 27, 2009
Order of Contents
Executive Summary
What is Penetration Testing?
Network Scan
What Penetration Testing is not?
Why is Penetration Testing needed?
Hacking Methodologies
Hacking Methodologies Continued
Future of Penetration Testing
Works Cited
Appendix: Journal Article Analysis
Appendix: Interview with Ryan Clark
“The Culture and Language of Penetration Testing” is a report concerning the multitude of opinions surrounding the field of information security technology. The report will discuss the multiple methods of penetration testing and explain why each method is necessary. The report will also delve into the complex nature and culture of those involved in the penetration testing field. By investigating the mentality and passions of the different sub-cultures of hackers, the report will bring to light many questions surrounding the future of the field.
The report will conclude with assumptions that can be made about the field of penetration testing and what it is becoming in the year 2009.
Throughout the past decade, technology has become a more integral part of business. The growth of technology in business has given birth to new functionality through customized applications and creative new solutions that better assist both customers and employees. Examples include digital telecommunications and World Wide Web access for banking institutes. For individuals to feel safe conducting business online, companies must maintain those individuals’ trust that their information is safe. In a culture where a company’s biggest asset is its reputation, security is needed more than ever.
To ensure that security is maintained in these new technologies and network designs, companies are required to test their security. Companies can audit for security flaws in many ways. Software and hardware can be tested by means of reverse engineering and logic board designs. The most recent trend for testing the security of network engineering is penetration testing.
What is Penetration Testing?
Penetration testing is an authorized process of completing a complex evaluation of an organization’s security (Danhieux, 2006). This evaluation is usually customized around the company’s needs. Recently the terms network audit and penetration test have started to diverge: a penetration test can include network audits, but a network audit is not as all-inclusive as a penetration test. Network auditing can involve the entire network or just a portion of it, whereas a penetration test includes network audits and can incorporate simulated physical attacks and social engineering attacks.
In more recent years, penetration testing has incorporated company compliance, including Payment Card Industry (PCI) compliance and compliance with the Sarbanes-Oxley Act. These acts list baseline security that companies must have in order to operate legally. An example of a compliance requirement under PCI is the use of an application-level firewall. An application-level firewall acts like a middleman between the company’s network and the internet. As a middleman, it filters out bad data and can prevent intruders from gaining unauthorized access to the internal network (Brush, 2009).
A penetration test will first include an enumeration of the network. An enumeration is much like generating a blueprint of the network. This blueprint will show the network address and location of routers, switches, firewalls, servers, general network devices and individual computers. A network address, also known as an Internet Protocol (IP) address, is much like a