Question

Penetration Testing Defined

There is a considerable amount of confusion in the industry regarding the differences between vulnerability scanning and penetration testing, as the two phrases are commonly interchanged. However, their meaning and implications are very different. A vulnerability assessment simply identifies and reports noted vulnerabilities, whereas a penetration test (Pen Test) attempts to exploit the vulnerabilities to determine whether unauthorized access or other malicious activity is possible. Penetration testing typically includes network penetration testing and application security testing as well as controls and processes around the networks and applications and should occur from both outside the network trying to come in (external testing) and from inside the network.

What Is a Penetration Testing Tool?

Penetration testing tools are used as part of a penetration test (Pen Test) to automate certain tasks, improve testing efficiency and discover issues that might be difficult to find using manual analysis techniques alone. Two common penetration testing tools are static analysis tools and dynamic analysis tools. Kali Linux provides a suite of tools that perform both dynamic and static system analysis and find security vulnerabilities, including malicious code as well as the absence of functionality that may lead to security breaches. For example, Kali contains SQLninja, Cisco auditing tools and fuzzers to determine whether sufficient permissions are employed and whether SQL contains any application back doors through hard-coded user names, passwords or improperly escaped code that could allow ingress. Kali can also perform binary scanning, an approach that produces more accurate testing results.

Manual Penetration Test

Manual penetration testing layers human expertise on top of professional penetration testing software and tools, such as automated binary static and automated dynamic analysis, when assessing high assurance applications. A manual penetration test (Pen Test) provides complete coverage for standard vulnerability classes, as well as other design, business logic and compound flaw risks that can only be detected through manual testing.

Given this information, research Kali Linux, what tools it contains, and how it can assist a penetration tester to identify vulnerabilities in the network. Once you have done that, answer the following questions as though you were an internal or external penetration test firm assisting a Saudi company in strengthening their systems, framework and network.

  1. How does the penetration test differ from other types of security testing such as a vulnerability assessment?
  2. What is your process for performing the penetration test?
  3. Discuss the process and tools that would be used.
  4. How will you protect my data during and after testing?
  5. How will you ensure the availability of my systems and services while the test is taking place?

These last two will be key. Unless you are performing the penetration test when their users are not active, it will be necessary to catalog how you will do this without disrupting business or destroying data.
