Testing – Forensics – Surveillance – Red Team Assessment – Behavior Analysis – Clandestine recovery – Covert Data Acquisition – Malware Development and Analysis – Exploit Development Chuksjonia.blogspot.com • Security Analyst • Specialize in – Penetration Testing – Forensics – Surveillance – Red Team Assessment – Behavior Analysis – Clandestine recovery – Covert Data Acquisition – Malware Development and Analysis – Exploit Development October 2013 2
points where something can find or force its way into or through something else. • IT Security Penetration Testing: – This is most often used to positively identify points of vulnerabilities – Determine the genuineness of the vulnerabilities that they identify by use of exploitation. – Findings that cannot be exploited are either not reported or are reported as theoretical findings when justified • Testing and Uses – These are mostly commonly applied to Networks, Web Applications and physical Security. In theory, anything can undergo a Penetration Test. • The means to identify the presence of points where something can find or force its way into or through something else. • IT Security Penetration Testing: – This is most often used to positively identify points of vulnerabilities – Determine the genuineness of the vulnerabilities that they identify by use of exploitation. – Findings that cannot be exploited are either not reported or are reported as theoretical findings when justified • Testing and Uses – These are mostly commonly applied to Networks, Web Applications and physical Security. In theory, anything can undergo a Penetration Test. October 2013 3
and organizations • Penetration testing will exploit the vulnerabilities either physical or operational, Vulnerability Assessment wont. • Penetration testing gains access, Vulnerability testing doesn't. • Social Engineering cannot be performed in tandem with a Vulnerability Assessment. Social Engineering exploits human vulnerabilities and that exploitation crosses the boundaries of a Vulnerability Assessment. • Vulnerability Assessments cannot be applied to running Web Applications. Testing a running Web Application requires the submission of malformed and / or augmented data. When the data is received by the application, if the application is vulnerable, then an error or unexpected result is returned. This error or unintended result constitutes a degree of exploitation and as such crosses the Vulnerability Assessment boundaries. • Pivoting or rather, Distributed Metastasis cannot be performed during a Vulnerability Assessment. This is because Pivoting depends on the attackers ability to exploit vulnerabilities as a method of propagating a penetration. • Major difference, confuses clients and organizations • Penetration testing will exploit the vulnerabilities either physical or operational, Vulnerability Assessment wont. • Penetration testing gains access, Vulnerability testing doesn't. • Social Engineering cannot be performed in tandem with a Vulnerability Assessment. Social Engineering exploits human vulnerabilities and that exploitation crosses the boundaries of a Vulnerability Assessment. • Vulnerability Assessments cannot be applied to running Web Applications. Testing a running Web Application requires the submission of malformed and / or augmented data. When the data is received by the application, if the application is vulnerable, then an error or unexpected result is returned. This error or unintended result constitutes a degree of exploitation and as such crosses the Vulnerability Assessment boundaries. • Pivoting or rather, Distributed Metastasis cannot be performed during a Vulnerability Assessment. This is because Pivoting depends on the attackers ability to exploit vulnerabilities as a method of propagating a penetration. October 2013 4
hours of stake-outs – Network Mapping, Office locations, Employees names their offices and their bosses and family – Social media Intel / Data Acquisition The hardest, but always the best. Takes longer, but its worthy it. October 2013 6