Penetration test is the process of evaluating the information security of your IT department. You test your information security system to find out any security issues. You should answer two questions to determine what kind of penetration test you will perform? 1> Who is going to be the potential hacker? For exmp, if you know any grumbling employee may do it, the test has to be conducted within the wall of the company. 2> What kind of notice you will give your IT people about the testing. I emphasize the following areas to perform penetration test.
- Planning: This should be the first step of your test. You have to set an objective of the test. Which systems will be tested? How will they be tested? What testing tools will be used? Will the test take place from inside or outside the customer’s network? What does the customer want from the test? These and other objectives must be defined prior to testing
- Simulate Hacking: The next step is going to be information gathering. You have to pose yourself as an outside hacker. You only have the name of the company website. Now, you have to steal as much information possible from the company website. In other word, you have to break the network of the company.
- Actual Loopholes: The third step is to do the manual testing based upon the information gathering. You have to use hacker’s trick to assess where and why the system goes wrong. Those tricks may include spoofing, Network Sniffing, Trojan Attack, Brute Force Attack etc.
- Social Engineering: Penetration test is not going to be complete without this non-technical process. Sometimes the attacker uses the human nature to get access to the network system. This can be direct observation practice, looking Password on a stick on pad or talking different sources until the hacker gets enough information.