Understanding Penetration Testing: The Major Limitations of Penetration Testing You Need to Know

Understanding Penetration Testing

A penetration test may involve attempting to breach application systems such as frontend and backend servers and application programming interfaces (APIs). Such targeted attacks help expose vulnerabilities such as unsanitized inputs that are susceptible to code injection attacks.

In the context of web application security, a pen test is often used to attack the application directly and to try to evade any web application firewall (WAF) in front of it.

A pen test also uncovers gaps that are not purely technical, such as missing security policies, for example the lack of a strong password policy or of multi-factor authentication. It provides a simulated experience of dealing with a breach or an intrusion. It is similar to a fire drill, during which employees are trained to be alert to the possibility of attacks and threats.

Here are some of the key benefits of penetration testing:

  • Uncovers existing weaknesses in your applications, configurations, network infrastructure, and systems.
  • Tests your cyber-defense capability to detect and deal with attackers and malicious activity.
  • Exposes threats that could cause loss of availability or downtime, which has a direct impact on business operations.
  • Maintains the credibility and trust of your stakeholders.

All of these benefits seem to justify the effort that organizations put into penetration testing. Moreover, many companies conduct pen tests to meet the requirements set by the Payment Card Industry (PCI) Security Standards Council and achieve PCI DSS compliance.

Penetration testing has an array of benefits and helps identify potential vulnerabilities; however, it alone cannot prevent data breaches. In reality, even the most carefully tested and analyzed infrastructure or applications can still fall victim to attacks.

The Limitations of Penetration Testing

With a threat landscape that keeps evolving, and with attackers opportunistically exploiting faulty deployments and simple misconfigurations, pen testing alone is not sufficient.

Despite offering a gamut of benefits, penetration testing has some major limitations that can seriously affect your business if you are not aware of them.

Here are the major limitations of penetration testing that you should know:

Limitation of Time

Often, penetration testing is carried out as a timeboxed assessment that must be completed within a predefined period. The testing team has to identify potential threats and vulnerabilities and produce results within that window.

Penetration testers also have to write a report at the end of the test that includes a description of the vulnerabilities identified, the methodology used, and an executive summary. They also have to capture relevant evidence, such as screenshots, throughout the test and add it to the final report once the test is complete.

In contrast, attackers are not constrained by time; they can take as long as they need to identify and exploit vulnerabilities. Timeboxed assessments like penetration testing therefore give attackers an edge over the testers: they simply have more time to work on the application.

Hence, in addition to penetration testing, we recommend a white box assessment: a testing method that evaluates the internal structure, code, and design of the software and the network, where the tester has full access to how the network and applications are designed. It helps identify internal security loopholes and broken or improperly structured flows in the code or in the network configuration, and it can examine each function, object, and statement individually.

Limitation of Scope

Some organizations perform security testing selectively, which means they do not test everything. This may be due to a lack of resources, budget constraints, poor security policies, or other factors.

Similarly, penetration testers are given a limited scope and often have to leave many parts of the system unchecked because of these constraints.

For instance, exploits often depend on the interactions between systems. If the scope of a pen test is limited to one system, vulnerabilities that arise from those interactions will not be discovered.

This leads to an incomplete, lower-quality penetration test whose blind spots may cause damage to your organization at a later stage.

Limitation of Access

Often the testing team has only restricted access to the target environment during a pen test.

For example, networks are often divided into segments, and the penetration testers are given access only to the specific segments that host servers or are reachable from the internet, so that the team can simulate a real-world attack.

However, a pen test with such limited access will not reveal configuration issues and potential vulnerabilities across the entire network.

An effective way to detect more vulnerabilities is to conduct white box testing alongside penetration testing. This way, the tester has complete information about the network, the application's source code, the servers it runs on, the detailed network infrastructure, and the IP addresses involved.

A white box network vulnerability assessment helps expose security threats by examining the network from different angles. For applications, you can conduct code reviews that reveal weaknesses which may not be apparent from dynamic testing, such as the choice of encryption algorithms or how passwords are stored.
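To make the password-storage point concrete, here is an added example (written for this page, not code from the original article) of two credential stores that behave identically to a black-box login test but look very different to a code reviewer. The user names, passwords and wordlist are constructed for the demo; the PBKDF2 iteration count is kept low so the example runs quickly and is not a production recommendation.

```python
import hashlib
import hmac
import os

# Constructed sample credentials for this demo (not data from the article).
# Two users share a password on purpose.
USERS = {"alice": "Winter2024!", "bob": "Winter2024!", "carol": "correct horse"}


# --- What a code review flags: a fast, unsalted hash -------------------------
def store_md5(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def verify_md5(stored: str, attempt: str) -> bool:
    return hmac.compare_digest(stored, store_md5(attempt))


# --- What a reviewer wants to see: salted, slow, per-user key derivation -----
ITERATIONS = 100_000  # deliberately modest so the demo runs fast; production
                      # deployments should use a much higher count


def store_pbkdf2(password: str, salt=None) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(stored: str, attempt: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", attempt.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_stores():
    """Persist USERS with both schemes, as two password tables."""
    md5_store = {u: store_md5(p) for u, p in USERS.items()}
    pbkdf2_store = {u: store_pbkdf2(p) for u, p in USERS.items()}
    return md5_store, pbkdf2_store


def black_box_view(md5_store, pbkdf2_store, user, attempt):
    """What a dynamic test observes: only accepted/rejected, and both
    implementations answer identically for every (user, attempt) pair."""
    return verify_md5(md5_store[user], attempt), verify_pbkdf2(pbkdf2_store[user], attempt)


def users_sharing_a_password(store):
    """Unsalted hashes leak equality: same password -> same stored value.
    Returns groups of users whose stored records are identical."""
    groups = {}
    for user, record in store.items():
        groups.setdefault(record, []).append(user)
    return [sorted(g) for g in groups.values() if len(g) > 1]


def crack_md5_store(store, wordlist):
    """Offline guessing against a leaked MD5 table: one hash per candidate
    word cracks every user at once. Against the PBKDF2 table the same attack
    needs one slow derivation per (word, user) because of the per-user salt."""
    lookup = {store_md5(w): w for w in wordlist}
    return {u: lookup[h] for u, h in store.items() if h in lookup}


if __name__ == "__main__":
    md5_store, pbkdf2_store = build_stores()
    print("login alice/Winter2024! ->", black_box_view(md5_store, pbkdf2_store, "alice", "Winter2024!"))
    print("shared passwords (md5)  ->", users_sharing_a_password(md5_store))
    print("shared passwords (kdf)  ->", users_sharing_a_password(pbkdf2_store))
    print("cracked (md5)           ->", crack_md5_store(md5_store, ["password", "Winter2024!", "letmein"]))
```

From the outside, every login attempt gets the same accept/reject answer from both stores, so a dynamic test cannot tell them apart. Only with the source in hand does the reviewer see that the first scheme lets anyone holding the table spot shared passwords and recover them with a single wordlist pass.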

Limitation of Methods

A penetration test is intended to exploit systems, typically by doing things in ways the system was not designed to handle.

During a penetration test, it is possible that the target infrastructure or system will crash. So the testing team is restricted to a specific set of methods that avoid downtime or system crashes.

For instance, launching a distributed denial of service (DDoS) flood to distract the network or system administrators while attacking through another method is a common way for an attacker to bring down an organization.

However, pen testing teams usually avoid such methods because they tend to cause downtime.

At other times, automated techniques are off limits, which can leave the system exposed to exactly the easy-to-find vulnerabilities that automated tools catch, and that attackers such as script kiddies ("skiddies") routinely exploit with those same tools against internet-accessible systems.

These attackers are unskilled individuals who constantly look for well-known and easy-to-find weaknesses in computer systems to gain access, often without understanding the consequences.

Limitation of the Skill Set of a Penetration Tester

The success and quality of a penetration test are directly proportional to the experience and skills of the testing team. Penetration tests can be divided into three broad categories: system, network, and application penetration testing.

A tester who is skilled and experienced in network penetration testing may not be able to perform a successful application penetration test. With technologies continuously evolving, it is becoming more difficult to find someone who can conduct a high-quality penetration test across all of them.

Meanwhile, more skilled attackers who have time can potentially do a lot of damage to the system.

While a tester may have in-depth knowledge of Apache web servers, they may be less experienced with Internet Information Services (IIS). Experience with the specific technology under test plays a vital role in the success of a penetration test.

Limitation of Custom Exploits

Often, the penetration testing team is required to think outside the box and create custom exploits. In some highly secure environments, for instance, standard pen testing tools and frameworks are of little use.

So the team has to build custom exploits that are effective in hardened environments as well. Creating a custom exploit also entails manually writing scripts that define the path of the intrusion to reach the target.

This can be extremely time-consuming and is not an efficient way to conduct regular security tests. Additionally, it is not part of the skill set of most penetration testers. Manually writing scripts and creating custom exploit code can dramatically increase the budget and time required to conduct the test.

Limitation to Experiment

Penetration testers are allowed to use only client-approved exploitation frameworks and tools. Since no tool is all-in-one, and each may lack some features or miss some parts of the test, the testing team has to find alternatives to carry out the test effectively.

Moreover, stringent instructions from the client and senior management can restrict the team's ability to experiment within the approved scope. Attackers, on the other hand, are free to work around the security controls and create new paths of attack.

Takeaways

Penetration testing plays an important role in finding security vulnerabilities. However, you should be aware of its limitations, as they can have a massive impact on your organization. Eliminating penetration testing is not the answer; instead, combine it with other effective security methods and processes to achieve proper coverage.

About the Author:

Steve Kosten is a Principal Security Consultant at Cypress Data Defense and an instructor for the SANS DEV541 Secure Coding in Java/JEE: Developing Defensible Applications course.

Translated from: https://towardsdatascience.com/major-limitations-of-penetration-testing-you-need-to-know-3f99d2b72c47
