Читать книгу CompTIA PenTest+ Certification For Dummies - Glen E. Clarke - Страница 13

Penetration testing, also known as ethical hacking, involves an information technology (IT) professional using the techniques a hacker uses to bypass the security controls of a network and its system. A security control is a protection element, such as permissions or a firewall, that is designed to keep unauthorized individuals out of a system or network. The act the IT professionals are performing is known as a penetration test, or pentest for short (which is where CompTIA’s term, PenTest+, came from). The penetration test follows the process the hacker would take, including the discovery of targets and the exploitation of targets.

From a company’s point of view, the ultimate goal of a penetration test is to have an ethical person perform attacks on different assets to determine whether those assets could be penetrated, and if the attacks are successful, what remediation steps a company could take to prevent a real attack from being successful.

For the PenTest+ certification exam, remember that remediation steps within the report are a must for any successful penetration test.

A key point to remember is that the person performing the penetration test — the pentester — is taking the mindset of a hacker and following the process a hacker takes. This involves much planning, as only 10 to 15 percent of the penetration test is actually performing the attacks. Like hacking, penetration testing is 85 percent preparation so that by the time the attack is performed, the hacker or pentester is quite sure the attack will be successful. You can compare this process to robbing a bank. A bank robber will spend the most time planning the robbery. When it comes time to rob the bank, the actual act of robbing the bank is done in minutes (or so I hear).