Read the book CompTIA Pentest+ Certification For Dummies - Glen E. Clarke - Page 45
Reviewing Key Concepts
This chapter highlights a number of concepts and terminology related to penetration testing that you should be familiar with when preparing for the CompTIA PenTest+ certification exam. Following is a quick review of some of the key points to remember from this chapter:
Two reasons to conduct a penetration test are to better secure the company's assets and to be compliant with the regulations governing your organization.
You can have a penetration test performed by internal staff or an external third party. If internal staff is used, be sure those conducting the penetration test are not members of the team responsible for managing or configuring the systems being tested.
You should perform a penetration test annually and be sure to test external and internal assets.
You can follow several different strategies when performing a penetration test. You can do an unknown-environment test (black box test), for which the pentester is given no information about the target environment. You can do a known-environment test (white box test), for which the pentester is given all of the information about the environment being tested. Or you can do a partially known-environment test (gray box test), for which limited information is given to the pentester to ensure the test is focused and timely.
A threat actor is someone or something that may perform an attack on your systems or environment.
The OWASP Top 10 document is a listing of the ten most common security flaws found in web applications and is a great resource for pentesters.
The four phases of the CompTIA penetration testing process are: planning and scoping, information gathering and vulnerability identification, attacks and exploits, and reporting and communication.