VAPT Certification
Vulnerability Assessment and Penetration Testing
Vulnerability Assessment and Penetration Testing Certification is the art of finding vulnerabilities and digging deep to seek out what proportion a target can be compromised, just in case of a legitimate attack. A penetration test will involve exploiting the network, servers, computers, firewalls, etc., to uncover vulnerabilities and highlight the practical risks involved with the identified vulnerabilities
Stages of Vulnerability Assessment and Penetration Testing
Penetration testing Certification can be broken down into multiple phases; this will vary depending on the organization and the type of test conducted– internal or external. Let’s discuss each phase:
- Agreement phase.
- Planning and reconnaissance.
- Gaining Access.
- Maintaining access.
- Evidence collection and report generation.
Types of Penetration testing based on knowledge of the target
Black Box
When the attacker does not know the target, it is referred to as a black box penetration test. This type requires a lot of time and the pen-tester uses automated tools to find vulnerabilities and weak spots.
White Box
When the penetration tester is given the complete knowledge of the target, it is called a white-box penetration test. The attacker has complete knowledge of the IP addresses, controls in place, code samples, operating system details, etc. It requires less time when compared to black-box penetration testing.
Grey Box
When the tester is having half info about the target, it is referred to as gray box penetration testing. In this case, the attacker will have some knowledge of the target information like URLs, IP addresses, etc., but will not have complete knowledge or access.
Types of Penetration testing based on the position of tester
- If the penetration test is conducted from outside the network, it is referred to as external penetration testing
- the attacker is present inside the network, simulation of this scenario is referred to as internal penetration testing
- Targeted testing is usually performed by the organization’s IT team and the Penetration Testing team working together
- In a blind penetration test, the penetration tester is provided with no prior information except the organization name
- In a double-blind test, at max, only one or two people within the organization might be aware that a test is being conducted.
Types of Penetration testing based on where it is performed
Network Penetration Testing
Network Penetration Testing activity aims at discovering weaknesses and vulnerabilities related to the network infrastructure of the organization. It involves, firewall configuration & bypass testing, Stateful analysis testing, DNS attacks, etc. Most common software packages which are examined during this test include:
- Secure Shell(SSH)
- SQL Server
- MySQL
- Simple Mail Transfer Protocol(SMTP)
- File Transfer Protocol
- Application Penetration Testing
In Application Penetration Testing, penetration tester checks, if any security vulnerabilities or weaknesses are discovered in web-based applications. Core application components such as ActiveX, Silverlight, and Java Applets, and APIs are all examined. Therefore this kind of testing requires a lot of time.
Wireless Penetration Testing
In Wireless Penetration Testing, all of the wireless devices which are used in a corporation are tested. It includes items such as tablets, notebooks, smartphones, etc. This test spots vulnerabilities in terms of wireless access points, admin credentials, and wireless protocols.
Social Engineering
Social Engineering Test involves attempting to get confidential or sensitive information by purposely tricking an employee of the organization. You have two subsets here.
- Remote testing – involves tricking an employee to reveal sensitive information via an electronic means.
- Physical testing – involves the use of a physical means to gather sensitive information, like threaten or blackmail an employee.
Client-Side Penetration Testing
The purpose of this type of testing is to identify security issues in terms of software running on the customer’s workstations. Its primary goal is to search and exploit vulnerabilities in client-side software programs. For example, web browsers (such as Internet Explorer, Google Chrome, Mozilla Firefox, Safari), content creation software packages (such as Adobe Framemaker and Adobe RoboHelp), media players, etc.
For more information about Penetration Testing Certification Body and the role we can play in your efforts to achieve certification to it, feel free to contact us.