Vulnerability Assessment & Penetration Testing (VAPT) Basics & Methodologies
Presented by Mohammed Adam B.E (CEH)
Digital Age Strategies Pvt. Ltd. Bangalore
Outline
• Cyber attacks & Data Losses
• Why are Systems Vulnerable?
• What is Vulnerability Assessment?
• What is Penetration Testing?
• Steps Involved in VAPT Process
• Types of Testing
• VAPT Tools
• Automated vs Manual VAPT
• Benefits of VAPT Activities for an Organisation
Cyber Attacks & Data Losses
• Cyber attacks are increasing every day with the
increased use of mobile and Web applications. Globally,
statistics show that more than 70 per cent of the
applications either have vulnerabilities which could
potentially be exploited by a hacker, or worse, they have
already been exploited.
• The data losses due to this are typically of two types.
Either the data is confidential to the organisation or it is
private to an individual. Regardless of the category, data
losses result in the loss of money or reputation.
Why are systems vulnerable?
• Two main reasons for systems being vulnerable: misconfiguration
and incorrect programming practices.
• Misconfiguration
• Network devices such as routers, switches and servers, as well as
firewalls and IPS systems, are either misconfigured or in some
cases not configured at all, and so run with default settings.
• As an example, almost all firewalls have a default built-in user
account with the name ‘admin’. Typically, the password for it is
also set to ‘admin’ by default, or something even easier to
guess. Looking at the example of servers, installing a database
server leaves us with an ‘sa’ account, which has a blank
password.
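A defensive check for the default accounts described above, as an added example that is not part of the original slides: it audits a constructed account inventory against the two default pairs the slide names. The inventory layout, host names and the PBKDF2 storage scheme are assumptions for illustration.

```python
import hashlib
import hmac

# Default username/password pairs named on the slide. A real audit would
# extend this list from vendor documentation for the devices in scope.
DEFAULT_PAIRS = [("admin", "admin"), ("sa", "")]

ITERATIONS = 10_000  # assumption: kept low so the example runs quickly


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier the way the (assumed) credential store does."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def build_sample_inventory():
    """Constructed sample data: four accounts, two of them left on defaults."""
    rows = [
        ("fw-edge-01", "firewall", "admin", "admin"),
        ("fw-core-02", "firewall", "admin", "correct-horse-battery-staple"),
        ("db-legacy-01", "database", "sa", ""),
        ("db-prod-02", "database", "sa", "long-unique-passphrase-42"),
    ]
    inventory = []
    for index, (host, kind, user, password) in enumerate(rows):
        salt = bytes([index + 1]) * 16  # fixed salts keep the sample reproducible
        inventory.append({
            "host": host, "kind": kind, "user": user,
            "salt": salt, "hash": hash_password(password, salt),
        })
    return inventory


def audit_defaults(inventory):
    """Return (host, user, reason) for every account still on a default."""
    findings = []
    for account in inventory:
        for user, password in DEFAULT_PAIRS:
            if account["user"] != user:
                continue
            # Re-derive the verifier for the default password with this
            # account's salt; a match means the default was never changed.
            candidate = hash_password(password, account["salt"])
            if hmac.compare_digest(candidate, account["hash"]):
                reason = "blank password" if password == "" else "default password"
                findings.append((account["host"], account["user"], reason))
    return findings


if __name__ == "__main__":
    for host, user, reason in audit_defaults(build_sample_inventory()):
        print(f"{host}: account '{user}' has a {reason}")
```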
Why are systems vulnerable? Contd.
• Incorrect programming practices
• As for programming errors, user input taken from a
Web application form may be sent directly to a backend
database server without parsing it. This can lead to a
parameter manipulation attack or SQL injection attack.
• Another example of a programming error would be a
Web service accepting requests without performing adequate
authentication, thus leaking data inadvertently. This shows us
that it is human error that leads to vulnerable systems, which
could be exploited easily by attackers to compromise data
confidentiality, integrity and availability.
What is Vulnerability Assessment?
• Vulnerability assessment (VA) is a systematic technical
approach to finding the security loopholes in a network
or software system.
• It primarily adopts a scanning approach, which is carried out
both manually and with certain tools.
• The outcome of a VA process is a report showing all
vulnerabilities, which are categorised based on their
severity. This report is further used for the next step,
which is penetration testing (PT).
What is Penetration Testing?
• A Penetration test (PT) is a proof-of-concept approach to
actually explore and exploit vulnerabilities.
• This process confirms whether the vulnerability really
exists and further proves that exploiting it can result in
damage to the application or network.
• The outcome of a PT is, typically, evidence in the form
of a screenshot or log, which substantiates the finding
and can be a useful aid towards remediation.
Steps Involved in VAPT Process
• Reconnaissance
• Scanning the network or application
• Searching for security flaws
• Exploiting the security flaws
• Preparing the final report of the test
Web VAPT Process
Network VAPT Process
Types of Testing
• Penetration testing usually falls under three categories:
Black Box, Gray Box, and White Box.
• Black Box does not include any knowledge of the structure of the
system, so this type of testing simulates the approach of an outside
attacker.
• Gray Box includes only a limited knowledge of the layout of the
target.
• White Box testing occurs when a penetration tester has complete
knowledge of the layout of the target(s).
VAPT tools
• Nmap
• Acunetix
• Nessus
• OpenVAS
• Nexpose
• BurpSuite (PT)
• Metasploit (PT)
Automated vs Manual VAPT
• An ethical hacker’s job can be made less stressful by
automating certain tasks of vulnerability assessment;
however, the proof-of-concept part in penetration testing
mostly relies on manual ways of exploiting the loophole
and gathering the required evidence.
• Each network or application is different, resulting in a very
wide range of vulnerability scenarios.
Steps an Ethical Hacker Performs for a VAPT
• Enumerates a vulnerability
• Performs an attack manually
• Analyses the results of the attack
• Performs similar or different attacks based on previous
findings
• Assimilates the results to create a customised attack
• Exploits the vulnerability further to see if more attacks are
possible
• Repeats the above steps for all vulnerabilities
Benefits of VAPT Activities for an
Organisation
• Helps identify programming errors that can lead to cyber
attacks
• Provides a methodical approach to risk management
• Secures IT networks from internal and external attacks
• Secures applications from business logic flaws
• Increased ROI on IT security
• Protects the organisation from loss of reputation and
money
Thank you!
Any Queries?

