Hello, my name is Mrs. Holborow, and welcome to Computing.

I'm so pleased you've decided to join me for the lesson today.

In today's lesson, we're going to be looking at some of the measures and practices used to protect computer systems. In particular, we're going to be looking at how penetration testing can be used to simulate a cyber attack.

Welcome to today's lesson from the unit "Cyber threats and security." This lesson is called "Testing as a form of defence." And by the end of today's lesson, you'll be able to describe and design a penetration test.

Shall we make a start? We will be exploring these keywords in today's lesson.

Penetration testing, penetration testing, a simulated cyber attack used to test the security of a computer system, network, or application.

Security, security, the measures and practices used to protect systems, networks, and data from unauthorised access, damage, or theft.

Ethical hacker, ethical hacker, a cybersecurity professional who is authorised to break into systems in order to find and fix vulnerabilities.

Network forensics, network forensics, the process of monitoring and analysing computer network traffic to gather information and detect intrusion.

Look out for these keywords throughout today's lesson.

Today's lesson is broken down into two parts.

We'll start by describing penetration testing, and then we'll move on to design a penetration test.

Let's make a start with describing penetration testing.

Penetration testing is a type of security testing that is used to test insecure areas of a system or application.

Penetration testing is important because it helps organisations identify and fix security weaknesses before attackers can exploit them.

Penetration testing is performed by cybersecurity professionals called penetration testers or ethical hackers.

They are skilled experts who simulate cyber attacks to find vulnerabilities.

They use the same tools and methods as malicious hackers but, importantly, with permission to test and strengthen activity.

So, the organisation or person who owns the system that they're trying to hack is aware that they are doing it.

Much of penetration testing focuses on network forensics.

Network forensics involves monitoring and analysing computer network traffic to gather information and detect intrusion.

The goal of testing is to find all of the security vulnerabilities, including susceptibility to social engineering, of the system being tested.

There are several areas that penetration testers may check when looking for vulnerabilities, such as physical security, so are there locks on the doors, are there CCTV cameras, that kind of thing; training; data storage, so where files and software, et cetera, are stored; and software security, so has the software been updated with recent patches and things like that?

Penetration testers may test the physical security measures that are designed to deny unauthorised access to facilities, equipment, and resources, and to protect personnel and property from damage or harm.

They may try to enter a secure area by following someone with authorised access.

This is known as tailgating.

They might also pretend to be a member of staff, cleaner, or delivery person to gain access.

They may test badges and locks or even look for sensitive information thrown in the rubbish.

They may attempt to access unattended equipment, such as unlocked computers.

Penetration testers may investigate if and how the company provides training for staff to make sure they understand potential social engineering threats.

For example, do they have good network policies and user access levels in place, and are they reviewed regularly?

Penetration testers may test the data storage systems and use tools to try and retrieve sensitive data from the company's systems.

They may also check that software security is effective and that the company keeps up with necessary patches and uses good antivirus software and firewalls.

Penetration testers may approach their work from a variety of perspectives.

This helps to identify weaknesses and areas for improvement from a variety of perspectives that could pose a security risk.

With white box testing, the ethical hacker will approach testing with full knowledge of the systems, like a member of staff would have.

Approaching the test from this angle means the system is tested from the perspective of a malicious insider, so maybe an employee who's not very happy.

With grey box testing, the ethical hacker may have some knowledge of the system but not all.

Approaching the test from this angle provides a balanced view of the system and combines both external attacker perspective and internal system knowledge.

With black box testing, the ethical hacker has no knowledge of the system, and this tests the system from the perspective of an external hacker.

Black box testing is important because it shows how secure the system is when viewed from the outside, where most threats originate.

Penetration testers may use commercial analysis tools.

For example, the National Cyber Security Centre, or NCSC, provides a free service to public service organisations called the NCSC Web Check.

Time to check your understanding.

Which type of test gives a full knowledge of systems to the ethical hacker? Is it A, grey box, B, white box, or C, black box? Pause the video here whilst you have a think.

Did you select B, white box? Well done.

Remember, this is from the inside perspective, so somebody will know about the system.

True or false? Penetration testers only look for security weaknesses in software.

Pause the video whilst you have a think.

Did you select false? Well done.

But why is it false? There are several areas that penetration testers may check when looking for vulnerabilities, such as physical security, training, data storage, and software security.

Let's have a go at this one.

Trying to enter a secure area following an authorised member of staff is known as A, pharming, B, tailgating, or C, phishing.

Pause the video whilst you have a think of the answer.

Did you select B? Well done.

Trying to enter a secure area by following an authorised member of staff is known as tailgating.

Okay, we're moving on to our first task of today's lesson, and you've done a fantastic job so far, so well done.

I'd like you to use the word bank to fill in the blanks in these sentences.

Penetration _____ is a type of security testing that is used to test for insecure areas of a _____ or application.

Penetration testing is _____ because it helps organisations identify and fix _____ weaknesses before attackers can _____ them.

And the word bank provided is system, security, important, testing, and exploit.

Pause the video whilst you have a go at the task.

How did you get on? Let's have a look at the sample answer together.

Penetration testing is a type of security testing that is used to test for insecure areas of a system or application.

Penetration testing is important because it helps organisations identify and fix security weaknesses before attackers can exploit them.

If you need to make any corrections, remember, you can pause your video now.

For part 2 of task A, I'd like you to write two to three sentences to describe white box and black box penetration testing.

Pause the video whilst you have a go at the task.

How did you get on? Well done.

Let's have a look at a sample answer together.

In white box penetration testing, the tester has full knowledge of the system and the testing is done from the perspective of a malicious insider.

With black box penetration testing, the tester has no internal information about the system and the testing is done from the perspective of an external hacker with no prior access.

Penetration testing is done from different perspectives to identify weaknesses and areas for improvement that could pose a security risk.

Okay, so we've described penetration testing.

We're now going to move on to design a penetration test.

Designing penetration tests is important because it ensures that the testing is effective, focused, and safe.

A well-designed test targets the right systems, uses appropriate methods, and avoids disrupting critical services that are important to the organisation and the customers that they serve.

There are several stages involved in organising and developing effective penetration tests.

These include planning, discovery, attack, and reporting.

Let's have a look at each stage in a bit more detail.

In the planning stage, testers will define the objectives and scope of the test.

They will decide upon the rules of the test as well as the type of test to be done.

For example, white, grey, or black box.

Importantly, the testers will need to get permission to perform the test in the planning stage.

Testing without permission is illegal and unethical.

Getting permission means the tester remains on the right side of the law.

The purpose of the discovery stage is to collect as much data as possible about the system's structure, software, and weaknesses without triggering alarms or being detected.

The testers may search for leaked records and information that could be used in the attack, as well as working directly on the target system to identify weaknesses.

A SQL injection attack is a type of cyber attack where a malicious user tricks a website or app into running harmful SQL, or Structured Query Language, code in a database.

This can let the attacker view, change, delete data, or even bypass login systems.

In the attack stage, penetration testers will attempt to gain access to or extract data from the targeted system.

They will assess the system by simulating real-world threats, which may include attempting to crack passwords or carrying out actions such as SQL injection to compromise security.

As they undertake simulated attacks, testers are careful to avoid actually damaging the system or causing harm.

Accidental damage can be costly, so safe and responsible testing is essential for protecting systems and data.

The reporting stage is the final stage and one of the most important stages of a penetration test.

It involves putting all of the findings of the test into a clear, professional report for the organisation.

The report will outline what vulnerabilities were found and how they were exploited.

Importantly, the report will make suggestions of how to fix issues and make future recommendations to improve security.

Time to check your understanding.

In which stage would a penetration tester collect information and data on the system? Is it A, the reporting stage, B, the attacking stage, or C, the discovery stage? Pause the video whilst you think about your answer.

Did you select C, discovery? Well done.

True or false? Ethical hackers and penetration testers can just ask for permission after completing a simulated attack.

Is this true or false? Think carefully about your answer.

Did you select false? Well done.

Ethical hackers and penetration testers must gain permission before starting the simulated attack to avoid breaking the law.

Penetration testers may use types of simulated tests and attacks to expose potential vulnerabilities in the attack stage.

They may decide to focus their efforts on physical attacks, software attacks, or social engineering attacks.

Physical attacks aim to test how well an organisation's physical security controls prevent unauthorised access to buildings, equipment, information, or sensitive areas.

Tailgating may be used to try and follow a member of staff to gain physical access to the offices and network room servers.

Tailgating is used to test whether staff can be exploited to bypass physical security systems.

Shoulder surfing is another type of physical attack where an attacker tries to steal sensitive information by watching someone's screen or keyboard activity without them realising it.

The aim of the attack is to test whether staff are careful to shield their password and sensitive information.

Software attacks aim to exploit vulnerabilities in programs or systems in order to gain unauthorised access, disrupt functionality, steal data, or cause damage.

Denial-of-service, or DoS, attacks might be used to register thousands of status updates to existing users.

This will test whether a DoS attack could cause services to slow down or crash.

Penetration testers may run a simulated SQL injection attack to test whether web applications properly handle user input.

Instead of submitting a username or password, they may submit two strings that trick the database into giving up all of its information.

The aim of the attack is to catch and fix flaws before attackers can exploit them.

This reduces the risk of data theft or full unauthorised database access.

Social engineering attacks aim to manipulate or deceive people into giving away confidential information or granting unauthorised access to systems, data, or physical locations.

Blagging might be used to call employees to tell them that they have just downloaded a virus, which can be fixed if they provide login details for the "IT professional" to access their account remotely.

Baiting might be used to entice victims with something appealing, like a free gift or interesting file, to trick them into compromising security.

The attack might involve tempting employees to take unsafe action by plugging in a USB drive or clicking a link to claim a fake prize or download a file infected with malware.

Simulated social engineering attacks can help identify whether training is needed to improve staff awareness and security.

Time to check your understanding.

Which of the following is an example of a social engineering attack? Is it A, baiting, B, SQL injection, or C, denial-of-service, or DoS, attack? Pause the video whilst you have a think.

Did you select A, baiting? Well done.

Okay, we're moving on to our second task of today's lesson, task B.

I'd like you to start by matching the stage to the description.

So the stages we have are the planning stage, discovery stage, attack stage, and reporting stage.

And then the descriptions we have are A, finds exploits for various vulnerabilities, B, makes suggestions of how to fix issues and make recommendations, C, defines the objectives and scope of the test, and D, searches for and collects information and data on the system.

Pause the video whilst you match the stage to the description.

How did you get on? Did you manage to correctly match the stage to the description? Well done.

Let's have a look at the answers together.

So, the planning stage should be matched with C, defines the objectives and scope of the test.

The discovery stage should be matched with D, searches for and collects information and data on the system.

The attack stage should be matched with A, finds exploits for various vulnerabilities.

And then finally, the reporting stage is matched to B, makes suggestions of how to fix issues and make recommendations.

I'm sure you had all of those correct.

Well done.

Ranter is a new social media app for angry people.

The company have little experience of penetration testing and have asked a consultant to design an example penetration attack to test their physical and software security systems. They would also like to see how they can test their vulnerability to social engineering.

For part 2, complete the table to design an example penetration test for Ranter.

So, we've got the three categories, physical, software, and social engineering.

You need to define the type of test and then some details about the test.

Pause the video whilst you have a go at the task.

How did you get on? Did you manage to design your penetration tests? Well done.

Let's have a look at some sample answers together.

Remember, there are all types of tests that you could have suggested, so if you've got something slightly different than this sample answer, then that's absolutely fine.

So for physical, the type of test is tailgating.

The details of the test.

In this test, the attacker will follow a member of staff to try and gain physical access to the offices and network room servers.

If successful, the attacker will gain unauthorised access to sensitive areas and information and expose vulnerability.

For software, we've used the type of test denial of service, or DoS.

To perform a DoS attack, the attacker will try to register thousands of status updates to existing users.

If the attack is successful, it causes the service to slow down or crash and exposes a vulnerability.

For social engineering, the type of test used has been baiting.

In this test, a number of USB sticks will be left in strategic places around the company, labelled "Ranter employee bonus scheme." If staff take the bait and use the USB sticks, this would show that the systems are vulnerable to attack.

Remember, if you need to pause your video here and add any extra detail to your responses, you can do that now.

Okay, we've come to the end of today's lesson, "Testing as a form of defence." And you've done a great job, so well done.

Let's summarise what we've learned together during today's lesson.

Penetration testing is a controlled method of testing a system's security by simulating real cyber attacks.

Penetration testing helps identify and fix vulnerabilities before attackers can exploit them.

There are different types of penetration tests, including black box, white box, and grey box.

Penetration testing is a key part of maintaining strong cybersecurity in organisations.

I hope you've enjoyed today's lesson, and I hope you'll join me again soon, bye.