With the development of information technology, and especially as the Internet has become widespread, an unprecedented volume of information is available, while at the same time its openness and freedom face greater threats than ever. The security of network information has become more important. Understanding and evaluating the current state of information security, raising the security requirements placed on information systems, choosing the best risk-control measures, setting up an information security management system, and developing an effective security policy have become pressing needs. Risk assessment is becoming an important part of this demand. Meanwhile, testing the security of software and of the workflow across the software life cycle (requirements, design, coding, testing, maintenance), and reducing the threat by closing the holes that are found, is becoming more rigorous. Penetration testing is a cost-effective way to measure the state of a network and its weaknesses; it can be used to find flaws and threats, and the risks it uncovers are reduced across the design, development, testing and operation phases.

This paper addresses the issues above by bringing penetration testing and risk assessment together from the point of view of risk. It focuses on risk-based penetration testing, researches and discusses the main testing techniques, optimizes the penetration testing process and programs, examines the risks of penetration testing itself and how to evade them, and finally summarizes the most commonly used tools. The paper covers the following aspects:

1) An in-depth analysis of the most commonly used penetration testing techniques: hiding and evasion techniques, security scanning, denial of service, buffer overflows, account and password cracking, network sniffing, ARP spoofing, SQL injection and cross-site scripting, social engineering, and wireless cracking.

2) With reference to international standards and following a hierarchical approach, an analysis of the current penetration testing process. In this paper, penetration testing is divided into 5 phases with 10 steps: the planning and preparation phase; the investigation phase (collect information, identify the target, vulnerability scanning); the attack phase (pillage, privilege escalation, set up the backdoor, clean-up); the risk assessment phase; and the report generation phase. The mission, objectives and method of each phase are also discussed. Throughout, the penetration tester should pay close attention to risk and take evasive measures.

3) A risk analysis of the actual risks of penetration testing techniques (including management and personnel risks), and measures to avoid those risks. It should be noted that risk evasion may have a large impact on the results of a penetration test.

4) A collection, summary, classification and analysis of the penetration testing platforms and tools used at different stages and for different systems and applications. Effective use of tools can sometimes make testing more efficient, but one should take a correct attitude towards their use. Because penetration testing is very complex, its methods are highly technical, and its results are closely tied to the experience of the tester, the results should be viewed with appropriate judgement. In addition, testing instances and evasions will be explored in future work.

In conclusion, because of the special position of penetration testing, its closeness to customers, and its ability to test a customer's level of protection in the most direct and cost-effective way, it will certainly receive more attention and become more popular.