In week 1, I learned more about methodology, such as:

  • Ethical hackers = employed by companies to perform penetration testing
  • Penetration tester = attempts to break into a company’s network to find its weakest link, then reports the findings
  • Security tester = similar to a penetration tester, but in addition they analyze the company’s security policy and procedures. They also offer solutions to secure or protect the network.

I also found new methodology such as crackers, since back then all I knew about was hackers. They are defined as follows:

  • Hackers = access a computer system or network without authorization
  • Crackers = aside from accessing a computer system or network without authorization, they also steal or destroy data.

I also learned that new, inexperienced hackers have their own nickname, script kiddies, which basically means that they copy code and techniques from knowledgeable hackers. This is dangerous for both them and their target, since they don’t actually know what the code might do to the target.

There’s also something called a Tiger Box, which contains a collection of OSs and hacking tools that help penetration testers and security testers search for vulnerabilities and conduct attacks.

Another methodology used in a company’s network security team is blue team and red team, which have different roles:

  • Blue team = defends the system from the red team and usually has knowledge of the internal system; they may perform a pentest by trying to think about how surprise attacks might occur
  • Red team = performs a pen-test without the knowledge and consent of the organization’s IT staff, may be with or without warning

Then, when doing penetration testing or security testing, we must first of all have a signed agreement between both sides (us and our client) about the penetration testing procedure, and verify that the target is owned by the client or that the client has the rights to the target. Without this crucial step it is actually very dangerous for us as penetration or security testers, since we may violate the Indonesian law UU ITE. Furthermore, I learned that there are 3 models of penetration testing methodology:

  • White Box model = the tester is told everything about the network topology and technology, and is also authorized to interview IT personnel and company employees.
  • Black Box model = company staff do not know about the test and the tester is not given details about the network. This model can be used to test whether the network’s security is able to detect attacks.
  • Gray Box model = the tester is given partial information about the company’s network.

Lastly, I learned that there are also certifications for testers, such as OPST (OSSTMM Professional Security Tester) or CISSP (Certified Information Systems Security Professional), which are important in order to get a job as a penetration tester or security tester.