The root causes of security issues
Hierarchical thinking
Advantages: clear division of labor, high efficiency
Cons: employees no overall understanding of the system, the more one-sided safety knowledge
Security objectives
Before the attacker to detect and prevent loopholes
Attack: the attacker's thinking discovered vulnerability, an attacker system
Protection type: a huge investment, there will be omissions, not comprehensive enough, the effect is not high
Penetration Testing
Weaknesses try to crack the system's defense mechanisms, discovery system
Thoughts from an attacker's perspective, measure the effectiveness of security
Proof problems, rather than broken ring
It is not limited to a single machine problems arise, while focusing on vulnerability and harm the entire system
Penetration Testing Standard
PETS (http://www.pentest-standard.org)
The early stage of interaction (penetration testing to determine the scope of the application system penetration task division)
Intelligence gathering (information collection target systems, passive and active collection collection)
Threat Modeling (based on the information collected to determine the most effective, the most likely way to succeed attack)
Vulnerability analysis (analysis by the system software version, write exploit code)
Penetration attacks stage (not as imagined so smoothly, the target system protection system)
After penetration testing phase (to expand our coverage of penetration)
Penetration Testing Report Stage (may be controlled to customers and colleagues demonstrated that other systems, description found that the use of the process, and how to resolve)
Penetration Testing Methods
Whether to allow social engineering attacks
Whether to allow DDOS attack
Kali Linux strategy
Root user policy (different from the normal Linux system carefully use)
Network Services Policy (off by default all network services, since the launch of the script off by default)
An upgrade strategy (Debian + KALI official)
Practice is the best teacher, Kali is very powerful, but not all. This is just a starting point on penetration testing.