Skip navigation

Category Archives: Security Terminology

When vulnerability is found within a system, an “exploit” is needed to provide access to the computer. The vulnerability can be a glitch, a bug, or even a simple design weakness within the hardware or software.  Once the weakness is discovered, an attacker can use software or commands to carry out some sort of malicious intent such as a worm, virus, or a denial-of-service attack.  On many occasions, once a vulnerability is discovered by a hacker, it is immediately posted to a website or discussed in forums so others can take advantage of it.  Even though there are no known inoculations against future exploits, patches and/or fixes are our only line of defense to protect us once a weakness is discovered.  Thus, it is very important for us to update our systems often.

Advertisements

For the next few blogs, I will be discussing some common terms one might encounter if they are lucky to be working within any information security capacity. The first term that I will be discussing and most are probably already familiar with is penetration testing, or often called pen testing.

Pen testing is the practice of attacking an IT system the same way a hacker might attack in order to identify security holes. The person who carries out the testing is often called a penetration tester or pentester.  Of course, this is all done with the permission of the client and also without harming the actual network.  If the client were unaware, this would be considered hacking into the system which is considered illegal.  Most pentesters would recommend that before testing begins, it is in the tester’s best interest to obtain written permission prior in order to cover their ass if questions should arise.

To become a pentester, one could be lucky to have natural talent like HD Moore.  HD Moore, who was a high-school whiz kid, started a company in 2003 that goes by the name of Metasploit.  Both him and his company have become the de facto standard for penetration testing and exploit code development.  I highly recommend you visiting his web site www.metasploit.com if you are interested in this line of work.  Of course, if you don’t have the ‘natural” skills like Moore, you could enroll in some type of formal training to help educate yourself to become a pentester.  There are many training resources available such as Rapid7, GIAC, etc…. just make sure you do your research to find one that is reputable and is also recognized by the information security community.