{"appState":{"pageLoadApiCallsStatus":true},"categoryState":{"relatedCategories":{"headers":{"timestamp":"2022-05-17T12:31:15+00:00"},"categoryId":33537,"data":{"title":"Cybersecurity","slug":"cybersecurity","image":{"src":null,"width":0,"height":0},"breadcrumbs":[{"name":"Technology","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33512"},"slug":"technology","categoryId":33512},{"name":"Cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"},"slug":"cybersecurity","categoryId":33537}],"parentCategory":{"categoryId":33512,"title":"Technology","slug":"technology","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33512"}},"childCategories":[],"description":"Batten down the (virtual) hatches with these rock-solid strategies for protecting your privacy and security.","relatedArticles":{"self":"https://dummies-api.dummies.com/v2/articles?category=33537&offset=0&size=5"}},"_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"}},"relatedCategoriesLoadedStatus":"success"},"listState":{"list":{"count":10,"total":51,"items":[{"headers":{"creationTime":"2019-12-22T20:09:51+00:00","modifiedTime":"2022-03-15T20:59:52+00:00","timestamp":"2022-03-16T00:01:11+00:00"},"data":{"breadcrumbs":[{"name":"Technology","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33512"},"slug":"technology","categoryId":33512},{"name":"Cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"},"slug":"cybersecurity","categoryId":33537}],"title":"GDPR For Dummies Cheat Sheet","strippedTitle":"gdpr for dummies cheat sheet","slug":"gdpr-for-dummies-cheat-sheet","canonicalUrl":"","seo":{"metaDescription":"This cheat sheet answers some questions about a few major misunderstandings regarding GDPR requirements for non-EU organizations and Article 27.","noIndex":0,"noFollow":0},"content":"The <a 
href=\"https://www.dummies.com/education/politics-government/general-data-protections-regulation-gdpr/\" target=\"_blank\" rel=\"noopener\">General Data Protection Regulation</a> (GDPR) was designed to streamline data protection laws across Europe as well as provide for some consistency across the European Union (EU). Although it's been in place since May 2018, it still causes a lot of confusion. This cheat sheet answers some questions about a few major misunderstandings: Does the GDPR apply to non-EU organizations? Can non-EU organizations be fined for non-compliance? Do you need an Article 27 representative?\r\n\r\n[caption id=\"attachment_266834\" align=\"alignnone\" width=\"556\"]<img class=\"size-full wp-image-266834\" src=\"https://www.dummies.com/wp-content/uploads/gdpr-concept-image.jpg\" alt=\"GDPR concept image\" width=\"556\" height=\"371\" /> © Wright Studio/Shutterstock.com[/caption]","description":"The <a href=\"https://www.dummies.com/education/politics-government/general-data-protections-regulation-gdpr/\" target=\"_blank\" rel=\"noopener\">General Data Protection Regulation</a> (GDPR) was designed to streamline data protection laws across Europe as well as provide for some consistency across the European Union (EU). Although it's been in place since May 2018, it still causes a lot of confusion. This cheat sheet answers some questions about a few major misunderstandings: Does the GDPR apply to non-EU organizations? Can non-EU organizations be fined for non-compliance? 
Do you need an Article 27 representative?\r\n\r\n[caption id=\"attachment_266834\" align=\"alignnone\" width=\"556\"]<img class=\"size-full wp-image-266834\" src=\"https://www.dummies.com/wp-content/uploads/gdpr-concept-image.jpg\" alt=\"GDPR concept image\" width=\"556\" height=\"371\" /> © Wright Studio/Shutterstock.com[/caption]","blurb":"","authors":[],"primaryCategoryTaxonomy":{"categoryId":33537,"title":"Cybersecurity","slug":"cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"}},"secondaryCategoryTaxonomy":{"categoryId":0,"title":null,"slug":null,"_links":null},"tertiaryCategoryTaxonomy":{"categoryId":0,"title":null,"slug":null,"_links":null},"trendingArticles":null,"inThisArticle":[],"relatedArticles":{"fromBook":[{"articleId":267867,"title":"GDPR and Data Security","slug":"gdpr-and-data-security","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/267867"}},{"articleId":267864,"title":"The GDPR and Data Subject Access Rights (DSARs)","slug":"the-gdpr-and-data-subject-access-rights-dsars","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/267864"}},{"articleId":267861,"title":"How to Create and Communicate Your Opt-In Wording","slug":"how-to-create-and-communicate-your-opt-in-wording","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/267861"}},{"articleId":267858,"title":"Data Protection: When to Use Opt-In Wording","slug":"data-protection-when-to-use-opt-in-wording","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/267858"}},{"articleId":267854,"title":"How to Create and Communicate Your Cookie 
Policy","slug":"how-to-create-and-communicate-your-cookie-policy","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/267854"}}],"fromCategory":[{"articleId":291466,"title":"Security Awareness For Dummies Cheat Sheet","slug":"security-awareness-for-dummies-cheat-sheet","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/291466"}},{"articleId":290240,"title":"Cloud Security For Dummies Cheat Sheet","slug":"cloud-security-for-dummies-cheat-sheet","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/290240"}},{"articleId":270968,"title":"How to Perform a Penetration Test","slug":"how-to-perform-a-penetration-test","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270968"}},{"articleId":270960,"title":"Penetration Testing with Burp Suite and Wireshark to Uncover Vulnerabilities","slug":"penetration-testing-with-burp-suite-and-wireshark-to-uncover-vulnerabilities","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270960"}},{"articleId":270942,"title":"Building a Penetration Testing Toolkit: Considerations and Popular Pen Test 
Tools","slug":"building-a-penetration-testing-toolkit-considerations-and-popular-pen-test-tools","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270942"}}]},"hasRelatedBookFromSearch":false,"relatedBook":{"bookId":282224,"slug":"gdpr-for-dummies","isbn":"9781119546092","categoryList":["technology","cybersecurity"],"amazon":{"default":"https://www.amazon.com/gp/product/1119546095/ref=as_li_tl?ie=UTF8&tag=wiley01-20","ca":"https://www.amazon.ca/gp/product/1119546095/ref=as_li_tl?ie=UTF8&tag=wiley01-20","indigo_ca":"http://www.tkqlhce.com/click-9208661-13710633?url=https://www.chapters.indigo.ca/en-ca/books/product/1119546095-item.html&cjsku=978111945484","gb":"https://www.amazon.co.uk/gp/product/1119546095/ref=as_li_tl?ie=UTF8&tag=wiley01-20","de":"https://www.amazon.de/gp/product/1119546095/ref=as_li_tl?ie=UTF8&tag=wiley01-20"},"image":{"src":"https://www.dummies.com/wp-content/uploads/gdpr-for-dummies-cover-9781119546092-203x255.jpg","width":203,"height":255},"title":"GDPR For Dummies","testBankPinActivationLink":"","bookOutOfPrint":true,"authorsInfo":"\n <p><b data-author-id=\"33258\">Suzanne Dibble</b>, LLB, CIPP/E, is a business lawyer who has advised huge multinational corporations, private equity-backed enterprises, and household names. Since 2010 she has focused on small businesses, combining her knowledge of large organizations with a deep appreciation for entrepreneurship, especially online businesses, to provide practical, relevant advice. Learn more at suzannedibble.com.</p>","authors":[{"authorId":33258,"name":"Suzanne Dibble","slug":"suzanne-dibble","description":"Suzanne Dibble, LLB, CIPP/E, is a business lawyer who has advised huge multinational corporations, private equity-backed enterprises, and household names. 
Since 2010 she has focused on small businesses, combining her knowledge of large organizations with a deep appreciation for entrepreneurship, especially online businesses, to provide practical, relevant advice. Learn more at suzannedibble.com.","_links":{"self":"https://dummies-api.dummies.com/v2/authors/33258"}}],"_links":{"self":"https://dummies-api.dummies.com/v2/books/"}},"collections":[],"articleAds":{"footerAd":"<div class=\"du-ad-region row\" id=\"article_page_adhesion_ad\"><div class=\"du-ad-unit col-md-12\" data-slot-id=\"article_page_adhesion_ad\" data-refreshed=\"false\" \r\n data-target = \"[{&quot;key&quot;:&quot;cat&quot;,&quot;values&quot;:[&quot;technology&quot;,&quot;cybersecurity&quot;]},{&quot;key&quot;:&quot;isbn&quot;,&quot;values&quot;:[&quot;9781119546092&quot;]}]\" id=\"du-slot-623128c7101fc\"></div></div>","rightAd":"<div class=\"du-ad-region row\" id=\"article_page_right_ad\"><div class=\"du-ad-unit col-md-12\" data-slot-id=\"article_page_right_ad\" data-refreshed=\"false\" \r\n data-target = \"[{&quot;key&quot;:&quot;cat&quot;,&quot;values&quot;:[&quot;technology&quot;,&quot;cybersecurity&quot;]},{&quot;key&quot;:&quot;isbn&quot;,&quot;values&quot;:[&quot;9781119546092&quot;]}]\" id=\"du-slot-623128c710b62\"></div></div>"},"articleType":{"articleType":"Cheat Sheet","articleList":[{"articleId":0,"title":"","slug":null,"categoryList":[],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/"}}],"content":[{"title":"Does the GDPR apply to non-EU organizations?","thumb":null,"image":null,"content":"<p>One of the sources of confusion regarding the GDPR is whether or not non-EU organizations meet GDPR requirements. 
There are two scenarios where the GDPR may apply to you:</p>\n<ul>\n<li>Your business is established within the EU.</li>\n<li>Your business is established outside of the EU but you either:\n<ul>\n<li>Offer goods or services to data subjects who are in the European Union, or</li>\n<li>You monitor the behavior of data subjects, as far as that behavior takes place within the EU.</li>\n</ul>\n</li>\n</ul>\n<p>So, is your business established in the EU?</p>\n<p>This is a straightforward enough question to answer if your business is entirely based in Spain, France or Italy, but what if your main business is located outside of the EU and you have a very small presence in an EU country?</p>\n<p>What does “established” actually mean? We have to look at the “effective and real exercise of activity through stable arrangements” to see what that means.</p>\n<p>The following factors by themselves do not determine establishment within the EU:</p>\n<ul>\n<li>Your organization has a single server in an EU country.</li>\n<li>Your website is accessible by people within the EU.</li>\n<li>You have an Article 27 Representative in the EU.</li>\n<li>You use a data processor within the EU (a service provider who processes personal data on your behalf and under your instruction, in other words).</li>\n<li>Your data subjects (the individuals whose personal data you hold) are based in the EU.</li>\n</ul>\n<p>Equally, the place of incorporation of your business or the fact that you have a branch or subsidiary in certain countries is not the deciding factor in where your business is established.</p>\n<p>Yet, if you have just one sales agent, one employee, or other such representative in an EU country and this constitutes an effective and real exercise of activity through stable arrangements, then you will have an establishment within an EU country.</p>\n<p>You don’t have to be processing personal data within the EU for the GDPR to apply. 
If you are processing personal data “in the context of the activities” of the EU establishment (remember that this may be a single sales rep), then GDPR will apply to you whether the processing takes place within the EU or not.</p>\n<p>Hence, if your business is mainly based outside of the EU and this is where the processing of personal data takes place, but you have an establishment within the EU and the processing carried out is in the context of the activities of the entity based outside of the EU, then the GDPR will apply regardless of the fact that the processing is being carried out outside of the EU.</p>\n<p>For the processing of personal data to be “in the context of the activities of the establishment,” there needs to be an inextricable link between the activities of the establishment based outside the EU (the one carrying out the processing) and the establishment based in the EU. Inextricable means that the two establishments are connected and cannot be separated.</p>\n<p>If processing by a non-EU entity is inextricably linked to the activities of an establishment in the EU, then the GDPR applies to all processing (even of data subjects outside of the EU), even though the EU establishment isn’t carrying out (or taking any part in) the data processing itself.</p>\n<p>If you have decided you definitely don’t have an establishment in the EU, then you need to look at whether you:</p>\n<ul>\n<li>Offer goods or services to data subjects who are in the European Union; or</li>\n<li>Monitor the behavior of data subjects, as far as that behaviour takes place within the EU.</li>\n</ul>\n<p>In terms of offering goods or services, it is irrelevant whether payment is made for these or not.</p>\n<p>When considering whether you’re offering goods or services to data subjects within the EU, you need to look at whether it was actually an active part of your business plan to offer goods or services to data subjects within the EU. 
If you have a few one-off sales in the EU or sign-ups to your newsletter from data subjects in the EU, for example, you may not be subject to the GDPR.</p>\n<p>The following factors are considered in determining whether you are offering goods or services in such a way that the GDPR applies to you:</p>\n<ul>\n<li>Your text is in an EU language.</li>\n<li>You&#8217;re displaying prices in an EU currency.</li>\n<li>You&#8217;ve enabled the ability for people to place orders in EU languages.</li>\n<li>You make references to the country of EU users or customers.</li>\n<li>You have advertisements directed to people within EU member states.</li>\n<li>You display telephone numbers with international codes.</li>\n<li>You&#8217;re using a domain of the European member state (for example, .de or .eu).</li>\n<li>You mention clients or customers in European member states.</li>\n</ul>\n<p>This list isn’t exhaustive and all circumstances need to be considered.</p>\n<p>The data processing must relate to data subjects located in the EU at the moment when the goods or services are offered or when the behavior is monitored. The citizenship, place of residence, or other legal status of the data subject has no relevance.</p>\n<p>One example is that of an app offered by a United States-based start-up that provides city mapping and targeted advertising for tourists from the US visiting European cities such as London, Paris and Rome. These US citizens who are in the EU when the service is offered and their behavior is monitored are “in the EU” and therefore the GDPR applies to this data processing. 
If, however, a US tourist downloads a US news app that targets US residents while on vacation in a country within the EU, this data processing is not subject to the GDPR.</p>\n<p>If you monitor or profile EU individuals’ behavior, where that behavior is occurring within the EU, then the GDPR applies to you.</p>\n<p>Monitoring includes the tracking of individuals online to create profiles, particularly where this is in order to make decisions concerning that individual or for analyzing or predicting the individual’s preferences, behaviors, and attitudes. For example, if you’re using cookies to track an individual’s activity on the Internet and that individual is within the EU, the GDPR applies to you.</p>\n"},{"title":"Can non-EU organizations be fined for non-compliance?","thumb":null,"image":null,"content":"<p>You will no doubt have heard of the headline fines introduced by the GDPR — a maximum of 20 million euros (about $24 million USD) or 4 percent of your worldwide turnover for the previous financial year, whichever is the higher.</p>\n<p>In 2019, British Airways faced a £183 million (about $229.72 million USD) fine and Marriott faced a £99 million (about $124 million USD) fine for security breaches. Google was fined 50 million euros (about $57 million USD) for a failure to follow the principles of the GDPR. Many other serious investigations into GDPR compliance failures are ongoing.</p>\n<p>But if your business is mainly based outside of the EU, you may be thinking, &#8220;Well, why should I bother complying with the GDPR, as surely EU regulators can’t take action against my business?&#8221;</p>\n<p>Such an approach may not be the smartest. 
Let’s look at the reasons why.</p>\n<h3>The regulatory consequences and the huge fines</h3>\n<p>Article 50 of the GDPR anticipates attempts by non-EU organizations to avoid compliance and makes specific provision for the EU’s data protection authorities to establish international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data.</p>\n<p>As was demonstrated by the United Kingdom’s enforcement notice against a Canadian company with no physical presence in the EU that was not in compliance with the GDPR, EU regulators will not be shy to take action against organizations outside of the EU.</p>\n<h3>Your EU customers and prospects won’t trust you</h3>\n<p>Aside from the regulatory consequences, your customers and prospects are much more informed about the GDPR than they were when it came to the old data protection laws and may not trust you with their personal data if they see examples of non-compliance.</p>\n<p>Supervisory authorities have run public awareness campaigns, so your prospects and customers in the EU will be much more savvy about their rights and how you should be complying with the GDPR. They will know, for example, that you should be providing them with your Privacy Notice and if you don’t do so, they will be suspicious and may decide not to entrust you with their personal data. In many cases, EU customers will vote with their feet and will move to a new supplier who is compliant with the GDPR.</p>\n<h3>Your EU customers will leave you</h3>\n<p>If you are processing personal data on behalf of data controllers within the EU — perhaps because you are an email services provider, a technology company, a marketing company or similar — and the data controllers transfer the personal data to you to process in some way, then you need to comply with the GDPR. 
If not, the data controller is not legally allowed to hire you as they must only appoint data processors who put measures in place to comply with the GDPR.</p>\n<h3>Your US customers care about data protection</h3>\n<p>According to a 2018 survey by Acxiom, 82 percent of people in the US are concerned about the issue of online privacy. This was the highest percentage out of all ten countries surveyed, including Spain, Canada, Australia, the UK, Singapore, France, Argentina, Germany, and the Netherlands.</p>\n<p>Although organizations established outside of the EU only need to comply with the GDPR in relation to data subjects within the EU, you might want to think about complying with it for all of your data subjects.</p>\n<p>The GDPR is the gold standard of data protection, so if you need to comply for your EU customers and prospects, why not have one tier of data protection rather than a lesser standard for your US data subjects. You can use this to your competitive advantage by advertising the fact that you care about their personal data.</p>\n<h3>It isn’t as onerous to comply as you think</h3>\n<p>You might think that complying with the GDPR is a time consuming and expensive thing to do, but if you have the right resources and your business is relatively straightforward, it need be neither of these things.</p>\n"},{"title":"Do you need an Article 27 representative?","thumb":null,"image":null,"content":"<p>If you do not have an establishment within the EU and the GDPR applies to you, you’re required to appoint a representative in writing.</p>\n<p>A representative can be a person or organization that acts as a liaison between your organization and EU supervisory authorities who investigate and enforce data protection matters.</p>\n<p>You don’t have to appoint a representative if your processing of personal data meets all three of these criteria:</p>\n<ul>\n<li>It’s occasional.</li>\n<li>It doesn’t include processing of special category data or criminal convictions 
data on a large scale.</li>\n<li>It’s unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope, and purposes of the processing.</li>\n</ul>\n<p>Special category data includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.</p>\n<p>The representative represents your organization with respect to your obligations under the GDPR, with the following two main responsibilities:</p>\n<ul>\n<li>To receive correspondence from supervisory authorities and data subjects on all issues related to the processing of personal data.</li>\n<li>To make available to the supervisory authority, at their request, your Article 30 processing records.</li>\n</ul>\n<p>Article 30 processing records are certain records of processing that you, as a data controller or a data processor, are obliged to keep.</p>\n<p>Representatives are typically law firms or consultants and must be established within an EU member state where your relevant data subjects are. 
For example, if you’re established in the United States and have no data subjects in Ireland, you cannot appoint a representative in Ireland simply because you speak the same language.</p>\n<p>After the UK leaves the EU, if you have data subjects within the UK, you will also need to appoint a UK Representative.</p>\n"}],"videoInfo":{"videoId":null,"name":null,"accountId":null,"playerId":null,"thumbnailUrl":null,"description":null,"uploadDate":null}},"sponsorship":{"sponsorshipPage":false,"backgroundImage":{"src":null,"width":0,"height":0},"brandingLine":"","brandingLink":"","brandingLogo":{"src":null,"width":0,"height":0}},"primaryLearningPath":"Solve","lifeExpectancy":"Six months","lifeExpectancySetFrom":"2021-12-07T00:00:00+00:00","dummiesForKids":"no","sponsoredContent":"no","adInfo":"","adPairKey":[]},"status":"publish","visibility":"public","articleId":266833},{"headers":{"creationTime":"2022-03-14T15:16:06+00:00","modifiedTime":"2022-03-14T15:18:42+00:00","timestamp":"2022-03-14T18:01:09+00:00"},"data":{"breadcrumbs":[{"name":"Technology","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33512"},"slug":"technology","categoryId":33512},{"name":"Cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"},"slug":"cybersecurity","categoryId":33537}],"title":"Security Awareness For Dummies Cheat Sheet","strippedTitle":"security awareness for dummies cheat sheet","slug":"security-awareness-for-dummies-cheat-sheet","canonicalUrl":"","seo":{"metaDescription":"Here's a summary of the key components to a cybersecurity awareness program, including how to get buy-in from leaders and colleagues.","noIndex":0,"noFollow":0},"content":"Security awareness is much more complicated than just making users “aware.” Implementing an effective security awareness program means that you aren’t just providing information — rather, you’re specifically improving security-related behaviors","description":"Security awareness is much more complicated 
than just making users “aware.” Implementing an effective security awareness program means that you aren’t just providing information — rather, you’re specifically improving security related behaviors","blurb":"","authors":[{"authorId":34698,"name":"Ira Winkler","slug":"ira-winkler","description":"Ira Winkler is president of Secure Mentem and is considered one of the world's most influential security professionals. He often assists organizations in developing cost-effective security programs. Winkler also won the Hall of Fame award from the Information Systems Security Association, as well as several other prestigious industry awards. Most recently, CSO Magazine named Winkler a CSO Compass Award winner as The Awareness Crusader. He is also a columnist for DarkReading and ComputerWorld, and he writes for several other industry publications. ","_links":{"self":"https://dummies-api.dummies.com/v2/authors/34698"}}],"primaryCategoryTaxonomy":{"categoryId":33537,"title":"Cybersecurity","slug":"cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"}},"secondaryCategoryTaxonomy":{"categoryId":0,"title":null,"slug":null,"_links":null},"tertiaryCategoryTaxonomy":{"categoryId":0,"title":null,"slug":null,"_links":null},"trendingArticles":null,"inThisArticle":[],"relatedArticles":{"fromBook":[],"fromCategory":[{"articleId":290240,"title":"Cloud Security For Dummies Cheat Sheet","slug":"cloud-security-for-dummies-cheat-sheet","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/290240"}},{"articleId":270968,"title":"How to Perform a Penetration Test","slug":"how-to-perform-a-penetration-test","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270968"}},{"articleId":270960,"title":"Penetration Testing with Burp Suite and Wireshark to Uncover 
Vulnerabilities","slug":"penetration-testing-with-burp-suite-and-wireshark-to-uncover-vulnerabilities","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270960"}},{"articleId":270942,"title":"Building a Penetration Testing Toolkit: Considerations and Popular Pen Test Tools","slug":"building-a-penetration-testing-toolkit-considerations-and-popular-pen-test-tools","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270942"}},{"articleId":270933,"title":"How to Structure a Pen Test Report","slug":"how-to-structure-a-pen-test-report","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270933"}}]},"hasRelatedBookFromSearch":false,"relatedBook":{"bookId":290632,"slug":"security-awareness-for-dummies","isbn":"9781119720928","categoryList":["technology","cybersecurity"],"amazon":{"default":"https://www.amazon.com/gp/product/1119720923/ref=as_li_tl?ie=UTF8&tag=wiley01-20","ca":"https://www.amazon.ca/gp/product/1119720923/ref=as_li_tl?ie=UTF8&tag=wiley01-20","indigo_ca":"http://www.tkqlhce.com/click-9208661-13710633?url=https://www.chapters.indigo.ca/en-ca/books/product/1119720923-item.html&cjsku=978111945484","gb":"https://www.amazon.co.uk/gp/product/1119720923/ref=as_li_tl?ie=UTF8&tag=wiley01-20","de":"https://www.amazon.de/gp/product/1119720923/ref=as_li_tl?ie=UTF8&tag=wiley01-20"},"image":{"src":"https://www.dummies.com/wp-content/uploads/9781119720928-203x255.jpg","width":203,"height":255},"title":"Security Awareness For Dummies","testBankPinActivationLink":"","bookOutOfPrint":true,"authorsInfo":"\n <p><b data-author-id=\"34698\">Ira Winkler</b> is president of Secure Mentem and is considered one of the world's most influential security professionals. He often assists organizations in developing cost-effective security programs. 
Winkler also won the Hall of Fame award from the Information Systems Security Association, as well as several other prestigious industry awards. Most recently, CSO Magazine named Winkler a CSO Compass Award winner as The Awareness Crusader. He is also a columnist for DarkReading and ComputerWorld, and he writes for several other industry publications.</p>","authors":[{"authorId":34698,"name":"Ira Winkler","slug":"ira-winkler","description":"Ira Winkler is president of Secure Mentem and is considered one of the world's most influential security professionals. He often assists organizations in developing cost-effective security programs. Winkler also won the Hall of Fame award from the Information Systems Security Association, as well as several other prestigious industry awards. Most recently, CSO Magazine named Winkler a CSO Compass Award winner as The Awareness Crusader. He is also a columnist for DarkReading and ComputerWorld, and he writes for several other industry publications. ","_links":{"self":"https://dummies-api.dummies.com/v2/authors/34698"}}],"_links":{"self":"https://dummies-api.dummies.com/v2/books/"}},"collections":[],"articleAds":{"footerAd":"<div class=\"du-ad-region row\" id=\"article_page_adhesion_ad\"><div class=\"du-ad-unit col-md-12\" data-slot-id=\"article_page_adhesion_ad\" data-refreshed=\"false\" \r\n data-target = \"[{&quot;key&quot;:&quot;cat&quot;,&quot;values&quot;:[&quot;technology&quot;,&quot;cybersecurity&quot;]},{&quot;key&quot;:&quot;isbn&quot;,&quot;values&quot;:[&quot;9781119720928&quot;]}]\" id=\"du-slot-622f82e5b67de\"></div></div>","rightAd":"<div class=\"du-ad-region row\" id=\"article_page_right_ad\"><div class=\"du-ad-unit col-md-12\" data-slot-id=\"article_page_right_ad\" data-refreshed=\"false\" \r\n data-target = \"[{&quot;key&quot;:&quot;cat&quot;,&quot;values&quot;:[&quot;technology&quot;,&quot;cybersecurity&quot;]},{&quot;key&quot;:&quot;isbn&quot;,&quot;values&quot;:[&quot;9781119720928&quot;]}]\" 
id=\"du-slot-622f82e5b6edf\"></div></div>"},"articleType":{"articleType":"Cheat Sheet","articleList":[{"articleId":0,"title":"","slug":null,"categoryList":[],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/"}}],"content":[{"title":"Tips for creating effective security awareness programs","thumb":null,"image":null,"content":"<p>The following tips are essential to creating an effective security awareness program:</p>\n<ul>\n<li><strong>Remember that awareness is a cybersecurity function.</strong> The purpose of a security awareness program is to reduce risk by modifying user behaviors. Risk reduction through awareness is just one part of a comprehensive cybersecurity program.</li>\n<li><strong>Avoid claims of perfection and platitudes.</strong> Never claim that you’re creating the human firewall or other forms of perfection. No security countermeasure has delivered perfection, and claims to that effect ruin your credibility — especially when the inevitable happens. You are simply reducing risk.</li>\n<li><strong>Deserve more.</strong> Prove that you’re providing a return on investment and reducing losses while enabling capabilities. You prove the worth of an awareness program by collecting and reporting metrics.</li>\n<li><strong>Consider subcultures.</strong> Many awareness programs are created as a monolith — a single program for everyone. Different parts of your organization, such as people from different demographics, might need different communications tools. 
You determine this need by knowing whether parts of your organization have different communication styles and different business interests.</li>\n</ul>\n"},{"title":"Basic components of a security awareness program","thumb":null,"image":null,"content":"<p>A security awareness program has three basic components:</p>\n<ul>\n<li><strong>Topics</strong> are the specific awareness issues you’re trying to improve — for example, phishing, physical security, and password security.</li>\n<li><strong>Communications tools</strong> are how you deliver messages — for example, posters, phishing simulations, newsletters, and security ambassador programs.</li>\n<li><strong>Metrics</strong> are tools to determine whether and where the awareness program is having success, and they can come in many forms, such as the number of incidents experienced, attendance at events, likeability measures, or phishing messages reported.</li>\n</ul>\n"},{"title":"Metrics that show what's working, and what isn't","thumb":null,"image":null,"content":"<p>Metrics are critical for showing the success of an awareness program, especially when competing for funding and resources. In a mature program, metrics are used to constantly tune a program by showing what’s working and what isn’t.</p>\n<p>Metrics come in these four categories, each one with a different purpose and value:</p>\n<ul>\n<li><strong>Likeability metrics:</strong> Fundamentally, this metric measures how much users like your content. To collect likeability metrics, survey users about how much they like the materials you produce.</li>\n<li><strong>Engagement metrics:</strong> This metric shows how users consume the data provided in a program. How many read the newsletters? How many show up at events? How many complete the required or recommended training?</li>\n<li><strong>Behavioral metrics:</strong> This metric demonstrates actual changes of behaviors and the success of awareness efforts. 
To collect this metric, measure specific behaviors and track improvement over time. How many users report phishing messages? What is the percentage of secured desks at the end of the day? What is the number of links blocked on web content filters?</li>\n<li><strong>Return on investment (ROI):</strong> ROI metrics are the most valuable. These metrics assign a financial value to the savings of improved behaviors. For example, if improved awareness reduced phishing incidents by 10 percent, what is the cost savings for the response and recovery? If improved awareness reduces lost computers and USB drives, what are the savings from the reduced losses?</li>\n</ul>\n"},{"title":"Gamification to reward effective behavior","thumb":null,"image":null,"content":"<p><em>Gamification</em> is a reward system that rewards people for practicing desired behaviors. Frequent flier programs and other loyalty programs are examples of gamification. People buy from an organization and receive rewards for it. This encourages the behaviors.</p>\n<p>Get more from your awareness program by incorporating gamification to reward positive security-related behaviors.</p>\n"},{"title":"Security ambassadors to promote awareness efforts","thumb":null,"image":null,"content":"<p><em>Security ambassadors,</em> frequently called <em>security champions,</em> are other employees who work in parts of the company and serve as representatives for the awareness program and support awareness efforts locally. 
They can organize events, spread awareness program messages, answer questions, and otherwise serve as an extension of the awareness team.</p>\n<p>Security ambassadors can be quite valuable for a security awareness program, so invest first in identifying the right people to fill the role and then training them and providing the appropriate resources to support and communicate with them.</p>\n"},{"title":"Quarterly awareness programs that reinforce knowledge","thumb":null,"image":null,"content":"<p>Most awareness programs have an annual schedule, where an awareness manager generally plans for the year and features one topic per month over the course of the year. This straightforward strategy allows for more than sufficient planning. Instead, plan three months at a time.</p>\n<p>Also, as opposed to focusing one topic per month, distribute information about three topics throughout the three-month period. This serves to reinforce the topics for an extended period. Shorter plans also allow for more versatility, such as updating the topics and tools used.</p>\n"}],"videoInfo":{"videoId":null,"name":null,"accountId":null,"playerId":null,"thumbnailUrl":null,"description":null,"uploadDate":null}},"sponsorship":{"sponsorshipPage":false,"backgroundImage":{"src":null,"width":0,"height":0},"brandingLine":"","brandingLink":"","brandingLogo":{"src":null,"width":0,"height":0}},"primaryLearningPath":"Advance","lifeExpectancy":"One 
year","lifeExpectancySetFrom":"2022-03-14T00:00:00+00:00","dummiesForKids":"no","sponsoredContent":"no","adInfo":"","adPairKey":[]},"status":"publish","visibility":"public","articleId":291466},{"headers":{"creationTime":"2020-04-07T19:45:07+00:00","modifiedTime":"2022-03-01T21:36:53+00:00","timestamp":"2022-03-02T00:01:04+00:00"},"data":{"breadcrumbs":[{"name":"Technology","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33512"},"slug":"technology","categoryId":33512},{"name":"Cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"},"slug":"cybersecurity","categoryId":33537}],"title":"Penetration Testing For Dummies Cheat Sheet","strippedTitle":"penetration testing for dummies cheat sheet","slug":"penetration-testing-for-dummies-cheat-sheet","canonicalUrl":"","seo":{"metaDescription":"Are you sure you're secure? Learn about basic penetration testing terminology, common pen testing tools, and sought-after certifications.","noIndex":0,"noFollow":0},"content":"Penetration (pen) testing is used by many organizations to ensure that the security controls they put in place actually work. Pen testing and security are complicated topics and can be intimidating. This cheat sheet covers basic pen testing terminology you need to know, the most commonly used pen testing tools, and a list of commonly sought-after certifications in the field of pen testing.\r\n\r\n[caption id=\"attachment_269927\" align=\"alignnone\" width=\"556\"]<img class=\"size-full wp-image-269927\" src=\"https://www.dummies.com/wp-content/uploads/penetration-testing.jpg\" alt=\"penetration testing concept\" width=\"556\" height=\"371\" /> © Den Rise/Shutterstock.com[/caption]\r\n\r\n ","description":"Penetration (pen) testing is used by many organizations to ensure that the security controls they put in place actually work. Pen testing and security are complicated topics and can be intimidating. 
This cheat sheet covers basic pen testing terminology you need to know, the most commonly used pen testing tools, and a list of commonly sought-after certifications in the field of pen testing.\r\n\r\n[caption id=\"attachment_269927\" align=\"alignnone\" width=\"556\"]<img class=\"size-full wp-image-269927\" src=\"https://www.dummies.com/wp-content/uploads/penetration-testing.jpg\" alt=\"penetration testing concept\" width=\"556\" height=\"371\" /> © Den Rise/Shutterstock.com[/caption]\r\n\r\n ","blurb":"","authors":[{"authorId":33354,"name":"Robert Shimonski","slug":"robert-shimonski","description":"Robert Shimonski is an ethical hacker and a professional IT leader who has led numerous efforts to design, strategize, and implement enterprise solutions that must remain secure. Rob has been involved in security and technology operations for more than 25 years and has written his books from the trenches of experience. ","_links":{"self":"https://dummies-api.dummies.com/v2/authors/33354"}}],"primaryCategoryTaxonomy":{"categoryId":33537,"title":"Cybersecurity","slug":"cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"}},"secondaryCategoryTaxonomy":{"categoryId":0,"title":null,"slug":null,"_links":null},"tertiaryCategoryTaxonomy":{"categoryId":0,"title":null,"slug":null,"_links":null},"trendingArticles":null,"inThisArticle":[],"relatedArticles":{"fromBook":[{"articleId":270968,"title":"How to Perform a Penetration Test","slug":"how-to-perform-a-penetration-test","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270968"}},{"articleId":270960,"title":"Penetration Testing with Burp Suite and Wireshark to Uncover Vulnerabilities","slug":"penetration-testing-with-burp-suite-and-wireshark-to-uncover-vulnerabilities","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270960"}},{"articleId":270942,"title":"Building a Penetration 
Testing Toolkit: Considerations and Popular Pen Test Tools","slug":"building-a-penetration-testing-toolkit-considerations-and-popular-pen-test-tools","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270942"}},{"articleId":270933,"title":"How to Structure a Pen Test Report","slug":"how-to-structure-a-pen-test-report","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270933"}},{"articleId":270923,"title":"Top 10 Myths About Pen Testing","slug":"top-10-myths-about-pen-testing","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270923"}}],"fromCategory":[{"articleId":290240,"title":"Cloud Security For Dummies Cheat Sheet","slug":"cloud-security-for-dummies-cheat-sheet","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/290240"}},{"articleId":270968,"title":"How to Perform a Penetration Test","slug":"how-to-perform-a-penetration-test","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270968"}},{"articleId":270960,"title":"Penetration Testing with Burp Suite and Wireshark to Uncover Vulnerabilities","slug":"penetration-testing-with-burp-suite-and-wireshark-to-uncover-vulnerabilities","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270960"}},{"articleId":270942,"title":"Building a Penetration Testing Toolkit: Considerations and Popular Pen Test Tools","slug":"building-a-penetration-testing-toolkit-considerations-and-popular-pen-test-tools","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270942"}},{"articleId":270933,"title":"How to Structure a Pen Test 
Report","slug":"how-to-structure-a-pen-test-report","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270933"}}]},"hasRelatedBookFromSearch":false,"relatedBook":{"bookId":281813,"slug":"penetration-testing-for-dummies","isbn":"9781119577485","categoryList":["technology","cybersecurity"],"amazon":{"default":"https://www.amazon.com/gp/product/1119577489/ref=as_li_tl?ie=UTF8&tag=wiley01-20","ca":"https://www.amazon.ca/gp/product/1119577489/ref=as_li_tl?ie=UTF8&tag=wiley01-20","indigo_ca":"http://www.tkqlhce.com/click-9208661-13710633?url=https://www.chapters.indigo.ca/en-ca/books/product/1119577489-item.html&cjsku=978111945484","gb":"https://www.amazon.co.uk/gp/product/1119577489/ref=as_li_tl?ie=UTF8&tag=wiley01-20","de":"https://www.amazon.de/gp/product/1119577489/ref=as_li_tl?ie=UTF8&tag=wiley01-20"},"image":{"src":"https://www.dummies.com/wp-content/uploads/penetration-testing-for-dummies-cover-9781119577485-203x255.jpg","width":203,"height":255},"title":"Penetration Testing For Dummies","testBankPinActivationLink":"","bookOutOfPrint":true,"authorsInfo":"\n <p><b data-author-id=\"33354\">Robert Shimonski</b> is an ethical hacker and a professional IT leader who has led numerous efforts to design, strategize, and implement enterprise solutions that must remain secure. Rob has been involved in security and technology operations for more than 25 years and has written his books from the trenches of experience.</p>","authors":[{"authorId":33354,"name":"Robert Shimonski","slug":"robert-shimonski","description":"Robert Shimonski is an ethical hacker and a professional IT leader who has led numerous efforts to design, strategize, and implement enterprise solutions that must remain secure. Rob has been involved in security and technology operations for more than 25 years and has written his books from the trenches of experience. 
","_links":{"self":"https://dummies-api.dummies.com/v2/authors/33354"}}],"_links":{"self":"https://dummies-api.dummies.com/v2/books/"}},"collections":[],"articleAds":{"footerAd":"<div class=\"du-ad-region row\" id=\"article_page_adhesion_ad\"><div class=\"du-ad-unit col-md-12\" data-slot-id=\"article_page_adhesion_ad\" data-refreshed=\"false\" \r\n data-target = \"[{&quot;key&quot;:&quot;cat&quot;,&quot;values&quot;:[&quot;technology&quot;,&quot;cybersecurity&quot;]},{&quot;key&quot;:&quot;isbn&quot;,&quot;values&quot;:[&quot;9781119577485&quot;]}]\" id=\"du-slot-621eb3c00e297\"></div></div>","rightAd":"<div class=\"du-ad-region row\" id=\"article_page_right_ad\"><div class=\"du-ad-unit col-md-12\" data-slot-id=\"article_page_right_ad\" data-refreshed=\"false\" \r\n data-target = \"[{&quot;key&quot;:&quot;cat&quot;,&quot;values&quot;:[&quot;technology&quot;,&quot;cybersecurity&quot;]},{&quot;key&quot;:&quot;isbn&quot;,&quot;values&quot;:[&quot;9781119577485&quot;]}]\" id=\"du-slot-621eb3c00e7db\"></div></div>"},"articleType":{"articleType":"Cheat Sheet","articleList":[{"articleId":0,"title":"","slug":null,"categoryList":[],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/"}}],"content":[{"title":"Penetration testing terminology","thumb":null,"image":null,"content":"<p>One of the key factors for being successful in pen testing is knowing the important terms that are used day to day in the field. This is a list of well-known terminology:</p>\n<ul>\n<li><strong>Cybercrime:</strong> Conducting a cybercrime is the act of conducting criminal activities such as theft, destruction, and identity theft (for example) using technology such as computer systems and networks. Hackers generally attack systems to exploit them while conducting criminal activity. 
As an ethical hacker, you will legally conduct the same hacking, only ethically, for a company’s betterment and defense, not the contrary.</li>\n<li><strong>Penetration testing: </strong>Penetration (pen) testing is the act of conducting a security exploit against a system ethically and legally to identify a weakness once completed. Pen testing is an entire methodology used to conduct security analysis that attempts to circumvent security applied to a system.</li>\n<li><strong>Vulnerability testing and scanning: </strong>To know what exploits, weaknesses, and vulnerabilities exist, you must conduct a scan of a system, network, or infrastructure to identify them. A vulnerability assessment is the analysis of what is identified when a vulnerability test (or scan) is conducted. Usually the tool(s) used are loaded with current vulnerability definitions that allow the system to more readily find current weaknesses in systems.</li>\n<li><strong>Reconnaissance:</strong> Reconnaissance is the covert act of finding a penetration point. By checking out an attack vector, probing a system, and identifying a possible entry point, you can conduct a pen test to test real-world and real-time situations that may need to be fixed.</li>\n<li><strong>Infiltration and exfiltration:</strong> Infiltration takes place once a penetration has been established. You have successfully found an opening into a secure system, and entering the system (likely undetected) is the beginning of an advanced persistent threat (APT) type of test. The theft and unauthorized transfer of information out of an information system is exfiltration. Conducting both of these measures is part of an advanced or extended portion of the basic penetration test.</li>\n<li><strong>Incident handling and response:</strong> Incident response is the mobilization of a group of security professionals to handle an unauthorized security event on protected systems. 
The incident handling portion is what an incident response team does to protect the chain of evidence and mitigate or neutralize the threat. Pen testing allows for incidents to be found prior to having to respond to them and when they are found, they can be added to a risk register for handling.</li>\n<li><strong>Risk register management: </strong>Risk handling, management, and lowering risk through documentation of known risks in a risk register is part of an overall security program. Pen testing allows for the development of known risks to be identified or allows for known risks to be closed on the register by fixing them and running pen tests to ensure that there is no longer a threat.</li>\n</ul>\n"},{"title":"Commonly used pen testing tools","thumb":null,"image":null,"content":"<p>In the field of pen testing, there are many, many tools you can use. A few are:</p>\n<ul>\n<li><a href=\"http://www.tenable.com/\" target=\"_blank\" rel=\"noopener\">Nessus </a>is the foundation of most pen tester’s toolkits. Its focus is vulnerability scanning and assessment. You can quickly identify weaknesses to exploit in your organization or enterprise. From there, you can choose other functions within Nessus to further test or other tools to pen test and exploit those weaknesses.</li>\n<li><a href=\"http://www.kali.org/\" target=\"_blank\" rel=\"noopener\">Kali Linux</a> is a toolset that’s part of a Debian-based Linux distribution, purpose-made for pen tests, vulnerability scans, and forensics. Although you can download and install the toolset natively to Linux, you can also download the Linux distro into a virtual machine (VM) for ease of use. Kali is a set of tools bundled together by type and organized in a way that allows you to access what you need quickly and effectively. 
Originally called Backtrack (when Offensive Security got their start), this tool has evolved into one of the most used pen test applications of all time.</li>\n<li><a href=\"http://www.wireshark.org/\" target=\"_blank\" rel=\"noopener\">Wireshark</a> is a tool that can look at the data and show an analyst the various communication paths that exist, including those that may not be authorized. The tool is primarily used to capture data from your network so you can analyze it. Wireshark is a tool that requires you to be able to decode information that you capture with it.</li>\n<li><a href=\"https://nmap.org/\" target=\"_blank\" rel=\"noopener\">Nmap</a> is a network mapper or mapping tool that allows you to identify a scope of a network or infrastructure, map it, and then launch a series of exploits against it (or systems on it) as part of a penetration test. You can look at the topology map after you finish mapping the network and it can provide you with places you may want to secure from hackers looking for jump-off points to get around your network and into other areas or secure hosts.</li>\n</ul>\n"},{"title":"Pen testing certifications","thumb":null,"image":null,"content":"<p>Professional organizations and vendors both offer industry standard, generalized and specialized certification programs, as well as those based on specific vendor tools. Some of them mix the two. Here are the most popular among the list with details on how to obtain them:</p>\n<ul>\n<li><strong>CompTIA PenTest+: </strong><a href=\"http://www.comptia.org/\" target=\"_blank\" rel=\"noopener\">CompTIA PenTest+</a> is a multiple choice and hands-on test that tests your ability to conduct a penetration test using tools such as Nmap. It also covers other skills required of penetration testers such as the ability to conduct vulnerability tests as well as how to plan, manage, and conduct a targeted assessment and test. 
According to <a href=\"https://dummies-wp-content.dummies.com/programming/certification/the-2019-comptia-a-exams/\" target=\"_blank\" rel=\"noopener\">CompTIA</a>, the PenTest+ exam also includes management skills used to plan, scope, and manage weaknesses, not just exploit them.</li>\n<li><strong>EC-Council Certified Ethical Hacker (CEH): </strong>The Certified Ethical Hacker (CEH) exam and certification is brought to you by the <a href=\"https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/\" target=\"_blank\" rel=\"noopener\">EC-Council</a> and builds strength and branding around the ethical hacking profession. The test is a vendor neutral exam that covers how to conduct an assessment and find vulnerabilities, conduct exploits or penetration testing of systems, conduct scans to find weaknesses; identify and locate attack vectors; conduct penetrations such as SQL injection, system hacks, packet sniffing and capture, reconnaissance, and cover tracks; use malware for penetration; conduct a variety of web-based attacks such as cross-site scripting, cryptography attacks, and many more.</li>\n<li><strong>SANS GPEN: </strong>The <a href=\"http://www.sans.org/\" target=\"_blank\" rel=\"noopener\">SANS</a> organization’s <a href=\"http://www.giac.org/\" target=\"_blank\" rel=\"noopener\">Global Information Assurance Certification (GIAC)</a> group has a suite of certifications that are very well designed and test your ability to not only know the details of pen testing, but also how to apply it in the real world. The <a href=\"https://www.giac.org/certification/penetration-tester-gpen\" target=\"_blank\" rel=\"noopener\">Global Information Assurance Certification Penetration Tester (GPEN)</a> validates your ability to properly conduct a penetration test, using best practice techniques and methodologies according to GIAC. 
The certified GPEN will be able to show the requisite knowledge required to conduct exploits, engage in reconnaissance, and conduct a detailed pen test project from the ground up.</li>\n<li><strong>Offensive Security Certified Professional (OSCP): </strong>The <a href=\"https://www.offensive-security.com/pwk-oscp/\" target=\"_blank\" rel=\"noopener\">Offensive Security Certified Professional</a> test is highly focused on the Kali Linux distro. Kali and its very deep toolset of ethical hacking tools are the foundation of the OSCP’s fully hands on pen test certification.</li>\n</ul>\n"}],"videoInfo":{"videoId":null,"name":null,"accountId":null,"playerId":null,"thumbnailUrl":null,"description":null,"uploadDate":null}},"sponsorship":{"sponsorshipPage":false,"backgroundImage":{"src":null,"width":0,"height":0},"brandingLine":"","brandingLink":"","brandingLogo":{"src":null,"width":0,"height":0}},"primaryLearningPath":"Advance","lifeExpectancy":"Six months","lifeExpectancySetFrom":"2021-12-14T00:00:00+00:00","dummiesForKids":"no","sponsoredContent":"no","adInfo":"","adPairKey":[]},"status":"publish","visibility":"public","articleId":269926},{"headers":{"creationTime":"2019-09-23T20:43:11+00:00","modifiedTime":"2022-02-24T19:37:02+00:00","timestamp":"2022-02-25T00:01:04+00:00"},"data":{"breadcrumbs":[{"name":"Technology","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33512"},"slug":"technology","categoryId":33512},{"name":"Cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"},"slug":"cybersecurity","categoryId":33537}],"title":"Cybersecurity For Dummies Cheat Sheet","strippedTitle":"cybersecurity for dummies cheat sheet","slug":"cybersecurity-for-dummies-cheat-sheet","canonicalUrl":"","seo":{"metaDescription":"Learn about the common scams that cyber criminals use to target online shoppers and how to cyber-protect yourself and your data.","noIndex":0,"noFollow":0},"content":"<span class=\"TextRun Highlight SCXW223555244 
BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW223555244 BCX0\">Some scams cyber-criminals use to target online shoppers seem to persist for years. This likely indicates that people are continuously falling prey to the scams, thereby encouraging criminals to keep using the same forms of trickery over and over. </span></span>\r\n\r\n<span class=\"TextRun Highlight SCXW223555244 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW223555244 BCX0\">Look here to discover some</span> <span class=\"NormalTextRun SCXW223555244 BCX0\">straightforward tips on how to keep yourself — and your loved ones — safe when using the i</span><span class=\"NormalTextRun SCXW223555244 BCX0\">nternet to shop,</span><span class=\"NormalTextRun SCXW223555244 BCX0\"> as well as how to avoid </span></span><span class=\"TextRun SCXW223555244 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW223555244 BCX0\">common cybersecurity mistakes</span></span><span class=\"TextRun Highlight SCXW223555244 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW223555244 BCX0\">.</span></span><span class=\"EOP SCXW223555244 BCX0\" data-ccp-props=\"{\"201341983\":1,\"335559685\":1022,\"335559739\":220,\"335559740\":220}\"> </span>\r\n\r\n[caption id=\"attachment_264355\" align=\"alignnone\" width=\"535\"]<img class=\"size-full wp-image-264355\" src=\"https://www.dummies.com/wp-content/uploads/cybersecurity-graphic.jpg\" alt=\"cybersecurity graphic\" width=\"535\" height=\"334\" /> © GoodStudio/Shutterstock.com[/caption]","description":"<span class=\"TextRun Highlight SCXW223555244 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW223555244 BCX0\">Some scams cyber-criminals use to target online shoppers seem to persist for years. 
This likely indicates that people are continuously falling prey to the scams, thereby encouraging criminals to keep using the same forms of trickery over and over. </span></span>\r\n\r\n<span class=\"TextRun Highlight SCXW223555244 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW223555244 BCX0\">Look here to discover some</span> <span class=\"NormalTextRun SCXW223555244 BCX0\">straightforward tips on how to keep yourself — and your loved ones — safe when using the i</span><span class=\"NormalTextRun SCXW223555244 BCX0\">nternet to shop,</span><span class=\"NormalTextRun SCXW223555244 BCX0\"> as well as how to avoid </span></span><span class=\"TextRun SCXW223555244 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW223555244 BCX0\">common cybersecurity mistakes</span></span><span class=\"TextRun Highlight SCXW223555244 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW223555244 BCX0\">.</span></span><span class=\"EOP SCXW223555244 BCX0\" data-ccp-props=\"{\"201341983\":1,\"335559685\":1022,\"335559739\":220,\"335559740\":220}\"> </span>\r\n\r\n[caption id=\"attachment_264355\" align=\"alignnone\" width=\"535\"]<img class=\"size-full wp-image-264355\" src=\"https://www.dummies.com/wp-content/uploads/cybersecurity-graphic.jpg\" alt=\"cybersecurity graphic\" width=\"535\" height=\"334\" /> © GoodStudio/Shutterstock.com[/caption]","blurb":"","authors":[{"authorId":33198,"name":"Joseph Steinberg","slug":"joseph-steinberg","description":"Joseph Steinberg is a cybersecurity and emerging technologies advisor with two decades of industry experience. Steinberg is one of only 28 people worldwide to hold the entire suite of advanced information security certifications (CISSP, ISSAP, ISSMP, and CSSLP). He has invented various cybersecurity-related technologies, which are cited in more than 400 U.S. 
patent filings.","_links":{"self":"https://dummies-api.dummies.com/v2/authors/33198"}}],"primaryCategoryTaxonomy":{"categoryId":33537,"title":"Cybersecurity","slug":"cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"}},"secondaryCategoryTaxonomy":{"categoryId":0,"title":null,"slug":null,"_links":null},"tertiaryCategoryTaxonomy":{"categoryId":0,"title":null,"slug":null,"_links":null},"trendingArticles":null,"inThisArticle":[],"relatedArticles":{"fromBook":[{"articleId":266359,"title":"User-Specific Cybersecurity Policies","slug":"user-specific-cybersecurity-policies","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/266359"}},{"articleId":266350,"title":"Types of Social Engineering Attacks","slug":"types-of-social-engineering-attacks","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/266350"}},{"articleId":266345,"title":"Types of Malware Cybersecurity Professionals Should Know","slug":"types-of-malware-cybersecurity-professionals-should-know","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/266345"}},{"articleId":266228,"title":"Getting End Users to Comply with Cybersecurity Efforts in Small Businesses","slug":"getting-end-users-to-comply-with-cybersecurity-efforts-in-small-businesses","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/266228"}},{"articleId":266223,"title":"Cybersecurity Job and Career Options","slug":"cybersecurity-job-and-career-options","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/266223"}}],"fromCategory":[{"articleId":290240,"title":"Cloud Security For Dummies Cheat 
Sheet","slug":"cloud-security-for-dummies-cheat-sheet","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/290240"}},{"articleId":270968,"title":"How to Perform a Penetration Test","slug":"how-to-perform-a-penetration-test","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270968"}},{"articleId":270960,"title":"Penetration Testing with Burp Suite and Wireshark to Uncover Vulnerabilities","slug":"penetration-testing-with-burp-suite-and-wireshark-to-uncover-vulnerabilities","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270960"}},{"articleId":270942,"title":"Building a Penetration Testing Toolkit: Considerations and Popular Pen Test Tools","slug":"building-a-penetration-testing-toolkit-considerations-and-popular-pen-test-tools","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270942"}},{"articleId":270933,"title":"How to Structure a Pen Test 
Report","slug":"how-to-structure-a-pen-test-report","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270933"}}]},"hasRelatedBookFromSearch":false,"relatedBook":{"bookId":281675,"slug":"cybersecurity-for-dummies","isbn":"9781119867180","categoryList":["technology","cybersecurity"],"amazon":{"default":"https://www.amazon.com/gp/product/1119867185/ref=as_li_tl?ie=UTF8&tag=wiley01-20","ca":"https://www.amazon.ca/gp/product/1119867185/ref=as_li_tl?ie=UTF8&tag=wiley01-20","indigo_ca":"http://www.tkqlhce.com/click-9208661-13710633?url=https://www.chapters.indigo.ca/en-ca/books/product/1119867185-item.html&cjsku=978111945484","gb":"https://www.amazon.co.uk/gp/product/1119867185/ref=as_li_tl?ie=UTF8&tag=wiley01-20","de":"https://www.amazon.de/gp/product/1119867185/ref=as_li_tl?ie=UTF8&tag=wiley01-20"},"image":{"src":"https://www.dummies.com/wp-content/uploads/9781119867180-203x255.jpg","width":203,"height":255},"title":"Cybersecurity For Dummies, 2nd Edition","testBankPinActivationLink":"","bookOutOfPrint":true,"authorsInfo":"\n <p><b data-author-id=\"33198\">Joseph Steinberg</b> is a cybersecurity and emerging technologies advisor with two decades of industry experience. Steinberg is one of only 28 people worldwide to hold the entire suite of advanced information security certifications (CISSP, ISSAP, ISSMP, and CSSLP). He has invented various cybersecurity-related technologies, which are cited in more than 400 U.S. patent filings.</p>","authors":[{"authorId":33198,"name":"Joseph Steinberg","slug":"joseph-steinberg","description":"Joseph Steinberg is a cybersecurity and emerging technologies advisor with two decades of industry experience. Steinberg is one of only 28 people worldwide to hold the entire suite of advanced information security certifications (CISSP, ISSAP, ISSMP, and CSSLP). He has invented various cybersecurity-related technologies, which are cited in more than 400 U.S. 
patent filings.","_links":{"self":"https://dummies-api.dummies.com/v2/authors/33198"}}],"_links":{"self":"https://dummies-api.dummies.com/v2/books/"}},"collections":[],"articleAds":{"footerAd":"<div class=\"du-ad-region row\" id=\"article_page_adhesion_ad\"><div class=\"du-ad-unit col-md-12\" data-slot-id=\"article_page_adhesion_ad\" data-refreshed=\"false\" \r\n data-target = \"[{&quot;key&quot;:&quot;cat&quot;,&quot;values&quot;:[&quot;technology&quot;,&quot;cybersecurity&quot;]},{&quot;key&quot;:&quot;isbn&quot;,&quot;values&quot;:[&quot;9781119867180&quot;]}]\" id=\"du-slot-62181c4030341\"></div></div>","rightAd":"<div class=\"du-ad-region row\" id=\"article_page_right_ad\"><div class=\"du-ad-unit col-md-12\" data-slot-id=\"article_page_right_ad\" data-refreshed=\"false\" \r\n data-target = \"[{&quot;key&quot;:&quot;cat&quot;,&quot;values&quot;:[&quot;technology&quot;,&quot;cybersecurity&quot;]},{&quot;key&quot;:&quot;isbn&quot;,&quot;values&quot;:[&quot;9781119867180&quot;]}]\" id=\"du-slot-62181c4030cf4\"></div></div>"},"articleType":{"articleType":"Cheat Sheet","articleList":[{"articleId":264345,"title":"Cyber-Protect Yourself and Your Family on the Internet","slug":"","categoryList":[],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/264345"}},{"articleId":264348,"title":"Avoid Common Cybersecurity Mistakes","slug":"","categoryList":[],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/264348"}},{"articleId":264351,"title":"Common Cyber Scams Targeting Online Shoppers","slug":"","categoryList":[],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/264351"}}],"content":[{"title":"Cyber-protect yourself and your family on the internet","thumb":null,"image":null,"content":"<p><span data-contrast=\"auto\">To cyber-protect yourself and your family, make sure everyone in your family knows that they are a target. 
People who believe that hackers want to breach their computers and phones and that cyber criminals want to steal their data act differently than people who do not understand the true nature of the threat.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1022,&quot;335559739&quot;:220,&quot;335559740&quot;:220}\"> </span></p>\n<p><span data-contrast=\"auto\">The following tips help you protect your data and keep yourself and your family safe from Internet scams:</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1022,&quot;335559739&quot;:220,&quot;335559740&quot;:220}\"> </span></p>\n<ul>\n<li><b><span data-contrast=\"auto\">Protect your devices.</span></b><span data-contrast=\"auto\"> At a minimum, run security software on every device you use to access sensitive information. Configure your devices to auto-lock, and to require a strong password to unlock them. Don’t leave your devices in insecure locations, and install software only from reputable sources, such as official app stores and official vendor and reseller websites.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1440,&quot;335559739&quot;:110,&quot;335559740&quot;:220,&quot;335559991&quot;:1440,&quot;469777462&quot;:[1340,1440],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[4,1]}\"> </span></li>\n<li><b><span data-contrast=\"auto\">Protect data.</span></b><span data-contrast=\"auto\"> Encrypt all sensitive data and back up often. If you’re unsure as to whether something should be encrypted, it probably should be. 
If you’re unsure whether you back up frequently enough, you, like most people, probably do not.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1440,&quot;335559739&quot;:110,&quot;335559740&quot;:220,&quot;335559991&quot;:1440,&quot;469777462&quot;:[1340,1440],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[4,1]}\"> </span></li>\n<li><b><span data-contrast=\"auto\">Use safe connections.</span></b><span data-contrast=\"auto\"> Never access sensitive information over free public Wi-Fi, and consider avoiding such Internet access altogether, especially from any device on which you perform sensitive activities or access sensitive information. The connection provided by your cellular service is likely far more secure than any public Wi-Fi, and such connections can usually be shared by multiple devices if you turn on your phone’s “mobile hotspot” feature.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1440,&quot;335559739&quot;:110,&quot;335559740&quot;:220,&quot;335559991&quot;:1440,&quot;469777462&quot;:[1340,1440],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[4,1]}\"> </span></li>\n<li><b><span data-contrast=\"auto\">Use proper authentication and passwords.</span></b><span data-contrast=\"auto\"> Every person accessing an important system should have their own login credentials. Do not share passwords for online banking, email, social media, and so on with your children or significant other. Get everyone their own login. Make sure you use strong, unique passwords for your most sensitive systems.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1440,&quot;335559739&quot;:110,&quot;335559740&quot;:220,&quot;335559991&quot;:1440,&quot;469777462&quot;:[1340,1440],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[4,1]}\"> </span></li>\n<li><b><span data-contrast=\"auto\">Share wisely. 
</span></b><span data-contrast=\"auto\">Do not overshare information on social media or using any other platforms. Crooks look for such data and use it to social engineer people. Oversharing exposes yourself and your loved ones to increased risks of being targeted by scammers or of having your identities stolen.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1440,&quot;335559739&quot;:220,&quot;335559740&quot;:220,&quot;335559991&quot;:1440,&quot;469777462&quot;:[1340,1440],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[4,1]}\"> </span></li>\n</ul>\n"},{"title":"Avoid common cybersecurity mistakes","thumb":null,"image":null,"content":"<p><span data-contrast=\"auto\">Here are some of the common cybersecurity mistakes people make. These mistakes make hacking easier than it should be, and therefore, also help criminals commit cybercrimes.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1022,&quot;335559739&quot;:220,&quot;335559740&quot;:220}\"> </span></p>\n<ul>\n<li><b><span data-contrast=\"auto\">Thinking it cannot happen to you:</span></b><span data-contrast=\"auto\"> Every person, business, organization, and government entity is a potential target for hackers. 
People who think they do not have anything of value and “why would hackers want to attack me?” often act without proper diligence and learn quite quickly how wrong their perspective is.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1440,&quot;335559739&quot;:110,&quot;335559740&quot;:220,&quot;335559991&quot;:1440,&quot;469777462&quot;:[1340,1440],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[4,1]}\"> </span></li>\n<li><b><span data-contrast=\"auto\">Using weak passwords:</span></b><span data-contrast=\"auto\"> Despite ubiquitous warnings not to do so, a large number of people still use </span><a href=\"https://www.dummies.com/article/technology/cybersecurity/4-ways-hackers-crack-passwords-256039\" target=\"_blank\" rel=\"noopener\"><span data-contrast=\"auto\">weak passwords</span></a><span data-contrast=\"auto\">, such as “123456” or “password” — as evidenced by the lists of compromised passwords publicized on the Internet after various breaches. If you use  the same password on a sensitive site that you used elsewhere, or use another form of weak password on a sensitive site, you dramatically increase the risk to yourself of an account being compromised.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1440,&quot;335559739&quot;:110,&quot;335559740&quot;:220,&quot;335559991&quot;:1440,&quot;469777462&quot;:[1340,1440],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[4,1]}\"> </span></li>\n<li><b><span data-contrast=\"auto\">Not using multifactor authentication when it is available:</span></b><span data-contrast=\"auto\"> All major social media platforms, Google, Amazon, and most major financial institutions offer some form of multifactor authentication capabilities. 
Multifactor authentication can, in the case of a password compromise, make all the difference between an account being breached and it remaining secure — yet, even today, many people still refuse to take advantage of the security benefits provided by multifactor authentication even when the features are offered for free.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1440,&quot;335559739&quot;:110,&quot;335559740&quot;:220,&quot;335559991&quot;:1440,&quot;469777462&quot;:[1340,1440],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[4,1]}\"> </span></li>\n<li><b><span data-contrast=\"auto\">Not running proper security software:</span></b><span data-contrast=\"auto\"> Modern security software dramatically increases the odds of a person fending off a whole slew of potential cybersecurity problems, including malware, breaches, spam overloads, and others. Yet, many people still do not run such software on each and every one of their computers (including laptops, tablets, and smartphones), while others run software but fail to keep it up to date, thereby undermining the potency of their product to protect against the latest (and, often, the most dangerous) threats.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1440,&quot;335559739&quot;:110,&quot;335559740&quot;:220,&quot;335559991&quot;:1440,&quot;469777462&quot;:[1340,1440],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[4,1]}\"> </span></li>\n<li><b><span data-contrast=\"auto\">Not keeping software up to date:</span></b><span data-contrast=\"auto\"> Many operating system and software updates contain fixes for security vulnerabilities discovered by researchers (or hackers) in prior releases. If you do not keep your software up to date, you’re likely to leave your devices vulnerable to attack. 
Worse yet, once a vendor publicly describes a vulnerability that it has fixed, criminals often work from the patch itself to build exploit scripts that scan for, and target, unpatched machines.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1440,&quot;335559739&quot;:110,&quot;335559740&quot;:220,&quot;335559991&quot;:1440,&quot;469777462&quot;:[1340,1440],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[4,1]}\"> </span></li>\n<li><b><span data-contrast=\"auto\">Failing to exercise good judgment:</span></b><span data-contrast=\"auto\"> The weakest link in the cybersecurity chain is almost always a human being. Whether it be by clicking a link that should not have been clicked, sending money to a fraudster who sent a bogus email impersonating one’s boss, installing a rogue app, downloading a pirated copy of a movie, or through some other imprudent action, human error often opens a cyber can of worms, and provides criminals with the ability to inflict far more harm than they would have been able to on their own.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1440,&quot;335559739&quot;:110,&quot;335559740&quot;:220,&quot;335559991&quot;:1440,&quot;469777462&quot;:[1340,1440],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[4,1]}\"> </span></li>\n<li><b><span data-contrast=\"auto\">Not learning the basics:</span></b><span data-contrast=\"auto\"> People who suffer from a medical condition, or whose loved ones do, typically learn about the condition to ensure that proper treatment is administered and that unnecessary danger does not result. 
When it comes to cybersecurity, however, many folks choose to remain ignorant, thinking that, somehow, if they pretend that there is no danger to them, such will be the reality.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1440,&quot;335559739&quot;:110,&quot;335559740&quot;:220,&quot;335559991&quot;:1440,&quot;469777462&quot;:[1340,1440],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[4,1]}\"> </span></li>\n<li><b><span data-contrast=\"auto\">Not hiring a pro:</span></b><span data-contrast=\"auto\"> When serious cybersecurity incidents occur, people (often individuals or small business owners) often try to address them on their own. Doing so is not much different than trying to treat a serious medical condition without going to the doctor or defending yourself in criminal court without a lawyer. Hackers, malware designers, and other cybercriminals are skilled and arm themselves with significant knowledge. If you’re locked in a de facto battle against them, you want a pro on your side, too.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1440,&quot;335559739&quot;:220,&quot;335559740&quot;:220,&quot;335559991&quot;:1440,&quot;469777462&quot;:[1340,1440],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[4,1]}\"> </span></li>\n</ul>\n"},{"title":"Common cyber scams targeting online shoppers","thumb":null,"image":null,"content":"<p><span data-contrast=\"auto\">Cyber-criminals use some common scams to target online shoppers, but you can protect yourself from internet scams easily.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1022,&quot;335559739&quot;:220,&quot;335559740&quot;:220}\"> </span></p>\n<p>One simple technique: If you ever receive any communication from a retailer, shipper, or any other party related to an online shopping order, an amazing deal, or other matter that you want to look into, do not click links in the message or open associated attachments. 
Open a web browser, go to the website of the relevant “sender,” locate its contact information, and contact it directly to ask about the message you received.</p>\n<p>The following are common cyber scams that target online shoppers:</p>\n<ul>\n<li><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1022,&quot;335559739&quot;:220,&quot;335559740&quot;:220}\"> </span><b><span data-contrast=\"auto\">“There are problems with your order” emails (or text messages):</span></b><span data-contrast=\"auto\"> Criminals often send mass emails that appear to come from an online retailer and that inform recipients that a problem is preventing the store from shipping the order and that the recipient must take action to receive the order. Such emails often contain a link to a bogus website that collects, at a minimum, login information, such as usernames and passwords, for the retailer’s website.<br />\nSuch scam emails aren’t normally targeted — they simply impersonate major retailers. 
Criminals rely on the fact that a large number of people who receive such an email message are likely to have placed an order with the impersonated retailer in the not-so-distant past.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1440,&quot;335559739&quot;:110,&quot;335559740&quot;:220,&quot;335559991&quot;:1440,&quot;469777462&quot;:[1340,1440],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[4,1]}\"> </span></li>\n<li><b><span data-contrast=\"auto\">“There are problems with your payment method” emails (or text messages):</span></b><span data-contrast=\"auto\"> Similar to the preceding scam, criminals send mass emails (or text messages) that appear to come from an online retailer and that inform recipients that a problem occurred with the payment method used to pay for an order — with instructions that the recipient submit new payment information via some web page.<br />\nRecipients who had, in fact, recently placed orders, are likely to be caught off-guard, and some will likely click through. 
Of course, the page that collects that new payment information — sometimes along with login credentials to the retailer’s site — is simply a tool for stealing credit and debit card numbers, along with potentially other data as well.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1440,&quot;335559739&quot;:110,&quot;335559740&quot;:220,&quot;335559991&quot;:1440,&quot;469777462&quot;:[1340,1440],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[4,1]}\"> </span></li>\n<li><b><span data-contrast=\"auto\">Delivery-service problem emails: </span></b><span data-contrast=\"auto\">Criminals send emails that appear to come from a major delivery service and that inform the recipients that an issue of some sort occurred with a delivery, and that the recipient must take action to have delivery reattempted.<br />\nOf course, these messages either deliver malware via attachments or direct users to phishing or malware-spreading websites; they certainly do not help people get any items delivered.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1440,&quot;335559739&quot;:110,&quot;335559740&quot;:220,&quot;335559991&quot;:1440,&quot;469777462&quot;:[1340,1440],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[4,1]}\"> </span></li>\n<li><b><span data-contrast=\"auto\">Bogus deal emails, social media posts, or web links: </span></b><span data-contrast=\"auto\">Criminals frequently either send via email or post to social media or deal websites all sorts of “amazing” offers, which often seem too good to be true. A 5-inch Samsung OLED television for $100?! A brand new 13-inch Mac laptop for $200?! While some such deals may be legitimate — and, if they are advertised by a major reseller, you can check on the website of the relevant seller to determine that — the overwhelming majority are not.<br />\nIf the seller is a major reseller and the deal is not legit, the email may link to a bogus site or be spreading malware. 
If the seller is a firm that you have never heard of, the whole store may be a scam — collecting payments, for example, and never shipping the goods for which the payments were made, shipping defective goods, or shipping stolen goods.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1440,&quot;335559739&quot;:110,&quot;335559740&quot;:220,&quot;335559991&quot;:1440,&quot;469777462&quot;:[1340,1440],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[4,1]}\"> </span></li>\n<li><b><span data-contrast=\"auto\">Fake invoice emails:</span></b><span data-contrast=\"auto\"> Criminals send what appear to be invoices from online stores for purchases costing significant amounts and note the sale amounts were charged to the recipients’ credit cards.<br />\nThese “invoices” scare people into thinking that they somehow unintentionally placed an order, were charged more than they expected for some item, or were somehow defrauded by someone using their credit card number. This can lead the recipients to contact the seller by clicking links that the sender, of course, conveniently included within the invoice message.<br />\nThese links, however, bring the user to a site that either captures information, installs malware, or both. 
Sometimes the invoices that are sent via email are included as attachments and, you guessed it, contain malware.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1440,&quot;335559739&quot;:220,&quot;335559740&quot;:220,&quot;335559991&quot;:1440,&quot;469777462&quot;:[1340,1440],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[4,1]}\"> </span></li>\n</ul>\n"}],"videoInfo":{"videoId":null,"name":null,"accountId":null,"playerId":null,"thumbnailUrl":null,"description":null,"uploadDate":null}},"sponsorship":{"sponsorshipPage":false,"backgroundImage":{"src":null,"width":0,"height":0},"brandingLine":"","brandingLink":"","brandingLogo":{"src":null,"width":0,"height":0}},"primaryLearningPath":"Solve","lifeExpectancy":"Six months","lifeExpectancySetFrom":"2021-12-06T00:00:00+00:00","dummiesForKids":"no","sponsoredContent":"no","adInfo":"","adPairKey":[]},"status":"publish","visibility":"public","articleId":264354},{"headers":{"creationTime":"2016-03-27T16:46:48+00:00","modifiedTime":"2022-02-24T18:48:58+00:00","timestamp":"2022-02-25T00:01:03+00:00"},"data":{"breadcrumbs":[{"name":"Technology","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33512"},"slug":"technology","categoryId":33512},{"name":"Cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"},"slug":"cybersecurity","categoryId":33537}],"title":"Hacking For Dummies Cheat Sheet","strippedTitle":"hacking for dummies cheat sheet","slug":"hacking-for-dummies-cheat-sheet","canonicalUrl":"","seo":{"metaDescription":"","noIndex":0,"noFollow":0},"content":"Not all hacking is bad. It reveals security weaknesses or flaws in your computing setups. This Cheat Sheet provides you with quick references to tools and tips and alerts you to commonly hacked targets — information you need to make your security testing efforts easier.","description":"Not all hacking is bad. It reveals security weaknesses or flaws in your computing setups. 
This Cheat Sheet provides you with quick references to tools and tips and alerts you to commonly hacked targets — information you need to make your security testing efforts easier.","blurb":"","authors":[{"authorId":8984,"name":"Kevin Beaver","slug":"kevin-beaver","description":"Kevin Beaver is an independent information security consultant with more than three decades of experience. Beaver specializes in performing vulnerability and penetration testing and security consulting work for Fortune 1000 corporations, product vendors, independent software developers, universities, and government organizations. He has appeared on CNN and been quoted in The Wall Street Journal.","_links":{"self":"https://dummies-api.dummies.com/v2/authors/8984"}}],"primaryCategoryTaxonomy":{"categoryId":33537,"title":"Cybersecurity","slug":"cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"}},"secondaryCategoryTaxonomy":{"categoryId":0,"title":null,"slug":null,"_links":null},"tertiaryCategoryTaxonomy":{"categoryId":0,"title":null,"slug":null,"_links":null},"trendingArticles":null,"inThisArticle":[],"relatedArticles":{"fromBook":[{"articleId":256048,"title":"Validate Data to Prevent Web Attacks: Input Hacks","slug":"validate-data-to-prevent-web-attacks-input-hacks","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/256048"}},{"articleId":256044,"title":"Best Practices for Minimizing Hacking of Email Systems","slug":"best-practices-for-minimizing-hacking-of-email-systems","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/256044"}},{"articleId":256039,"title":"4 Ways Hackers Crack Passwords","slug":"4-ways-hackers-crack-passwords","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/256039"}},{"articleId":255983,"title":"Ethical Hacking: Improving Cybersecurity in Your 
Databases","slug":"ethical-hacking-improving-cybersecurity-in-your-databases","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/255983"}},{"articleId":255968,"title":"The Dangers of Social Engineering","slug":"the-dangers-of-social-engineering","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/255968"}}],"fromCategory":[{"articleId":290240,"title":"Cloud Security For Dummies Cheat Sheet","slug":"cloud-security-for-dummies-cheat-sheet","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/290240"}},{"articleId":270968,"title":"How to Perform a Penetration Test","slug":"how-to-perform-a-penetration-test","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270968"}},{"articleId":270960,"title":"Penetration Testing with Burp Suite and Wireshark to Uncover Vulnerabilities","slug":"penetration-testing-with-burp-suite-and-wireshark-to-uncover-vulnerabilities","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270960"}},{"articleId":270942,"title":"Building a Penetration Testing Toolkit: Considerations and Popular Pen Test Tools","slug":"building-a-penetration-testing-toolkit-considerations-and-popular-pen-test-tools","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270942"}},{"articleId":270933,"title":"How to Structure a Pen Test 
Report","slug":"how-to-structure-a-pen-test-report","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270933"}}]},"hasRelatedBookFromSearch":false,"relatedBook":{"bookId":281732,"slug":"hacking-for-dummies","isbn":"9781119872191","categoryList":["technology","cybersecurity"],"amazon":{"default":"https://www.amazon.com/gp/product/1119872197/ref=as_li_tl?ie=UTF8&tag=wiley01-20","ca":"https://www.amazon.ca/gp/product/1119872197/ref=as_li_tl?ie=UTF8&tag=wiley01-20","indigo_ca":"http://www.tkqlhce.com/click-9208661-13710633?url=https://www.chapters.indigo.ca/en-ca/books/product/1119872197-item.html&cjsku=978111945484","gb":"https://www.amazon.co.uk/gp/product/1119872197/ref=as_li_tl?ie=UTF8&tag=wiley01-20","de":"https://www.amazon.de/gp/product/1119872197/ref=as_li_tl?ie=UTF8&tag=wiley01-20"},"image":{"src":"https://www.dummies.com/wp-content/uploads/9781119872191-203x255.jpg","width":203,"height":255},"title":"Hacking For Dummies, 7th Edition","testBankPinActivationLink":"","bookOutOfPrint":true,"authorsInfo":"\n <p><b data-author-id=\"8984\">Kevin Beaver</b> is an independent information security consultant with more than three decades of experience. Beaver specializes in performing vulnerability and penetration testing and security consulting work for Fortune 1000 corporations, product vendors, independent software developers, universities, and government organizations. He has appeared on CNN and been quoted in The Wall Street Journal.</p>","authors":[{"authorId":8984,"name":"Kevin Beaver","slug":"kevin-beaver","description":"Kevin Beaver is an independent information security consultant with more than three decades of experience. Beaver specializes in performing vulnerability and penetration testing and security consulting work for Fortune 1000 corporations, product vendors, independent software developers, universities, and government organizations. 
He has appeared on CNN and been quoted in The Wall Street Journal.","_links":{"self":"https://dummies-api.dummies.com/v2/authors/8984"}}],"_links":{"self":"https://dummies-api.dummies.com/v2/books/"}},"collections":[],"articleAds":{"footerAd":"<div class=\"du-ad-region row\" id=\"article_page_adhesion_ad\"><div class=\"du-ad-unit col-md-12\" data-slot-id=\"article_page_adhesion_ad\" data-refreshed=\"false\" \r\n data-target = \"[{&quot;key&quot;:&quot;cat&quot;,&quot;values&quot;:[&quot;technology&quot;,&quot;cybersecurity&quot;]},{&quot;key&quot;:&quot;isbn&quot;,&quot;values&quot;:[&quot;9781119872191&quot;]}]\" id=\"du-slot-62181c3fbfec3\"></div></div>","rightAd":"<div class=\"du-ad-region row\" id=\"article_page_right_ad\"><div class=\"du-ad-unit col-md-12\" data-slot-id=\"article_page_right_ad\" data-refreshed=\"false\" \r\n data-target = \"[{&quot;key&quot;:&quot;cat&quot;,&quot;values&quot;:[&quot;technology&quot;,&quot;cybersecurity&quot;]},{&quot;key&quot;:&quot;isbn&quot;,&quot;values&quot;:[&quot;9781119872191&quot;]}]\" id=\"du-slot-62181c3fc0852\"></div></div>"},"articleType":{"articleType":"Cheat Sheet","articleList":[{"articleId":139435,"title":"Hacking Tools You Can’t Live Without","slug":"hacking-tools-you-cant-live-without","categoryList":[],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/139435"}},{"articleId":139437,"title":"Common Security Weaknesses that Criminal Hackers Target","slug":"common-security-weaknesses-that-criminal-hackers-target","categoryList":[],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/139437"}},{"articleId":139436,"title":"Commonly Hacked Ports","slug":"commonly-hacked-ports","categoryList":[],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/139436"}},{"articleId":139439,"title":"Tips for Successful IT Security 
Assessments","slug":"tips-for-successful-it-security-assessments","categoryList":[],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/139439"}}],"content":[{"title":"Hacking tools you can’t live without","thumb":null,"image":null,"content":"<p>As an IT information security professional, your toolkit is the most critical item you can possess against hacking — other than hands-on experience and common sense. Your hacking tools should consist of the following (and make sure you’re never on the job without them):</p>\n<ul class=\"level-one\">\n<li>\n<p class=\"first-para\"><b>Password cracking software,</b> such as ophcrack and Proactive Password Auditor</p>\n</li>\n<li>\n<p class=\"first-para\"><b>Network scanning software, </b>such as Nmap and NetScanTools Pro</p>\n</li>\n<li>\n<p class=\"first-para\"><b>Network vulnerability scanning software,</b> such as LanGuard and Nessus</p>\n</li>\n<li>\n<p class=\"first-para\"><b>Network analyzer software, </b>such as Cain &amp; Abel and CommView</p>\n</li>\n<li>\n<p class=\"first-para\"><b>Wireless network analyzer and software</b>, such as Aircrack-ng and CommView for WiFi</p>\n</li>\n<li>\n<p class=\"first-para\"><b>File search software,</b> such as FileLocator Pro</p>\n</li>\n<li>\n<p class=\"first-para\"><b>Web application vulnerability scanning software,</b> such as Acunetix Web Vulnerability Scanner and Probely</p>\n</li>\n<li>\n<p class=\"first-para\"><b>Database security scanning software, </b>such as SQLPing3</p>\n</li>\n<li>\n<p class=\"first-para\"><b>Exploit software, </b>such as Metasploit</p>\n</li>\n</ul>\n"},{"title":"Common security weaknesses that criminal hackers target","thumb":null,"image":null,"content":"<p>Information security professionals should know the common flaws that criminal hackers and malicious users first check for when hacking into computer systems. 
Weaknesses such as the following should be on your shortlist when you perform your security tests:</p>\n<ul class=\"level-one\">\n<li>\n<p class=\"first-para\">Gullible and overly trusting users</p>\n</li>\n<li>\n<p class=\"first-para\">Unsecured building and computer room entrances</p>\n</li>\n<li>\n<p class=\"first-para\">Discarded documents that have not been shredded, computers with drives that have not been wiped, and storage devices that have not been destroyed</p>\n</li>\n<li>\n<p class=\"first-para\">Network perimeters with little to no firewall protection</p>\n</li>\n<li>\n<p class=\"first-para\">Poor, inappropriate, or missing file and share access controls</p>\n</li>\n<li>\n<p class=\"first-para\">Unpatched systems that can be exploited by malware or free tools, such as Metasploit</p>\n</li>\n<li>\n<p class=\"first-para\">Web applications with weak authentication mechanisms and input validation weaknesses</p>\n</li>\n<li>\n<p class=\"first-para\">Guest wireless networks that allow the public to connect into the production network environment</p>\n</li>\n<li>\n<p class=\"first-para\">Laptop computers with no full-disk encryption</p>\n</li>\n<li>\n<p class=\"first-para\">Mobile devices with easy-to-crack passwords or no passwords at all</p>\n</li>\n<li>\n<p class=\"first-para\">Weak or no application, database, and operating system passwords</p>\n</li>\n<li>\n<p class=\"first-para\">Firewalls, routers, and switches with default or easily guessed passwords</p>\n</li>\n</ul>\n"},{"title":"Commonly hacked ports","thumb":null,"image":null,"content":"<p>Common ports, such as TCP port 443 (HTTPS), may be locked down or protected by a web application firewall, but other ports may get overlooked and be vulnerable to hackers. 
In your security tests, be sure to check these commonly hacked TCP and UDP ports:</p>\n<ul class=\"level-one\">\n<li>\n<p class=\"first-para\">TCP port 21 — FTP (File Transfer Protocol)</p>\n</li>\n<li>\n<p class=\"first-para\">TCP port 22 — SSH (Secure Shell)</p>\n</li>\n<li>\n<p class=\"first-para\">TCP port 23 — Telnet</p>\n</li>\n<li>\n<p class=\"first-para\">TCP port 25 — SMTP (Simple Mail Transfer Protocol)</p>\n</li>\n<li>\n<p class=\"first-para\">TCP and UDP port 53 — DNS (Domain Name System)</p>\n</li>\n<li>\n<p class=\"first-para\">TCP port 80 — HTTP (Hypertext Transfer Protocol)</p>\n</li>\n<li>\n<p class=\"first-para\">TCP port 110 — POP3 (Post Office Protocol version 3)</p>\n</li>\n<li>\n<p class=\"first-para\">TCP and UDP port 135 — Windows RPC endpoint mapper (MSRPC)</p>\n</li>\n<li>\n<p class=\"first-para\">TCP and UDP ports 137–139 — Windows NetBIOS over TCP/IP</p>\n</li>\n<li>\n<p class=\"first-para\">TCP port 1433 and UDP port 1434 — Microsoft SQL Server</p>\n</li>\n</ul>\n"},{"title":"Tips for successful IT security assessments","thumb":null,"image":null,"content":"<p>You need successful security assessments to protect your systems from hacking. Whether you’re performing security tests against your own systems or for those of a third party, you must be prudent and pragmatic to succeed. These tips for security assessments will help you succeed in your role as an information security professional:</p>\n<ul class=\"level-one\">\n<li>\n<p class=\"first-para\">Set goals and develop a plan before you get started.</p>\n</li>\n<li>\n<p class=\"first-para\">Get written permission to perform your tests.</p>\n</li>\n<li>\n<p class=\"first-para\">Have access to the right tools for the tasks at hand. 
You can use free tools, but you usually get what you pay for!</p>\n</li>\n<li>\n<p class=\"first-para\">Test at a time that’s best for the business.</p>\n</li>\n<li>\n<p class=\"first-para\">Keep the key players in the loop during your testing.</p>\n</li>\n<li>\n<p class=\"first-para\">Understand that it’s not possible to detect <i>every</i> security vulnerability on every system.</p>\n</li>\n<li>\n<p class=\"first-para\">Study criminal behaviors and tactics. The more you know about how the bad guys work, the better you’ll be at testing your systems for security vulnerabilities.</p>\n</li>\n<li>\n<p class=\"first-para\">Don’t overlook nontechnical security issues; they’re often exploited first.</p>\n</li>\n<li>\n<p class=\"first-para\">Make sure that all your testing is above board and approved in writing before getting started.</p>\n</li>\n<li>\n<p class=\"first-para\">Treat other people’s confidential information at least as well as you would treat your own.</p>\n</li>\n<li>\n<p class=\"first-para\">Bring critical vulnerabilities you find to the attention of management and other necessary parties, and implement the appropriate countermeasures as soon as possible.</p>\n</li>\n<li>\n<p class=\"first-para\">Don’t treat every vulnerability discovered in the same manner. Not all weaknesses carry the same risk. Evaluate the context of the issues found before you declare that the sky is falling. It’s almost always a handful of vulnerabilities that create the majority of the risk.</p>\n</li>\n<li>\n<p class=\"first-para\">Show management and customers that security testing is good business and you’re the right professional for the job. 
Vulnerability and penetration testing is an investment to meet business goals; it helps you find what really matters and comply with the various laws and regulations that help the organization over the long term.</p>\n</li>\n</ul>\n"}],"videoInfo":{"videoId":null,"name":null,"accountId":null,"playerId":null,"thumbnailUrl":null,"description":null,"uploadDate":null}},"sponsorship":{"sponsorshipPage":false,"backgroundImage":{"src":null,"width":0,"height":0},"brandingLine":"","brandingLink":"","brandingLogo":{"src":null,"width":0,"height":0}},"primaryLearningPath":"Advance","lifeExpectancy":"One year","lifeExpectancySetFrom":"2022-02-24T00:00:00+00:00","dummiesForKids":"no","sponsoredContent":"no","adInfo":"","adPairKey":[]},"status":"publish","visibility":"public","articleId":207422},{"headers":{"creationTime":"2022-01-10T18:52:05+00:00","modifiedTime":"2022-01-10T18:52:05+00:00","timestamp":"2022-02-24T17:07:23+00:00"},"data":{"breadcrumbs":[{"name":"Technology","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33512"},"slug":"technology","categoryId":33512},{"name":"Cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"},"slug":"cybersecurity","categoryId":33537}],"title":"Cloud Security For Dummies Cheat Sheet","strippedTitle":"cloud security for dummies cheat sheet","slug":"cloud-security-for-dummies-cheat-sheet","canonicalUrl":"","seo":{"metaDescription":"This handy cheat sheet summarizes the keys to building security into your network and mitigating the risk of a data breach.","noIndex":0,"noFollow":0},"content":"So many computing resources have migrated to the cloud because of ease of use, accessibility, cost, maintainability, and getting your computing closer to your clients (edge computing). With all of these advantages come additional responsibilities.\r\n\r\nCloud service providers do provide some security for your applications and data, but you share responsibility with them. 
Primarily, those responsibilities include managing access to your cloud resources and maintaining the security of your applications.\r\n\r\nWhile it may seem that having responsibility for two things is not a lot of work, it’s quite a challenge. Following are the essentials of cloud security.","description":"So many computing resources have migrated to the cloud because of ease of use, accessibility, cost, maintainability, and getting your computing closer to your clients (edge computing). With all of these advantages come additional responsibilities.\r\n\r\nCloud service providers do provide some security for your applications and data, but you share responsibility with them. Primarily, those responsibilities include managing access to your cloud resources and maintaining the security of your applications.\r\n\r\nWhile it may seem that having responsibility for two things is not a lot of work, it’s quite a challenge. Following are the essentials of cloud security.","blurb":"","authors":[{"authorId":34680,"name":"Ted Coombs","slug":"ted-coombs","description":"Ted Coombs is an artist, technology futurist, and author of more than 20 books on technology and other topics.","_links":{"self":"https://dummies-api.dummies.com/v2/authors/34680"}}],"primaryCategoryTaxonomy":{"categoryId":33537,"title":"Cybersecurity","slug":"cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"}},"secondaryCategoryTaxonomy":{"categoryId":0,"title":null,"slug":null,"_links":null},"tertiaryCategoryTaxonomy":{"categoryId":0,"title":null,"slug":null,"_links":null},"trendingArticles":null,"inThisArticle":[],"relatedArticles":{"fromBook":[],"fromCategory":[{"articleId":270968,"title":"How to Perform a Penetration Test","slug":"how-to-perform-a-penetration-test","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270968"}},{"articleId":270960,"title":"Penetration Testing with Burp Suite and Wireshark to 
Uncover Vulnerabilities","slug":"penetration-testing-with-burp-suite-and-wireshark-to-uncover-vulnerabilities","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270960"}},{"articleId":270942,"title":"Building a Penetration Testing Toolkit: Considerations and Popular Pen Test Tools","slug":"building-a-penetration-testing-toolkit-considerations-and-popular-pen-test-tools","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270942"}},{"articleId":270933,"title":"How to Structure a Pen Test Report","slug":"how-to-structure-a-pen-test-report","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270933"}},{"articleId":270923,"title":"Top 10 Myths About Pen Testing","slug":"top-10-myths-about-pen-testing","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270923"}}]},"hasRelatedBookFromSearch":false,"relatedBook":{"bookId":290170,"slug":"cloud-security-for-dummies","isbn":"9781119790464","categoryList":["technology","cybersecurity"],"amazon":{"default":"https://www.amazon.com/gp/product/1119790468/ref=as_li_tl?ie=UTF8&tag=wiley01-20","ca":"https://www.amazon.ca/gp/product/1119790468/ref=as_li_tl?ie=UTF8&tag=wiley01-20","indigo_ca":"http://www.tkqlhce.com/click-9208661-13710633?url=https://www.chapters.indigo.ca/en-ca/books/product/1119790468-item.html&cjsku=978111945484","gb":"https://www.amazon.co.uk/gp/product/1119790468/ref=as_li_tl?ie=UTF8&tag=wiley01-20","de":"https://www.amazon.de/gp/product/1119790468/ref=as_li_tl?ie=UTF8&tag=wiley01-20"},"image":{"src":"https://www.dummies.com/wp-content/uploads/cloud-security-fd-9781119790464-203x255.jpg","width":203,"height":255},"title":"Cloud Security For Dummies","testBankPinActivationLink":"","bookOutOfPrint":true,"authorsInfo":"\n <p><b data-author-id=\"34680\">Ted Coombs</b> is an artist, technology 
futurist, and author of more than 20 books on technology and other topics.</p>","authors":[{"authorId":34680,"name":"Ted Coombs","slug":"ted-coombs","description":"Ted Coombs is an artist, technology futurist, and author of more than 20 books on technology and other topics.","_links":{"self":"https://dummies-api.dummies.com/v2/authors/34680"}}],"_links":{"self":"https://dummies-api.dummies.com/v2/books/"}},"collections":[],"articleAds":{"footerAd":"<div class=\"du-ad-region row\" id=\"article_page_adhesion_ad\"><div class=\"du-ad-unit col-md-12\" data-slot-id=\"article_page_adhesion_ad\" data-refreshed=\"false\" \r\n data-target = \"[{&quot;key&quot;:&quot;cat&quot;,&quot;values&quot;:[&quot;technology&quot;,&quot;cybersecurity&quot;]},{&quot;key&quot;:&quot;isbn&quot;,&quot;values&quot;:[&quot;9781119790464&quot;]}]\" id=\"du-slot-6217bb4ba7881\"></div></div>","rightAd":"<div class=\"du-ad-region row\" id=\"article_page_right_ad\"><div class=\"du-ad-unit col-md-12\" data-slot-id=\"article_page_right_ad\" data-refreshed=\"false\" \r\n data-target = \"[{&quot;key&quot;:&quot;cat&quot;,&quot;values&quot;:[&quot;technology&quot;,&quot;cybersecurity&quot;]},{&quot;key&quot;:&quot;isbn&quot;,&quot;values&quot;:[&quot;9781119790464&quot;]}]\" id=\"du-slot-6217bb4ba822e\"></div></div>"},"articleType":{"articleType":"Cheat Sheet","articleList":[{"articleId":0,"title":"","slug":null,"categoryList":[],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/"}}],"content":[{"title":"Managing access to cloud resources","thumb":null,"image":null,"content":"<p>Access to cloud resources involves several types of security precautions:</p>\n<ul>\n<li><strong>Protecting your local devices from malware.</strong> Infected devices can allow hackers to gain access to your local network and consequently to your cloud services. 
Compromised accounts can also reveal login information that can be used to infiltrate your cloud accounts.</li>\n<li><strong>User account control limits who has access to your resources.</strong> There are several strategies for managing who can connect to your applications and data, but the goal should be to trust no one. This concept is known as zero trust, where access is granted only to those who have a legitimate need. This means that a well-managed access system knows the risks from both the users and the resources they access. These systems can even control the time of day that access is allowed, limiting access to times when it’s reasonably expected that someone should have access.</li>\n</ul>\n<p>Here are some ways you can get started along the path to better managed cloud access:</p>\n<ul>\n<li><strong>Employ a network discovery tool.</strong> With environments changing by the second as mobile devices, IoT gadgets, desktops, and remote networks connect and disconnect constantly, it’s not possible for people to manually track what is connected. Discovery tools can make this process possible.</li>\n<li><strong>Use a CMDB (configuration management database) to keep track of the devices your discovery system finds.</strong> It will also track where your data resides and which users access your cloud resources, and it can even create lists of the people who are responsible when a resource fails or begins operating outside of its normal parameters.</li>\n<li><strong>Create a risk assessment.</strong> All configuration items (CIs) in your CMDB have a level of risk associated with them. Create risk levels based on how your business would be impacted should one of these items stop working, be stolen, or be locked up by ransomware. People also need to have a risk profile. For example, employees might be more trusted than vendors who have access to your cloud resources. 
Risk assessments allow you to automate how applications such as user account management systems control access to your resources.</li>\n<li><strong>Consider employing AIOps, an artificial intelligence system for managing your network operations.</strong> Using data from logs, tracking systems, user account management systems, and more, the AI creates and manages alerts. Alert management can be automated to reduce the number of mundane tasks, such as adding disk space when a drive becomes full. Alert management can also intelligently group alerts to avoid overwhelming your network operators with floods of alerts. Instead, alerts are grouped based on their most likely cause, and these AIOps systems then recommend solutions based on how similar problems were solved in the past.</li>\n</ul>\n"},{"title":"Maintaining network and application security","thumb":null,"image":null,"content":"<p>Hacking user accounts to break into networks is not the only way hackers exploit your cloud systems. The number one exploit is taking advantage of misconfigured networks. The number of configuration possibilities in a complex cloud environment is staggering. With the virtualized environment of the cloud, where applications run in containers or on virtual machines, each of these environments has its own configuration settings. To manage this complexity, Configuration as Code (CoC) allows you to automate these configuration settings.</p>\n<p class=\"article-tips tip\">Configuration as Code can cause misconfigurations when the settings in the code are incorrect. 
Make sure you test these settings before putting this code into production.</p>\n<p>Beyond misconfigurations, applications running in the cloud can have bugs that hackers exploit to gain control of the data they manage or even to gain control of the network on which the application runs.</p>\n<p>There is a methodology for application development known as DevOps that allows for continuous planning, development, testing, and release of applications in an agile manner. The testing portion of this application development is normally automated, catching bugs and weak code before applications are released. Monitoring after applications are released catches bugs before they are exploited.</p>\n"},{"title":"Where to go for more information","thumb":null,"image":null,"content":"<p>There are hundreds of organizations and groups focused on improving cloud security. Find local groups and get involved; they can support you in keeping up with the rapidly changing world of information security and how it impacts the security of your cloud resources. 
Some of the best resources to monitor for the latest security updates are:</p>\n<p><strong><a href=\"https://cloudsecurityalliance.org/\" target=\"_blank\" rel=\"noopener\">Cloud Security Alliance</a>:</strong> This non-profit alliance is dedicated to defining and raising awareness of best practices to ensure a secure cloud computing environment.</p>\n<p><strong><a href=\"https://www.nist.gov/cyberframework\" target=\"_blank\" rel=\"noopener\">National Institute of Standards and Technology</a> (NIST):</strong> This government agency has created a framework for information security, giving you a guide for implementing your own security measures.</p>\n"}],"videoInfo":{"videoId":null,"name":null,"accountId":null,"playerId":null,"thumbnailUrl":null,"description":null,"uploadDate":null}},"sponsorship":{"sponsorshipPage":false,"backgroundImage":{"src":null,"width":0,"height":0},"brandingLine":"","brandingLink":"","brandingLogo":{"src":null,"width":0,"height":0}},"primaryLearningPath":"Advance","lifeExpectancy":"One year","lifeExpectancySetFrom":"2022-01-10T00:00:00+00:00","dummiesForKids":"no","sponsoredContent":"no","adInfo":"","adPairKey":[]},"status":"publish","visibility":"public","articleId":290240},{"headers":{"creationTime":"2020-01-30T02:31:25+00:00","modifiedTime":"2021-12-29T20:17:29+00:00","timestamp":"2022-02-24T17:07:21+00:00"},"data":{"breadcrumbs":[{"name":"Technology","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33512"},"slug":"technology","categoryId":33512},{"name":"Cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"},"slug":"cybersecurity","categoryId":33537}],"title":"The Fundamentals of GDPR and Data Protection","strippedTitle":"the fundamentals of gdpr and data protection","slug":"the-fundamentals-of-gdpr-and-data-protection","canonicalUrl":"","seo":{"metaDescription":"Learn the fundamentals of the General Data Protection Regulation and the data protections laws, including the consequences of 
non-GDPR-compliance.","noIndex":0,"noFollow":0},"content":"One aim of the General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, was to harmonize data protection laws across Europe — so its legal form is a <em>regulation</em> (an order that must be executed) as opposed to a <em>directive</em> (a result to achieve, though the means to achieve aren’t dictated)<strong><em>. </em></strong>\r\n\r\nThe GDPR is the successor to the European Union's (EU) Data Protection Directive 1995 (Directive 95/46/EC). Unlike a directive, when the EU enacts a regulation, it becomes national legislation in each EU member state, with member states having no opportunity to change it via national legislation.\r\n\r\nHowever, EU member states are permitted to make certain <em>derogations</em> (a fancy term for <em>exemptions</em>) from the GDPR (such as in the case of the need to uphold a country’s security), so data protection laws across Europe aren’t quite as harmonized as may have been desired by some of the legislators.\r\n\r\nAlthough EU member states cannot change the GDPR, each member state requires national legislation to accompany the GDPR, for two reasons:\r\n<ul>\r\n \t<li>The GDPR needs to fit into the member state’s legal framework.</li>\r\n \t<li>National legislation is needed to choose from the exemptions permitted by the GDPR.</li>\r\n</ul>\r\nAt the time this article was written, all but three member states had passed national legislation to sit alongside the GDPR. 
So, you need to familiarize yourself with not only the GDPR but also the legislation that was implemented in the EU member state(s) in which your organization is established.\r\n\r\n[caption id=\"attachment_267803\" align=\"alignnone\" width=\"556\"]<img class=\"size-full wp-image-267803\" src=\"https://www.dummies.com/wp-content/uploads/gdpr-compliance.jpg\" alt=\"GDPR compliance concept\" width=\"556\" height=\"366\" /> ©SB_photos/Shutterstock.com[/caption]\r\n<h2 id=\"tab1\" ><a name=\"_Toc19043350\"></a>Data protection laws</h2>\r\nData protection laws exist to balance the rights of individuals to privacy and the ability of organizations to use data for the purposes of their business. Data protection laws provide important rights for data subjects and for the enforcement of such rights.\r\n\r\nThis list describes a handful of additional points about these laws to keep in mind. Data protection laws:\r\n<ul>\r\n \t<li><strong>Protect data subjects: </strong>A <em>data subject</em> is an individual whose personal data is collected, held, and/or processed.</li>\r\n \t<li><strong>Apply to organizations that control the processing of personal data (known as <em>data controllers</em>) and also organizations that process personal data under the instructions of data controllers (known as <em>data processors</em>): </strong>These include companies (both private and public), charities (not-for-profit, political, and so on), and associations (such as churches, sports clubs, and professional leagues, to name only a few).</li>\r\n \t<li><strong>Apply throughout the world: </strong>The concept of privacy originated in the United States in the 1890s. 
Although the EU has been a front-runner in establishing the laws protecting data and sees itself as setting the gold standard of data protections laws, the vast majority of countries around the world have some form of data protection laws.</li>\r\n \t<li><strong>Do not prevent organizations from using personal data: </strong>Organizations can legitimately use personal data to their benefit as long as they comply with applicable data protection laws. Every organization is likely to process some personal data — of its clients, employees, suppliers, prospects, and so on.</li>\r\n \t<li><strong>Prevent common misuses of personal data: </strong>Organizations often fail to (a) put in place appropriate measures to keep personal data secure (b) inform the data subject at the point of data collection about what it is intending to do with the personal data and where necessary to obtain consent and (c) transfer personal data to third parties without the knowledge of the data subject. Data protection laws generally prevent these common misuses.</li>\r\n</ul>\r\nCountries hold to varying degrees of regulation and enforcement and some countries don’t have any data protection laws. 
The following table rates the strength of various countries’ efforts to protect data.\r\n<table><caption><strong>Regulation/Enforcement Strength of Data Protection Laws Worldwide</strong></caption>\r\n<tbody>\r\n<tr>\r\n<td width=\"216\"><strong>Type of Regulation/Enforcement</strong></td>\r\n<td width=\"301\"><strong>Countries</strong></td>\r\n</tr>\r\n<tr>\r\n<td width=\"216\">Tough</td>\r\n<td width=\"301\">Australia, Canada, Hong Kong, South Korea</td>\r\n</tr>\r\n<tr>\r\n<td width=\"216\">Strong</td>\r\n<td width=\"301\">Argentina, China, Estonia, Finland, Iceland, Japan, Latvia, Malaysia, Monaco, Morocco, New Zealand</td>\r\n</tr>\r\n<tr>\r\n<td width=\"216\">Light</td>\r\n<td width=\"301\">Angola, Belarus, Costa Rica, Egypt, Ghana, Lithuania, Mexico, Nigeria, Russia, Saudi Arabia/UAE, South Africa, Turkey, Ukraine</td>\r\n</tr>\r\n<tr>\r\n<td width=\"216\">Limited</td>\r\n<td width=\"301\">Honduras, India, Indonesia, Pakistan, Panama, Thailand, Uruguay</td>\r\n</tr>\r\n</tbody>\r\n</table>\r\n<h2 id=\"tab2\" ><a name=\"_Toc19043351\"></a>The 10 most important obligations of the GDPR</h2>\r\nThe <em>obligations</em> I refer to in this section’s heading are the ten most important actions you need to take to comply with the GDPR; I’ve only summarized these obligations in the following list because I discuss them further throughout this book:\r\n<ul>\r\n \t<li><strong>Prepare a data inventory to map your data flows</strong> so that you can understand exactly what personal data you’re processing and what you’re doing with it.</li>\r\n \t<li><strong>Work out the lawful grounds for processing each type of personal data</strong> for each purpose for which you’re processing it.</li>\r\n \t<li><strong>Ensure that your data security strategy is robust</strong> and that you have implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk of a data breach or other security incident.</li>\r\n \t<li><strong>Ensure 
that an appropriate safeguard is in place</strong> whenever you transfer personal data outside of the European Economic Area (EEA).</li>\r\n \t<li><strong>Update your Privacy Notice</strong> to ensure that you’re being transparent about the means and purposes of your data-processing.</li>\r\n \t<li><strong>Update your Cookie Policy</strong> to ensure that you aren’t relying on implied consent, that browsers of your website are taking affirmative action to consent to non-essential cookies being used, and that the cookies are fired only after consent is obtained.</li>\r\n \t<li><strong>Ensure that your <a href=\"https://www.dummies.com/computers/pcs/computer-security/10-ways-to-train-employees-to-be-good-stewards-of-data/\">staff are appropriately trained</a></strong> in relevant areas of the GDPR.</li>\r\n \t<li><strong>Ensure that you have reviewed the grounds on which you process employee data,</strong> and issue a revised employee privacy notice where necessary.</li>\r\n \t<li><strong>Determine whether you need to appoint a data protection officer (DPO).</strong> If you do, take the necessary steps to hire a suitable candidate.</li>\r\n \t<li><strong>Review all of your processor and subprocessor arrangements</strong> and ensure that appropriate contracts are in place. 
Ensure that the data processors (and subprocessors) are compliant with the GDPR and that they have adequate security in place to protect the personal data.</li>\r\n</ul>\r\n<h2 id=\"tab3\" ><a name=\"_Toc19043352\"></a>The consequences of non-compliance</h2>\r\nThink of this as a description of not only the consequences you face if you aren’t compliant with the GDPR but also the reasons you should care about being compliant.\r\n<h3><a name=\"_Toc19043353\"></a>Increased fines and sanctions</h3>\r\nThe GDPR has introduced significant increases in the maximum fines for breaches of its requirements.\r\n\r\nUnder the GDPR, the fine for certain breaches of the GDPR has been increased to 20 million euros (about $24 million USD) or 4 percent of global turnover for the past financial year, whichever is higher. For “lesser” breaches, the maximum fines have increased to 10 million euros (about $12 million USD) or 2 percent of global turnover for the past financial year, whichever is higher.\r\n\r\nThis significant increase in fines indicates the increasing importance of data protection within the EU as the value of personal data increases and the processing becomes even more sophisticated.\r\n\r\nThis is not to say that you will be fined these amounts for any infringements of the GDPR. You would have to do something that significantly impacts the rights and freedoms of a large number of data subjects to incur a maximum fine.\r\n<p class=\"article-tips remember\">Supervisory authorities are the regulatory authorities (often known as <em>data protection authorities</em>) within individual EU member states that are responsible for the enforcement of the GDPR.</p>\r\n\r\n<h3><a name=\"_Toc19043354\"></a>Civil claims</h3>\r\nData subjects can now bring civil claims against data controllers for infringements of their data subject rights. 
So, if, for example, you don’t respond appropriately to a data subject right request (namely where the data subject can request details of the personal data you process for that data subject) or if you experience a data breach that affects the data subject’s personal data, you could find yourself on the receiving end of a civil claim.\r\n\r\nAs you may have noticed in recent high-profile data breaches, such as the British Airways data breach in 2019, data protection lawyers are placing advertisements encouraging victims of data breaches to join group actions against the data controller.\r\n\r\nA civil claim against you would not only damage your reputation further but would also cost a significant amount of time and money to defend the claim.\r\n<h3><a name=\"_Toc19043355\"></a>Data subject complaints</h3>\r\nThe general public is much savvier about their data protection rights than they used to be, for these reasons:\r\n<ul>\r\n \t<li>The introduction of the GDPR garnered a lot of publicity due to the increased sanctions.</li>\r\n \t<li>Supervisory authorities ran various awareness campaigns to ensure that data subjects were aware of their rights.</li>\r\n \t<li>Certain high-profile cases, such as the Facebook and Cambridge Analytica cases (where personal data was misused for political profiling), and the British Airways data breach case have received broad coverage in the media.</li>\r\n</ul>\r\nThis savviness has led to an increase in the number of complaints from data subjects whose personal data hasn’t been processed in accordance with the GDPR. Data subjects are lodging complaints both directly to the data controller and to supervisory authorities. 
The two situations require two different responses:\r\n<ul>\r\n \t<li><strong>If the data subject complains directly to you (the data controller):</strong> Although a complaint signals that an element of reputational damage has occurred, you have an opportunity to repair the relationship, which is particularly important if the data subject is a customer or a potential customer.</li>\r\n \t<li><strong>If the data subject complains to the supervisory authority:</strong> Because the supervisory authority is bound to investigate that complaint, you might face more serious consequences. The supervisory authority will review all your data processing activities, policies, and procedures in relation to that complaint. If it finds that the complaint is valid, the supervisory authority will use its corrective powers in relation to such complaints.</li>\r\n</ul>\r\nThese corrective powers include the ability to issue fines, to impose a temporary or definitive ban on the processing of personal data, or to force you to respond to the data subject’s requests to exercise their rights.\r\n<h3><a name=\"_Toc19043356\"></a>Brand damage</h3>\r\nWhen a data subject brings a claim against you, you risk not only sanctions from the relevant supervisory authority but also brand damage. A report by <a href=\"https://dma.org.uk/uploads/misc/5b0522b113a23-global-data-privacy-report---final-2_5b0522b11396e.pdf\">Acxiom</a> (a consulting firm providing marketers with data and technology assistance) entitled “Global data privacy: what the consumer really thinks” showed that individuals from around the world are, in the vast majority, quite concerned about how their personal data is used and protected. 
If you aren’t compliant with the GDPR, you’re showing your prospects, customers, and employees that you aren’t concerned about the protection of their personal data.\r\n<h3><a name=\"_Toc19043357\"></a>Loss of trust</h3>\r\nIf you don’t comply with the GDPR and, for example, you experience a data breach or don’t respond appropriately to data subject requests, you are likely to lose trust from your customers and prospects. When they don’t trust you, they don’t want to buy from you or otherwise do business with you. Similarly, when your employees don’t trust you, they no longer want to work for you.\r\n\r\nIn unfortunate timing, British Airways sent an email to all of its customers to assure them that they could trust British Airways with their personal data. Just a couple of months later, British Airways suffered a large data breach that compromised the financial details of 185,000 customers, details that were sold on the dark web. As a result of this data breach, the share price of IAG (British Airways’ parent company) decreased by 5.8 percent (equivalent to a loss of £350m).\r\n\r\nIn 2018, <a href=\"http://www.comparitech.com/blog/information-security/data-breach-share-price-2018/\">CompariTech</a> carried out a report finding that, in the long term, organizations that have suffered data breaches financially underperformed.\r\n<h2 id=\"tab4\" ><a name=\"_Toc19043358\"></a>Be a market leader</h2>\r\nBy embracing the GDPR and showing your customers, prospects, and employees that you care about the protection of their personal data, you gain a competitive advantage.\r\n\r\nElizabeth Denham, the United Kingdom information commissioner, summed up this idea nicely:\r\n<blockquote>“Accountability encourages an upfront investment in privacy fundamentals, but it offers a payoff down the line, not just in better legal compliance, but a competitive edge. 
We believe there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals and over time this can play more of a role in consumer choice.”</blockquote>","description":"","blurb":"","authors":[{"authorId":33258,"name":"Suzanne Dibble","slug":"suzanne-dibble","description":"Suzanne Dibble, LLB, CIPP/E, is a business lawyer who has advised huge multinational corporations, private equity-backed enterprises, and household names. Since 2010 she has focused on small businesses, combining her knowledge of large organizations with a deep appreciation for entrepreneurship, especially online businesses, to provide practical, relevant advice. Learn more at suzannedibble.com.","_links":{"self":"https://dummies-api.dummies.com/v2/authors/33258"}}],"primaryCategoryTaxonomy":{"categoryId":33537,"title":"Cybersecurity","slug":"cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"}},"secondaryCategoryTaxonomy":{"categoryId":0,"title":null,"slug":null,"_links":null},"tertiaryCategoryTaxonomy":{"categoryId":0,"title":null,"slug":null,"_links":null},"trendingArticles":null,"inThisArticle":[{"label":"Data protection laws","target":"#tab1"},{"label":"The 10 most important obligations of the GDPR","target":"#tab2"},{"label":"The consequences of non-compliance","target":"#tab3"},{"label":"Be a market leader","target":"#tab4"}],"relatedArticles":{"fromBook":[{"articleId":267867,"title":"GDPR and Data Security","slug":"gdpr-and-data-security","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/267867"}},{"articleId":267864,"title":"The GDPR and Data Subject Access Rights (DSARs)","slug":"the-gdpr-and-data-subject-access-rights-dsars","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/267864"}},{"articleId":267861,"title":"How to Create and Communicate Your Opt-In 
Wording","slug":"how-to-create-and-communicate-your-opt-in-wording","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/267861"}},{"articleId":267858,"title":"Data Protection: When to Use Opt-In Wording","slug":"data-protection-when-to-use-opt-in-wording","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/267858"}},{"articleId":267854,"title":"How to Create and Communicate Your Cookie Policy","slug":"how-to-create-and-communicate-your-cookie-policy","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/267854"}}],"fromCategory":[{"articleId":290240,"title":"Cloud Security For Dummies Cheat Sheet","slug":"cloud-security-for-dummies-cheat-sheet","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/290240"}},{"articleId":270968,"title":"How to Perform a Penetration Test","slug":"how-to-perform-a-penetration-test","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270968"}},{"articleId":270960,"title":"Penetration Testing with Burp Suite and Wireshark to Uncover Vulnerabilities","slug":"penetration-testing-with-burp-suite-and-wireshark-to-uncover-vulnerabilities","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270960"}},{"articleId":270942,"title":"Building a Penetration Testing Toolkit: Considerations and Popular Pen Test Tools","slug":"building-a-penetration-testing-toolkit-considerations-and-popular-pen-test-tools","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270942"}},{"articleId":270933,"title":"How to Structure a Pen Test 
Report","slug":"how-to-structure-a-pen-test-report","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270933"}}]},"hasRelatedBookFromSearch":false,"relatedBook":{"bookId":282224,"slug":"gdpr-for-dummies","isbn":"9781119546092","categoryList":["technology","cybersecurity"],"amazon":{"default":"https://www.amazon.com/gp/product/1119546095/ref=as_li_tl?ie=UTF8&tag=wiley01-20","ca":"https://www.amazon.ca/gp/product/1119546095/ref=as_li_tl?ie=UTF8&tag=wiley01-20","indigo_ca":"http://www.tkqlhce.com/click-9208661-13710633?url=https://www.chapters.indigo.ca/en-ca/books/product/1119546095-item.html&cjsku=978111945484","gb":"https://www.amazon.co.uk/gp/product/1119546095/ref=as_li_tl?ie=UTF8&tag=wiley01-20","de":"https://www.amazon.de/gp/product/1119546095/ref=as_li_tl?ie=UTF8&tag=wiley01-20"},"image":{"src":"https://www.dummies.com/wp-content/uploads/gdpr-for-dummies-cover-9781119546092-203x255.jpg","width":203,"height":255},"title":"GDPR For Dummies","testBankPinActivationLink":"","bookOutOfPrint":true,"authorsInfo":"\n <p><b data-author-id=\"33258\">Suzanne Dibble</b>, LLB, CIPP/E, is a business lawyer who has advised huge multinational corporations, private equity-backed enterprises, and household names. Since 2010 she has focused on small businesses, combining her knowledge of large organizations with a deep appreciation for entrepreneurship, especially online businesses, to provide practical, relevant advice. Learn more at suzannedibble.com.</p>","authors":[{"authorId":33258,"name":"Suzanne Dibble","slug":"suzanne-dibble","description":"Suzanne Dibble, LLB, CIPP/E, is a business lawyer who has advised huge multinational corporations, private equity-backed enterprises, and household names. Since 2010 she has focused on small businesses, combining her knowledge of large organizations with a deep appreciation for entrepreneurship, especially online businesses, to provide practical, relevant advice. 
Learn more at suzannedibble.com.","_links":{"self":"https://dummies-api.dummies.com/v2/authors/33258"}}],"_links":{"self":"https://dummies-api.dummies.com/v2/books/"}},"collections":[],"articleType":{"articleType":"Articles","articleList":null,"content":null,"videoInfo":{"videoId":null,"name":null,"accountId":null,"playerId":null,"thumbnailUrl":null,"description":null,"uploadDate":null}},"sponsorship":{"sponsorshipPage":false,"backgroundImage":{"src":null,"width":0,"height":0},"brandingLine":"","brandingLink":"","brandingLogo":{"src":null,"width":0,"height":0}},"primaryLearningPath":"Advance","lifeExpectancy":"One 
year","lifeExpectancySetFrom":"2021-12-29T00:00:00+00:00","dummiesForKids":"no","sponsoredContent":"no","adInfo":"","adPairKey":[]},"status":"publish","visibility":"public","articleId":267845},{"headers":{"creationTime":"2020-05-23T14:54:34+00:00","modifiedTime":"2021-12-29T20:14:26+00:00","timestamp":"2022-02-24T17:07:21+00:00"},"data":{"breadcrumbs":[{"name":"Technology","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33512"},"slug":"technology","categoryId":33512},{"name":"Cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"},"slug":"cybersecurity","categoryId":33537}],"title":"10 Tips for Becoming a Better Pen Tester","strippedTitle":"10 tips for becoming a better pen tester","slug":"10-tips-to-become-a-better-pen-tester","canonicalUrl":"","seo":{"metaDescription":"Want to become a better pen tester? Use these ten tips to help you improve your skills and become a better cybersecurity professional.","noIndex":0,"noFollow":0},"content":"<a href=\"https://www.dummies.com/computers/macs/security/penetration-testing-for-dummies-cheat-sheet/\">Penetration testing</a> is always evolving. More complex cyberattacks require more sophisticated pen testers. Here are ten tips to help you refine your pen testing skills as you continue in your career or education.\r\n<h2 id=\"tab1\" >Continue your education to improve your pen testing skills</h2>\r\nKeep learning. Study often and do not limit the scope of your studies. You can get by in your career by learning the basics, getting the tools, and running them. However, you need to learn the finer details of information technology systems, networks, and services and how they are secured or threatened.\r\n\r\nThe ways you can continue your education are unlimited. 
However, if you are on a budget (or have access to resources within a budget), here are a few ways you can help yourself:\r\n<ul>\r\n \t<li><strong>Use your library.</strong> To access the internet, books, publications, magazines, and other materials, use your public library system. Some libraries even hold IT classes and, in some cases, even security classes.</li>\r\n \t<li><strong>Use the internet.</strong> You can find many sites to help with pen testing, learning about IT, security, and many other topics. You can gain access to tools and sites that allow you to learn how to conduct penetration testing, and learn operating systems and other valuable programs.</li>\r\n \t<li><strong>Build a test PC.</strong> If you can gain access to a PC or laptop that you can turn into a test system, acquire it and use it. Many companies likely have an older system lying around unused that you can turn into a pen test toolkit.</li>\r\n \t<li><strong>Use virtualization.</strong> Similar to the extra PC or laptop, you can set up virtualization software that gives you access to even more systems, so you can build a small virtual network within a computer and conduct pen testing on multiple systems from one system. The image below shows an example of a tool running within a virtualized system.\r\n\r\n[caption id=\"attachment_270917\" align=\"aligncenter\" width=\"556\"]<img class=\"wp-image-270917 size-full\" src=\"https://www.dummies.com/wp-content/uploads/penetraiton-testing-vmware-virtualization.jpg\" alt=\"VMware virtualization pen testing\" width=\"556\" height=\"466\" /> Using Kali and VMware virtualization[/caption]</li>\r\n \t<li><strong>Use freeware.</strong> Many demo tools give you full access for a period of time, or at least limited functionality, that you can use to learn with.</li>\r\n</ul>\r\n<h2 id=\"tab2\" >Build your penetration testing toolkit</h2>\r\nCarpenters and other trades rely on their tools to be able to do their jobs. 
Auto mechanics, welders, and others who use tools to conduct their work can’t do great work without tools that are maintained and preserved. The same is true of IT professionals, especially those who function in the security realm as pen testers.\r\n\r\nNo matter what, consider your tools as the most important thing you can maintain. Keep the following in mind as you build your toolkit:\r\n<ul>\r\n \t<li><strong>Keeping your toolkit current is one of the hardest things to do as a pen tester. </strong>You will find some tools (sometimes older tools) are more helpful in getting the results you need. Some tools are scripts that are created and maintained by each individual pen tester.</li>\r\n \t<li><strong>Some tools are expensive, and you need to license them. </strong>You also need to keep them updated. For example, any tools, software, programs, applications, and systems you use need to be patched, virus scanned, and kept up to date.</li>\r\n \t<li><strong>All software must be updated. </strong>Any software that requires signature files, digital certificates, block ciphers, and any other form of additional software needs to be updated and maintained.</li>\r\n \t<li><strong>Technology changes over time.</strong> There will be updates to the systems you use, and there will be different systems in different organizations — all this means you need to keep your toolkit current with new additions as you find you need them.</li>\r\n \t<li><strong>Make sure your computer is updated and safe. </strong>Make sure you keep the system you run all this on current as well. Nothing is worse than the embarrassment of getting your own system hacked as a pen tester. Keep your own stuff pristine, secure, and tested.</li>\r\n</ul>\r\n<h2 id=\"tab3\" >Think outside the box to be a better pen tester</h2>\r\nNever get comfortable with the same vectors, tools, patterns, and attacks. Always consider another option — the plan B. 
You have to constantly think outside the box to stay ahead of those who commit crimes.\r\n<p class=\"article-tips tip\">Think of hackers and attacks like running water: water will find a way. You, too, need to think like running water and consider, anticipate, and get ahead of different types of attacks and vectors for attacks by developing this dynamic mindset.</p>\r\nBelow is an example of a planned penetration test where the pen tester wanted to enter the network via the wireless access point. In a situation where one pen tester was working with an organization that agreed to try another path if possible, he found another way through the internet connection (plan B) to access the network externally. He could also have accessed the network by picking up a signal from the parking lot.\r\n\r\n[caption id=\"attachment_270918\" align=\"aligncenter\" width=\"556\"]<img class=\"wp-image-270918 size-full\" src=\"https://www.dummies.com/wp-content/uploads/penetration-testing-alternatives.jpg\" alt=\"pen testing alternatives\" width=\"556\" height=\"420\" /> Using a Plan B alternative[/caption]\r\n<h2 id=\"tab4\" >Think like a hacker to be a better pen tester</h2>\r\nYou need to know what hackers do. As an ethical person, it’s not easy to think like a criminal. This is where the great pen testers excel. You have to think beyond what a good guy would do . . . to what someone who has no ethics would do.\r\n\r\nYou can read about attacks that took place in the past to learn about the people who conducted the attacks. One of the earliest well-known hackers is Kevin Mitnick, who conducted hacks back in the 1990s and was arrested in 1995. 
Learning about Kevin and how he turned into a grey hat hacker over time helps you get inside the mind of those who conduct crimes and understand their motives.\r\n<h2 id=\"tab5\" >Get involved to improve as a pen tester</h2>\r\nWhether through conferences, online communities, or social outlets online or in person, spend some time networking with others in your field.\r\n\r\nTwo conferences where you can continue your education, learn specifics of pen testing from experts in the field, meet book authors, and get access to current trends and classes about current products are <a href=\"http://www.defcon.org/\">Defcon</a> and <a href=\"http://www.blackhat.com/\">Blackhat</a>. Normally, both are held in the United States, but over the years, both conferences have grown and expanded to other countries as well.\r\n\r\nBoth conference websites let you sign up for a conference and also let you view older media, papers, and research conducted over the years. Attending is also a great way to meet other experts in your field as you continue to grow within it.\r\n\r\nThere are professional organizations that cater to pen testers, schools that form groups of like-minded individuals, governance committees, and other types of groups that allow those who conduct <a href=\"https://www.dummies.com/programming/networking/the-ethical-hacking-process/\">ethical hacking</a> to join together and share ideas. There are also government agencies that you can join to share ideas and information.\r\n<p class=\"article-tips tip\">Regardless of who you join up with, a community-based approach to sharing ideas has led to some of the larger crowdsharing/crowdsourcing and other group-like successes there are today. 
Pair up and work on some projects together to share ideas and learn more about pen testing.</p>\r\n\r\n<h2 id=\"tab6\" >Use a lab for penetration testing</h2>\r\nWhether you buy and build one, rent space, lease system time from others, use online resources available to you for testing, or use <a href=\"https://www.dummies.com/programming/networking/how-to-create-a-virtual-machine/\">virtual machines</a> in a lab you build, hands-on time is crucial to your success. You need to be able to run the tools, hacks, and tests and see what is possible. It’s one of the best ways to learn how to become an elite pen tester.\r\n\r\nAlthough doing this presents many challenges, there are still ways to get hands-on training:\r\n<ul>\r\n \t<li><strong>Online test sites:</strong> Online test sites let you experiment with your penetration-testing skills.</li>\r\n \t<li><strong>A test machine: </strong>You can also set up, on one computer in your home, a virtual system of other machines (a virtual network) and test those systems from your base machine.</li>\r\n</ul>\r\nThe image below lays out a nice lab strategy you can use to start to develop a pen testing practice lab at work or at home.\r\n\r\n[caption id=\"attachment_270919\" align=\"aligncenter\" width=\"556\"]<img class=\"wp-image-270919 size-full\" src=\"https://www.dummies.com/wp-content/uploads/penetration-testing-lab.jpg\" alt=\"penetration testing lab\" width=\"556\" height=\"385\" /> Creating a viable lab[/caption]\r\n\r\nSome of the items you may want to consider in building your pen testing lab may include (but are not limited to):\r\n<ul>\r\n \t<li><strong>Server infrastructure: </strong>You can set up a server on your mock network either physically or virtually. 
Either way, make sure that you have allocated resources so that you can configure targets such as a database (which can be large), as well as multiple network connections for redundancy (cluster) or other advanced setups.</li>\r\n \t<li><strong>Network infrastructure: </strong>From the cabling to the wireless systems — the routers, switches, access points, firewalls, and everything in between — you can configure all the network components to interconnect the devices you want to set up as resources on your mock network.</li>\r\n \t<li><strong>Pen test system: </strong>The point of origin, which can be the laptop that you use as an ethical hacker to conduct the penetration testing.</li>\r\n</ul>\r\nAs you learn more and more, you can add systems and infrastructure to further build out the lab so you can conduct more tests.\r\n<h2 id=\"tab7\" >Stay informed on penetration testing</h2>\r\nJust like any other role, skill, or function, the more you know, the better off you will be. Up-to-date threat information can help you learn about the myriad attacks and patterns coming out daily. This information deepens your knowledge of what you need to be aware of as a pen tester protecting against them.\r\n<p class=\"article-tips remember\">You should also stay abreast of things going on in the pen test community. One great way to do this is by meeting up with other pen testers to swap information.</p>\r\n\r\n<h2 id=\"tab8\" >Stay ahead of new technologies to be a better pen tester</h2>\r\nTechnology is always changing. Remember when virtualization became important? Cloud? Wireless? Mobile? 
As each of these technologies emerged (and in some instances converged), it was important to stay on top of them because the minute they came to market, there seemed to be a ton of attacks that came right along with them.\r\n\r\nWhen wireless hit the market, for example, there were drive-by scanners hanging out of cars — hackers were cracking into systems in companies from the parking lot. You must keep up with new technologies, learning about them and anticipating how black hat hackers might use them.\r\n\r\nThere are countless resources available to learn about new technology. For example, if you know your primary targets are going to be Cisco, Citrix, Microsoft, VMWare, Linux (select a distribution), and EMC Storage, you may want to register on those vendors’ websites and join their mailing lists to stay ahead of updates, new patches, version updates, and so on.\r\n\r\nIf you have a contract with any of these vendors, they should be sending you information; however, anyone can contact these vendors and be added to their mailing lists so you can learn more about them. For example, if you are a large Cisco networking customer, you can gain access to RSS feeds, field notices, security advisories, bug alerts, software updates, and so much more.\r\n<h2 id=\"tab9\" >Build your reputation as a pen tester</h2>\r\nBuilding your reputation is easy. For someone (anyone) to let you into these protected networks where all their data sits, they absolutely must trust you. Trust. It’s the critical piece of the proverbial pie of your career in pen testing. Become known as someone who can’t be trusted, and it’s likely you will never work for a company that needs your assistance in thwarting crime again.\r\n\r\nThis means you cannot be a criminal! You need to make sure you act professionally and ethically. 
Build your network of peers and people who can vouch for you, and continue to act honorably and as a consummate professional.\r\n<h2 id=\"tab10\" >Learn about physical security</h2>\r\nAll the technical knowledge, skill, tools, and experience in the world can’t save you and a company from a <a href=\"https://www.dummies.com/computers/computer-networking/network-security/types-of-social-engineering-attacks/\">social engineering attack</a>. Nothing can thwart technical security faster than social engineering.\r\n\r\nCard swipes, magnetic door locks, biometric readers, cameras, physical security guards, wall hopping, and all of the other things that fall outside of the computer network where data is kept can’t stop someone from breaking and entering.\r\n\r\nAlways consider <a href=\"https://www.dummies.com/programming/networking/network-security-physical-security/\">physical security challenges</a> as a pen tester, and augment your technical vulnerability analysis and scans by checking how physical security and defense in depth stack up.\r\n\r\nUltimately, any efforts you can take to learn will help to make you a better pen tester. Learning is key.","description":"<a href=\"https://www.dummies.com/computers/macs/security/penetration-testing-for-dummies-cheat-sheet/\">Penetration testing</a> is always evolving. More complex cyberattacks require more sophisticated pen testers. Here are ten tips to help you refine your pen testing skills as you continue in your career or education.\r\n<h2 id=\"tab1\" >Continue your education to improve your pen testing skills</h2>\r\nKeep learning. Study often and do not limit the scope of your studies. You can get by in your career by learning the basics, getting the tools, and running them. However, you need to learn the finer details of information technology systems, networks, and services and how they are secured or threatened.\r\n\r\nThe ways you can continue your education are unlimited. 
However, if you are on a budget (or have only limited resources), here are a few ways you can help yourself:\r\n<ul>\r\n \t<li><strong>Use your library.</strong> To access the internet, books, publications, magazines, and other materials, use your public library system. Some libraries even hold IT classes and, in some cases, security classes.</li>\r\n \t<li><strong>Use the internet.</strong> You can find many sites to help with pen testing, learning about IT, security, and many other topics. You can gain access to tools and sites that allow you to learn how to conduct penetration testing, and to learn operating systems and other valuable programs.</li>\r\n \t<li><strong>Build a test PC.</strong> If you can gain access to a PC or laptop that you can turn into a test system, acquire it and use it. Many companies likely have an older system lying around unused that you can turn into a pen test toolkit.</li>\r\n \t<li><strong>Use virtualization.</strong> Similar to the extra PC or laptop, you can set up virtualization software that gives you access to even more systems: you can build a small virtual network within one computer and conduct pen testing on multiple systems from a single machine. The image below shows an example of a tool running within a virtualized system.\r\n\r\n[caption id=\"attachment_270917\" align=\"aligncenter\" width=\"556\"]<img class=\"wp-image-270917 size-full\" src=\"https://www.dummies.com/wp-content/uploads/penetraiton-testing-vmware-virtualization.jpg\" alt=\"VMware virtualization pen testing\" width=\"556\" height=\"466\" /> Using Kali and VMware virtualization[/caption]</li>\r\n \t<li><strong>Use freeware.</strong> Many demo tools give you full access for a period of time, or at least limited functionality, that you can use to learn with.</li>\r\n</ul>\r\n<h2 id=\"tab2\" >Build your penetration testing toolkit</h2>\r\nCarpenters and other tradespeople rely on their tools to be able to do their jobs. 
Auto mechanics, welders, and others who use tools to conduct their work can’t do great work without tools that are maintained and preserved. The same is true of IT professionals, especially those who function in the security realm as pen testers.\r\n\r\nNo matter what, consider your tools the most important thing you can maintain. Keep the following in mind as you build your toolkit:\r\n<ul>\r\n \t<li><strong>Keeping your toolkit current is one of the hardest things to do as a pen tester. </strong>You will find some tools (sometimes older tools) are more helpful in getting the results you need. Some tools are scripts that are created and maintained by each individual pen tester.</li>\r\n \t<li><strong>Some tools are expensive, and you need to license them. </strong>You also need to keep them updated. For example, any tools, software, programs, applications, and systems you use need to be patched, virus scanned, and kept up to date.</li>\r\n \t<li><strong>All software must be updated. </strong>Any software that requires signature files, digital certificates, block ciphers, or any other form of additional software needs to be updated and maintained.</li>\r\n \t<li><strong>Technology changes over time.</strong> There will be updates to the systems you use, and there will be different systems in different organizations — all this means you need to keep your toolkit current with new additions as you find you need them.</li>\r\n \t<li><strong>Make sure your computer is updated and safe. </strong>Make sure you keep the system you run all this on current as well. Nothing is worse than the embarrassment of getting your own system hacked as a pen tester. Keep your own stuff pristine, secure, and tested.</li>\r\n</ul>\r\n<h2 id=\"tab3\" >Think outside the box to be a better pen tester</h2>\r\nNever get comfortable with the same vectors, tools, patterns, and attacks. Always consider another option — the plan B. 
You have to constantly think outside the box to stay ahead of those who commit crimes.\r\n<p class=\"article-tips tip\">Think of hackers and attacks as running water: it will find a way. You, too, need to think like running water and consider, anticipate, and get ahead of different types of attacks and attack vectors by developing this dynamic mindset.</p>\r\nBelow is an example of a planned penetration test where the pen tester wanted to enter the network via the wireless access point. In a situation where one pen tester was working with an organization that agreed to let him try another path if possible, he found another way through the internet connection (plan B) to access the network externally. He could also have accessed the network by picking up a signal from the parking lot.\r\n\r\n[caption id=\"attachment_270918\" align=\"aligncenter\" width=\"556\"]<img class=\"wp-image-270918 size-full\" src=\"https://www.dummies.com/wp-content/uploads/penetration-testing-alternatives.jpg\" alt=\"pen testing alternatives\" width=\"556\" height=\"420\" /> Using a Plan B alternative[/caption]\r\n<h2 id=\"tab4\" >Think like a hacker to be a better pen tester</h2>\r\nYou need to know what hackers do. As an ethical person, it’s not easy to think like a criminal. This is where the great pen testers excel. You have to think beyond what a good guy would do . . . to what someone who has no ethics would do.\r\n\r\nYou can read about attacks that took place in the past to learn about the people who conducted them. One of the earliest well-known hackers is Kevin Mitnick, who conducted hacks back in the 1990s and was arrested in 1995. 
Learning about Kevin and how he turned into a grey hat hacker over time helps you get inside the minds of those who commit crimes and understand their motives.\r\n<h2 id=\"tab5\" >Get involved to improve as a pen tester</h2>\r\nWhether through conferences, online communities, or social outlets online or in person, spend some time networking with others in your field.\r\n\r\nTwo conferences where you can continue your education, learn specifics of pen testing from experts in the field, meet book authors, and get access to current trends and classes about current products are <a href=\"http://www.defcon.org/\">DEF CON</a> and <a href=\"http://www.blackhat.com/\">Black Hat</a>. Normally, both are held in the United States, but over the years, both conferences have grown and expanded to other countries as well.\r\n\r\nBoth conference websites let you sign up for the conference, and they also let you view older media, papers, and research conducted over the years. Attending is also a great way to meet other experts in your field as you continue to grow within it.\r\n\r\nThere are professional organizations that cater to pen testers, schools that form groups of like-minded individuals, governance committees, and other types of groups that allow those who conduct <a href=\"https://www.dummies.com/programming/networking/the-ethical-hacking-process/\">ethical hacking</a> to join together and share ideas. There are also government agencies that you can join to share ideas and information.\r\n<p class=\"article-tips tip\">Regardless of who you join up with, a community-based approach to sharing ideas has led to some of the larger crowdsourcing and other group successes there are today. 
Pair up and work on some projects together to share ideas and learn more about pen testing.</p>\r\n\r\n<h2 id=\"tab6\" >Use a lab for penetration testing</h2>\r\nWhether you buy and build one, rent space, lease system time from others, use online resources available to you for testing, or use <a href=\"https://www.dummies.com/programming/networking/how-to-create-a-virtual-machine/\">virtual machines</a> in a lab you build, hands-on time is crucial to your success. You need to be able to run the tools, hacks, and tests, and see what is possible. It’s one of the best ways to learn how to become an elite pen tester.\r\n\r\nEven though there are many challenges to doing this, there are still ways to get hands-on training:\r\n<ul>\r\n \t<li><strong>Online test sites:</strong> Online test sites let you experiment with your penetration-testing skills.</li>\r\n \t<li><strong>A test machine: </strong>You can also set up, on one computer in your home, a virtual system of other machines (a virtual network) and test those systems from your base machine.</li>\r\n</ul>\r\nThe image below lays out a nice lab strategy you can use to start developing a pen testing practice lab at work or at home.\r\n\r\n[caption id=\"attachment_270919\" align=\"aligncenter\" width=\"556\"]<img class=\"wp-image-270919 size-full\" src=\"https://www.dummies.com/wp-content/uploads/penetration-testing-lab.jpg\" alt=\"penetration testing lab\" width=\"556\" height=\"385\" /> Creating a viable lab[/caption]\r\n\r\nSome of the items you may want to consider in building your pen testing lab include (but are not limited to):\r\n<ul>\r\n \t<li><strong>Server infrastructure: </strong>You can set up either a physical server on your mock network or a virtual one. 
Either way, make sure that you have allocated resources so that you can configure targets such as a database (which can be large), as well as multiple network connections for redundancy (cluster) or other advanced setups.</li>\r\n \t<li><strong>Network infrastructure: </strong>From the cabling to the wireless systems — the routers, switches, access points, firewalls, and everything in between — you can configure all the network components to interconnect the devices you want to set up as resources on your mock network.</li>\r\n \t<li><strong>Pen test system: </strong>The point of origin, which can be the laptop that you use as an ethical hacker to conduct the penetration testing.</li>\r\n</ul>\r\nAs you learn more and more, you can add systems and infrastructure to further build out the lab so you can conduct more tests.\r\n<h2 id=\"tab7\" >Stay informed on penetration testing</h2>\r\nJust like any other role, skill, or function, the more you know, the better off you will be. Up-to-date threat information can help you learn about the myriad attacks and patterns coming out daily. This information deepens your knowledge of what you need to be aware of as a pen tester protecting against them.\r\n<p class=\"article-tips remember\">You should also stay abreast of things going on in the pen test community. One great way to do this is by meeting up with other pen testers to swap information.</p>\r\n\r\n<h2 id=\"tab8\" >Stay ahead of new technologies to be a better pen tester</h2>\r\nTechnology is always changing. Remember when virtualization became important? Cloud? Wireless? Mobile? 
As each of these technologies emerged (and in some instances converged), it was important to stay on top of them because the minute they came to market, there seemed to be a ton of attacks that came right along with them.\r\n\r\nWhen wireless hit the market, for example, there were drive-by scanners hanging out of cars — hackers were cracking into systems in companies from the parking lot. You must keep up with new technologies, learn about them, and anticipate how black hat hackers might use them.\r\n\r\nThere are countless resources available for learning about new technology. For example, if you know your primary targets are going to be Cisco, Citrix, Microsoft, VMWare, Linux (select a distribution), and EMC Storage, you may want to sign up on those vendors’ websites and mailing lists to stay ahead of updates, new patches, version updates, and so on.\r\n\r\nIf you have a contract with any of these vendors, they should be sending you information; however, anyone can contact these vendors and be added to their mailing lists so you can learn more about them. For example, if you are a large Cisco networking customer, you can gain access to RSS feeds, field notices, security advisories, bug alerts, software updates, and so much more.\r\n<h2 id=\"tab9\" >Build your reputation as a pen tester</h2>\r\nBuilding your reputation is easy. For someone (anyone) to let you into these protected networks where all their data sits, they absolutely must trust you. Trust. It’s the critical piece of the proverbial pie of your career in pen testing. Become known as someone who can’t be trusted, and it’s likely you will never work for a company that needs your assistance in thwarting crime again.\r\n\r\nThis means you cannot be a criminal! You need to make sure you act professionally and ethically. 
Build your network of peers and people who can vouch for you, and continue to act honorably and as a consummate professional.\r\n<h2 id=\"tab10\" >Learn about physical security</h2>\r\nAll the technical knowledge, skill, tools, and experience in the world can’t save you and a company from a <a href=\"https://www.dummies.com/computers/computer-networking/network-security/types-of-social-engineering-attacks/\">social engineering attack</a>. Nothing can thwart technical security faster than social engineering.\r\n\r\nCard swipes, magnetic door locks, biometric readers, cameras, physical security guards, wall hopping, and all of the other things that fall outside of the computer network where data is kept can’t stop someone from breaking and entering.\r\n\r\nAlways consider <a href=\"https://www.dummies.com/programming/networking/network-security-physical-security/\">physical security challenges</a> as a pen tester, and augment your technical vulnerability analysis and scans by checking how physical security and defense in depth stack up.\r\n\r\nUltimately, any efforts you can take to learn will help to make you a better pen tester. Learning is key.","blurb":"","authors":[{"authorId":33354,"name":"Robert Shimonski","slug":"robert-shimonski","description":"Robert Shimonski is an ethical hacker and a professional IT leader who has led numerous efforts to design, strategize, and implement enterprise solutions that must remain secure. Rob has been involved in security and technology operations for more than 25 years and has written his books from the trenches of experience. 
","_links":{"self":"https://dummies-api.dummies.com/v2/authors/33354"}}],"primaryCategoryTaxonomy":{"categoryId":33537,"title":"Cybersecurity","slug":"cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"}},"secondaryCategoryTaxonomy":{"categoryId":0,"title":null,"slug":null,"_links":null},"tertiaryCategoryTaxonomy":{"categoryId":0,"title":null,"slug":null,"_links":null},"trendingArticles":null,"inThisArticle":[{"label":"Continue your education to improve your pen testing skills","target":"#tab1"},{"label":"Build your penetration testing toolkit","target":"#tab2"},{"label":"Think outside the box to be a better pen tester","target":"#tab3"},{"label":"Think like a hacker to be a better pen tester","target":"#tab4"},{"label":"Get involved to improve as a pen tester","target":"#tab5"},{"label":"Use a lab for penetration testing","target":"#tab6"},{"label":"Stay informed on penetration testing","target":"#tab7"},{"label":"Stay ahead of new technologies to be a better pen tester","target":"#tab8"},{"label":"Build your reputation as a pen tester","target":"#tab9"},{"label":"Learn about physical security","target":"#tab10"}],"relatedArticles":{"fromBook":[{"articleId":270968,"title":"How to Perform a Penetration Test","slug":"how-to-perform-a-penetration-test","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270968"}},{"articleId":270960,"title":"Penetration Testing with Burp Suite and Wireshark to Uncover Vulnerabilities","slug":"penetration-testing-with-burp-suite-and-wireshark-to-uncover-vulnerabilities","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270960"}},{"articleId":270942,"title":"Building a Penetration Testing Toolkit: Considerations and Popular Pen Test 
Tools","slug":"building-a-penetration-testing-toolkit-considerations-and-popular-pen-test-tools","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270942"}},{"articleId":270933,"title":"How to Structure a Pen Test Report","slug":"how-to-structure-a-pen-test-report","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270933"}},{"articleId":270923,"title":"Top 10 Myths About Pen Testing","slug":"top-10-myths-about-pen-testing","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270923"}}],"fromCategory":[{"articleId":290240,"title":"Cloud Security For Dummies Cheat Sheet","slug":"cloud-security-for-dummies-cheat-sheet","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/290240"}},{"articleId":270968,"title":"How to Perform a Penetration Test","slug":"how-to-perform-a-penetration-test","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270968"}},{"articleId":270960,"title":"Penetration Testing with Burp Suite and Wireshark to Uncover Vulnerabilities","slug":"penetration-testing-with-burp-suite-and-wireshark-to-uncover-vulnerabilities","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270960"}},{"articleId":270942,"title":"Building a Penetration Testing Toolkit: Considerations and Popular Pen Test Tools","slug":"building-a-penetration-testing-toolkit-considerations-and-popular-pen-test-tools","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270942"}},{"articleId":270933,"title":"How to Structure a Pen Test 
Report","slug":"how-to-structure-a-pen-test-report","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270933"}}]},"hasRelatedBookFromSearch":false,"relatedBook":{"bookId":281813,"slug":"penetration-testing-for-dummies","isbn":"9781119577485","categoryList":["technology","cybersecurity"],"amazon":{"default":"https://www.amazon.com/gp/product/1119577489/ref=as_li_tl?ie=UTF8&tag=wiley01-20","ca":"https://www.amazon.ca/gp/product/1119577489/ref=as_li_tl?ie=UTF8&tag=wiley01-20","indigo_ca":"http://www.tkqlhce.com/click-9208661-13710633?url=https://www.chapters.indigo.ca/en-ca/books/product/1119577489-item.html&cjsku=978111945484","gb":"https://www.amazon.co.uk/gp/product/1119577489/ref=as_li_tl?ie=UTF8&tag=wiley01-20","de":"https://www.amazon.de/gp/product/1119577489/ref=as_li_tl?ie=UTF8&tag=wiley01-20"},"image":{"src":"https://www.dummies.com/wp-content/uploads/penetration-testing-for-dummies-cover-9781119577485-203x255.jpg","width":203,"height":255},"title":"Penetration Testing For Dummies","testBankPinActivationLink":"","bookOutOfPrint":true,"authorsInfo":"\n <p><b data-author-id=\"33354\">Robert Shimonski</b> is an ethical hacker and a professional IT leader who has led numerous efforts to design, strategize, and implement enterprise solutions that must remain secure. Rob has been involved in security and technology operations for more than 25 years and has written his books from the trenches of experience.</p>","authors":[{"authorId":33354,"name":"Robert Shimonski","slug":"robert-shimonski","description":"Robert Shimonski is an ethical hacker and a professional IT leader who has led numerous efforts to design, strategize, and implement enterprise solutions that must remain secure. Rob has been involved in security and technology operations for more than 25 years and has written his books from the trenches of experience. 
","_links":{"self":"https://dummies-api.dummies.com/v2/authors/33354"}}],"_links":{"self":"https://dummies-api.dummies.com/v2/books/"}},"collections":[],"articleAds":{"footerAd":"<div class=\"du-ad-region row\" id=\"article_page_adhesion_ad\"><div class=\"du-ad-unit col-md-12\" data-slot-id=\"article_page_adhesion_ad\" data-refreshed=\"false\" \r\n data-target = \"[{&quot;key&quot;:&quot;cat&quot;,&quot;values&quot;:[&quot;technology&quot;,&quot;cybersecurity&quot;]},{&quot;key&quot;:&quot;isbn&quot;,&quot;values&quot;:[&quot;9781119577485&quot;]}]\" id=\"du-slot-6217bb49c3c2b\"></div></div>","rightAd":"<div class=\"du-ad-region row\" id=\"article_page_right_ad\"><div class=\"du-ad-unit col-md-12\" data-slot-id=\"article_page_right_ad\" data-refreshed=\"false\" \r\n data-target = \"[{&quot;key&quot;:&quot;cat&quot;,&quot;values&quot;:[&quot;technology&quot;,&quot;cybersecurity&quot;]},{&quot;key&quot;:&quot;isbn&quot;,&quot;values&quot;:[&quot;9781119577485&quot;]}]\" id=\"du-slot-6217bb49c4631\"></div></div>"},"articleType":{"articleType":"Articles","articleList":null,"content":null,"videoInfo":{"videoId":null,"name":null,"accountId":null,"playerId":null,"thumbnailUrl":null,"description":null,"uploadDate":null}},"sponsorship":{"sponsorshipPage":false,"backgroundImage":{"src":null,"width":0,"height":0},"brandingLine":"","brandingLink":"","brandingLogo":{"src":null,"width":0,"height":0}},"primaryLearningPath":"Advance","lifeExpectancy":"One 
year","lifeExpectancySetFrom":"2021-07-20T00:00:00+00:00","dummiesForKids":"no","sponsoredContent":"no","adInfo":"","adPairKey":[]},"status":"publish","visibility":"public","articleId":270916},{"headers":{"creationTime":"2020-05-23T13:51:47+00:00","modifiedTime":"2021-12-29T20:11:38+00:00","timestamp":"2022-02-24T17:07:21+00:00"},"data":{"breadcrumbs":[{"name":"Technology","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33512"},"slug":"technology","categoryId":33512},{"name":"Cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"},"slug":"cybersecurity","categoryId":33537}],"title":"10 Sites for Learning More about Penetration Testing","strippedTitle":"10 sites for learning more about penetration testing","slug":"10-sites-to-learn-more-about-penetration-testing","canonicalUrl":"","seo":{"metaDescription":"Cybersecurity is a constantly evolving topic. To make sure you're staying ahead of the curve, check out these ten sites to learn more about pen testing.","noIndex":0,"noFollow":0},"content":"As an IT professional, it doesn’t matter how much you know about <a href=\"https://www.dummies.com/computers/macs/security/penetration-testing-for-dummies-cheat-sheet/\" target=\"_blank\" rel=\"noopener\">penetration testing</a> today — there is always more to learn! What you know today could become outdated as technology evolves and morphs into new innovations. With that said, here is a list of penetration testing websites and resources that will be extremely helpful to you as a security professional.\r\n<p class=\"article-tips warning\">If any of these websites is no longer accessible, do your own online searches for keywords such as pen testing, penetration testing, and security hacking. Also make sure to fact-check any data not coming from a reputable site. 
The sites listed here are generally reputable, but you should still research things before you implement them.</p>\r\n<p class=\"article-tips tip\">One of the best sources of information you can use for your studies is the help files of your software. If you use the knowledge bases that come with the tool and those online at the vendor’s website, you will learn how to use the tools better and reinforce some of the topics you learn about penetration testing along the way.</p>\r\n\r\n<h2 id=\"tab1\" >SANS Institute</h2>\r\n<a href=\"https://www.sans.org/\" target=\"_blank\" rel=\"noopener\">SANS.org</a> is the home of the SANS Institute, and since 1989 the site has been filled with a large amount of useful security information that is freely accessible to all. This online resource is easily searchable from the home page and contains many resources a pen tester can use, including the SANS Information Security Reading Room, which hosts approximately 3,000 original research papers in 110 important categories of security.\r\n\r\nYou can sign up for weekly bulletins, alerts, newsletters, risk alerts, and other email items that can keep you abreast of threats. 
You can also access the <a href=\"https://isc.sans.edu\" target=\"_blank\" rel=\"noopener\">Internet Storm Center</a>, which is an early warning system for threats.\r\n\r\nThere are many other resources available, such as templates, vendor product information, information on open and closed source software, and so much more.\r\n\r\nAnother point of interest on the SANS website is the connection to their <a href=\"https://pen-testing.sans.org/\" target=\"_blank\" rel=\"noopener\">focus area on pen testing</a>.\r\n\r\n[caption id=\"attachment_270903\" align=\"aligncenter\" width=\"556\"]<img class=\"wp-image-270903 size-full\" src=\"https://www.dummies.com/wp-content/uploads/penetration-testing-sans.org_.jpg\" alt=\"pen testing SANS.org\" width=\"556\" height=\"307\" /> SANS.org[/caption]\r\n<p class=\"article-tips tip\">If you’re looking to make pen testing a career, being connected to this community and digging deep into their online resources can add real value to your education and knowledge.</p>\r\n\r\n<h2 id=\"tab2\" >GIAC certifications</h2>\r\nAnother point of interest on the SANS website is the connection to the certification arm of SANS, which is called <a href=\"https://www.giac.org/\" target=\"_blank\" rel=\"noopener\">Global Information Assurance Certification</a> (GIAC). It's focused on different areas of security, such as incident response and handling, forensics, and of course pen testing. When you’re ready, you can obtain the <a href=\"https://www.giac.org/certifications/pen-testing\" target=\"_blank\" rel=\"noopener\">GIAC Penetration Tester certification</a> (GPEN).\r\n\r\nAside from offering an industry standard exam that tests your ability to conduct a pen test, the GIAC website also has a wealth of information about pen testing. You’ll need to pay for the exam and the study materials that come with it. 
Other exams are available, such as CompTIA’s PenTest+, but the benefit of getting GPEN certified is that you get to connect to a community of expert pen testers in addition to becoming certified and educated.\r\n\r\n[caption id=\"attachment_270904\" align=\"aligncenter\" width=\"556\"]<img class=\"wp-image-270904 size-full\" src=\"https://www.dummies.com/wp-content/uploads/penetration-testing-giac-certification.jpg\" alt=\"GIAC GPEN certification\" width=\"556\" height=\"307\" /> The GIAC GPEN certification[/caption]\r\n<h2 id=\"tab3\" >Software Engineering Institute</h2>\r\nCarnegie Mellon University (CMU) has long been a source of amazing security information. You’ll find information about risk assessments, pen testing, forensics, and security-based incident handling. The CMU site has a <a href=\"https://www.sei.cmu.edu/about/divisions/cert/\" target=\"_blank\" rel=\"noopener\">CERT</a> landing page that hosts publications and other scholarly works about cybersecurity.\r\n\r\nCERT partners with industry experts (from areas such as the technology industry, law, government, and academia) to provide advanced studies and research on relevant topics.\r\n<h2 id=\"tab4\" >Legal penetration sites</h2>\r\nLegal penetration sites are hosted by various groups that provide a realistic way for ethical hackers to learn real hacking skills on networks and systems that have been left in a semi-hardened state. 
If you run a search on Google for “legal penetration sites,” you will pull up reputable sources for finding these sites.\r\n\r\n<a href=\"https://www.cisco.com\" target=\"_blank\" rel=\"noopener\">Cisco</a> has information in their help forums, as do security magazines (another great resource) and other sites that host these penetration test hubs where you can hone your skills.\r\n<p class=\"article-tips tip\">If you can’t afford to set up your own lab environment for testing purposes, then seeking outside resources such as these can really help develop your skills.</p>\r\n\r\n<h2 id=\"tab5\" >Open Web Application Security Project</h2>\r\nThe <a href=\"https://www.owasp.org/index.php/Category:Vulnerability\" target=\"_blank\" rel=\"noopener\">Open Web Application Security Project</a> (OWASP) was established in 2001 and is currently a not-for-profit organization that works on the foundation of group collaboration. OWASP is an open source group with no affiliation of any kind. Their focus is on web application hacking and the security of applications, software, web apps, and programs.\r\n\r\nThe frameworks, information, and resources provided help guide a pen tester through areas of application risk and vulnerability, such as API hacking.\r\n\r\nThis site can really help you better understand more in-depth details about <a href=\"https://owasp.org/www-community/vulnerabilities/\" target=\"_blank\" rel=\"noopener\">programming and software hacking</a>, and what you should look for when you penetrate and exploit these systems as an ethical hacker. 
The following image shows the top ten application security risks at any given time.\r\n\r\n[caption id=\"attachment_270906\" align=\"aligncenter\" width=\"556\"]<img class=\"wp-image-270906 size-full\" src=\"https://www.dummies.com/wp-content/uploads/penetration-testing-owasp.jpg\" alt=\"OWASP pen testing\" width=\"556\" height=\"303\" /> The top ten application risks on the Open Web Application Security Project[/caption]\r\n<h2 id=\"tab6\" >Tenable</h2>\r\n<a href=\"https://www.tenable.com/\" target=\"_blank\" rel=\"noopener\">Tenable</a> makes Nessus, and you can visit the website for more information on vulnerability scanning, pen testing, and risk assessments. One of the greatest things you can find on the Tenable website is a series of tools and information primarily focused on pen testing. Their research papers contain details on how to become a better pen tester.\r\n\r\nThe image below shows the <a href=\"https://www.tenable.com/research\" target=\"_blank\" rel=\"noopener\">Tenable</a> website, where you can download Nessus for trial use or purchase a license for permanent use.\r\n\r\n[caption id=\"attachment_270910\" align=\"aligncenter\" width=\"556\"]<img class=\"wp-image-270910 size-full\" src=\"https://www.dummies.com/wp-content/uploads/penetration-testing-download-nessus.jpg\" alt=\"download Nessus for pen testing\" width=\"556\" height=\"332\" /> Downloading Nessus[/caption]\r\n<h2 id=\"tab7\" >Nmap</h2>\r\n<a href=\"https://nmap.org/\" target=\"_blank\" rel=\"noopener\">Nmap</a> is undeniably one of the hottest and most-used tools for pen testing outside of Nessus and <a href=\"https://www.dummies.com/computers/macs/security/how-to-use-metasploit-framework-and-pro-to-perform-a-penetration-test/\">Metasploit</a>. Included in Kali, Nmap is a tool that can really do it all. 
On the website you will find advanced usage of the tool to include subverting firewalls, spoofing scans, getting around IDS, automation and scripting of the tool, and so much more.\r\n<h2 id=\"tab8\" >Wireshark</h2>\r\n<a href=\"https://www.wireshark.org/\" target=\"_blank\" rel=\"noopener\">Wireshark</a> is one of the de facto tools in your toolkit and a primary source of information for troubleshooting networks, information gathering, or pen testing.\r\n\r\nWithin the main website you will find tons of detailed information on how to use this tool. As well, the <a href=\"https://www.wireshark.org/#learnWS\" target=\"_blank\" rel=\"noopener\">forums</a> where engineers talk about issues and things they find are loaded with literally thousands of pieces of valuable information that will help you learn more about networking, TCP/IP, the Internet, and how packets and frames traverse a network.\r\n<p class=\"article-tips tip\">Need to learn more about ports, channels, communication, sockets, protocols, packets, headers, and so on? This is the site you need to go to learn more about these details.</p>\r\n\r\n<h2 id=\"tab9\" >Dark Reading</h2>\r\nIn today’s pen testing world, one of the go-to sites for security professionals is <a href=\"https://www.darkreading.com/\" target=\"_blank\" rel=\"noopener\">Dark Reading</a>. 
Dark Reading helps provide information not only on old but breaking news stories geared towards an online community of security gurus and professionals looking for more information about topics like pen testing.\r\n\r\nYou’ll find newsletters and feeds and the sections on Attacks and Breaches can help you emulate scenarios in your pen testing, stay on top of trends, and conduct ethical hacks to test your security posture.\r\n<h2 id=\"tab10\" >Offensive Security</h2>\r\nFrom the distributors of Kali, <a href=\"https://www.offensive-security.com/\" target=\"_blank\" rel=\"noopener\">Offensive Security</a> is a company that specializes in doing penetration testing. Offensive Security offers penetration testing services as a service, and they provide a certification as well.\r\n\r\nOn this site, you can learn more about pen testing from the experts who do it day in and day out. You’ll find sample checklists, tools, reports, and a lot of the things you might want to emulate in your own pen tests.\r\n\r\n[caption id=\"attachment_270911\" align=\"aligncenter\" width=\"556\"]<img class=\"wp-image-270911 size-full\" src=\"https://www.dummies.com/wp-content/uploads/penetration-testing-kali.jpg\" alt=\"pen testing Kali\" width=\"556\" height=\"276\" /> Gain access to Kali.[/caption]","description":"As an IT professional, it doesn’t matter how much you know about <a href=\"https://www.dummies.com/computers/macs/security/penetration-testing-for-dummies-cheat-sheet/\" target=\"_blank\" rel=\"noopener\">penetration testing</a> today — there is always more to learn! What you know today could become outdated as technology evolves and morphs into new innovations. 
With that said, here is a list of penetration testing websites and resources that will be extremely helpful to you as a security professional.\r\n<p class=\"article-tips warning\">If any of the websites are no longer accessible at any time, do your own online searches for keywords such as pen testing, penetration testing, and security hacking. Also make sure to fact-check any data not coming from a reputable site. The sites listed here are generally reputable, but you should still consider researching things before you implement them regardless.</p>\r\n<p class=\"article-tips tip\">One of the best sources of information you can use for your studies is in the help files of your software. If you use the knowledge bases that come with the tool and online at the vendor’s website, you will learn how to better use the tools and help to reinforce some of the topics you learn about penetration testing along the way.</p>\r\n\r\n<h2 id=\"tab1\" >SANS Institute</h2>\r\n<a href=\"https://www.sans.org/\" target=\"_blank\" rel=\"noopener\">SANS.org</a> leads to the SANS Institute, whose site since 1989 has been filled with a large amount of useful security information that is freely accessible to all. This online resource is easily searchable from the home page and contains many resources a pen tester can use, including the SANS Information Security Reading Room that hosts approximately 3,000 original research papers in 110 important categories of security.\r\n\r\nYou can sign up for weekly bulletins, alerts, newsletters, risk alerts, and other email items that can keep you abreast of threats. 
You can also access the <a href=\"https://isc.sans.edu\" target=\"_blank\" rel=\"noopener\">Internet Storm Center</a>, which is an early warning system for threats.\r\n\r\nThere are many other resources available such as templates, vendor product information, information on open and closed source software, and so much more.\r\n\r\nAnother point of interest on the SANS website is the connection to their <a href=\"https://pen-testing.sans.org/\" target=\"_blank\" rel=\"noopener\">focused areas on pen testing</a>.\r\n\r\n[caption id=\"attachment_270903\" align=\"aligncenter\" width=\"556\"]<img class=\"wp-image-270903 size-full\" src=\"https://www.dummies.com/wp-content/uploads/penetration-testing-sans.org_.jpg\" alt=\"pen testing SANS.org\" width=\"556\" height=\"307\" /> SANS.org[/caption]\r\n<p class=\"article-tips tip\">If you’re looking to make pen testing a career, being connected to this community and digging deep into their online resources can add real value to your education and knowledge.</p>\r\n\r\n<h2 id=\"tab2\" >GIAC certifications</h2>\r\nAnother point of interest on the SANS website is the connection to the certification arm of SANS, which is called <a href=\"https://www.giac.org/\" target=\"_blank\" rel=\"noopener\">Global Information Assurance Certification</a> (GIAC). It's focused on different areas of security, such as incident response and handling, forensics, and of course pen testing. When you’re ready, you can obtain the <a href=\"https://www.giac.org/certifications/pen-testing\" target=\"_blank\" rel=\"noopener\">GIAC Penetration Tester certification</a> (GPEN).\r\n\r\nAside from being an industry-standard exam that tests your ability to conduct a pen test, the GIAC website also has a wealth of information about pen testing. You’ll need to pay for the exam and the study materials that come with it. 
There are other tests available such as CompTIA’s Pentest+ and others, but the benefit to getting GPEN certified is that you get to connect to a community of expert pen testers as well as getting certified and educated.\r\n\r\n[caption id=\"attachment_270904\" align=\"aligncenter\" width=\"556\"]<img class=\"wp-image-270904 size-full\" src=\"https://www.dummies.com/wp-content/uploads/penetration-testing-giac-certification.jpg\" alt=\"GIAC GPEN certification\" width=\"556\" height=\"307\" /> The GIAC GPEN certification[/caption]\r\n<h2 id=\"tab3\" >Software Engineering Institute</h2>\r\nCarnegie Mellon University (CMU) has long been a source of amazing security information. You’ll find information about risk assessments, pen testing, forensics, and security-based incident handling. The CMU site has a <a href=\"https://www.sei.cmu.edu/about/divisions/cert/\" target=\"_blank\" rel=\"noopener\">CERT</a> landing page that hosts publications and other scholarly works about cybersecurity:\r\n\r\nCERT partners with industry experts (from areas such as technology industry, law, government, and academia) to provide advanced studies and research on relevant topics.\r\n<h2 id=\"tab4\" >Legal penetration sites</h2>\r\nLegal penetration sites are variously hosted by groups that provide a realistic way for ethical hackers to learn real hacking skills on networks and systems that have been left in a semi-hardened state. 
","blurb":"","authors":[{"authorId":33354,"name":"Robert Shimonski","slug":"robert-shimonski","description":"Robert Shimonski is an ethical hacker and a professional IT leader who has led numerous efforts to design, strategize, and implement enterprise solutions that must remain secure. Rob has been involved in security and technology operations for more than 25 years and has written his books from the trenches of experience. 
","_links":{"self":"https://dummies-api.dummies.com/v2/authors/33354"}}],"primaryCategoryTaxonomy":{"categoryId":33537,"title":"Cybersecurity","slug":"cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"}},"secondaryCategoryTaxonomy":{"categoryId":0,"title":null,"slug":null,"_links":null},"tertiaryCategoryTaxonomy":{"categoryId":0,"title":null,"slug":null,"_links":null},"trendingArticles":null,"inThisArticle":[{"label":"SANS Institute","target":"#tab1"},{"label":"GIAC certifications","target":"#tab2"},{"label":"Software Engineering Institute","target":"#tab3"},{"label":"Legal penetration sites","target":"#tab4"},{"label":"Open Web Application Security Project","target":"#tab5"},{"label":"Tenable","target":"#tab6"},{"label":"Nmap","target":"#tab7"},{"label":"Wireshark","target":"#tab8"},{"label":"Dark Reading","target":"#tab9"},{"label":"Offensive Security","target":"#tab10"}],"relatedArticles":{"fromBook":[{"articleId":270968,"title":"How to Perform a Penetration Test","slug":"how-to-perform-a-penetration-test","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270968"}},{"articleId":270960,"title":"Penetration Testing with Burp Suite and Wireshark to Uncover Vulnerabilities","slug":"penetration-testing-with-burp-suite-and-wireshark-to-uncover-vulnerabilities","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270960"}},{"articleId":270942,"title":"Building a Penetration Testing Toolkit: Considerations and Popular Pen Test Tools","slug":"building-a-penetration-testing-toolkit-considerations-and-popular-pen-test-tools","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270942"}},{"articleId":270933,"title":"How to Structure a Pen Test 
Report","slug":"how-to-structure-a-pen-test-report","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270933"}},{"articleId":270923,"title":"Top 10 Myths About Pen Testing","slug":"top-10-myths-about-pen-testing","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270923"}}],"fromCategory":[{"articleId":290240,"title":"Cloud Security For Dummies Cheat Sheet","slug":"cloud-security-for-dummies-cheat-sheet","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/290240"}},{"articleId":270968,"title":"How to Perform a Penetration Test","slug":"how-to-perform-a-penetration-test","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270968"}},{"articleId":270960,"title":"Penetration Testing with Burp Suite and Wireshark to Uncover Vulnerabilities","slug":"penetration-testing-with-burp-suite-and-wireshark-to-uncover-vulnerabilities","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270960"}},{"articleId":270942,"title":"Building a Penetration Testing Toolkit: Considerations and Popular Pen Test Tools","slug":"building-a-penetration-testing-toolkit-considerations-and-popular-pen-test-tools","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270942"}},{"articleId":270933,"title":"How to Structure a Pen Test 
Report","slug":"how-to-structure-a-pen-test-report","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270933"}}]},"hasRelatedBookFromSearch":false,"relatedBook":{"bookId":281813,"slug":"penetration-testing-for-dummies","isbn":"9781119577485","categoryList":["technology","cybersecurity"],"amazon":{"default":"https://www.amazon.com/gp/product/1119577489/ref=as_li_tl?ie=UTF8&tag=wiley01-20","ca":"https://www.amazon.ca/gp/product/1119577489/ref=as_li_tl?ie=UTF8&tag=wiley01-20","indigo_ca":"http://www.tkqlhce.com/click-9208661-13710633?url=https://www.chapters.indigo.ca/en-ca/books/product/1119577489-item.html&cjsku=978111945484","gb":"https://www.amazon.co.uk/gp/product/1119577489/ref=as_li_tl?ie=UTF8&tag=wiley01-20","de":"https://www.amazon.de/gp/product/1119577489/ref=as_li_tl?ie=UTF8&tag=wiley01-20"},"image":{"src":"https://www.dummies.com/wp-content/uploads/penetration-testing-for-dummies-cover-9781119577485-203x255.jpg","width":203,"height":255},"title":"Penetration Testing For Dummies","testBankPinActivationLink":"","bookOutOfPrint":true,"authorsInfo":"\n <p><b data-author-id=\"33354\">Robert Shimonski</b> is an ethical hacker and a professional IT leader who has led numerous efforts to design, strategize, and implement enterprise solutions that must remain secure. Rob has been involved in security and technology operations for more than 25 years and has written his books from the trenches of experience.</p>","authors":[{"authorId":33354,"name":"Robert Shimonski","slug":"robert-shimonski","description":"Robert Shimonski is an ethical hacker and a professional IT leader who has led numerous efforts to design, strategize, and implement enterprise solutions that must remain secure. Rob has been involved in security and technology operations for more than 25 years and has written his books from the trenches of experience. 
","_links":{"self":"https://dummies-api.dummies.com/v2/authors/33354"}}],"_links":{"self":"https://dummies-api.dummies.com/v2/books/"}},"collections":[],"articleAds":{"footerAd":"<div class=\"du-ad-region row\" id=\"article_page_adhesion_ad\"><div class=\"du-ad-unit col-md-12\" data-slot-id=\"article_page_adhesion_ad\" data-refreshed=\"false\" \r\n data-target = \"[{&quot;key&quot;:&quot;cat&quot;,&quot;values&quot;:[&quot;technology&quot;,&quot;cybersecurity&quot;]},{&quot;key&quot;:&quot;isbn&quot;,&quot;values&quot;:[&quot;9781119577485&quot;]}]\" id=\"du-slot-6217bb49bbf0d\"></div></div>","rightAd":"<div class=\"du-ad-region row\" id=\"article_page_right_ad\"><div class=\"du-ad-unit col-md-12\" data-slot-id=\"article_page_right_ad\" data-refreshed=\"false\" \r\n data-target = \"[{&quot;key&quot;:&quot;cat&quot;,&quot;values&quot;:[&quot;technology&quot;,&quot;cybersecurity&quot;]},{&quot;key&quot;:&quot;isbn&quot;,&quot;values&quot;:[&quot;9781119577485&quot;]}]\" id=\"du-slot-6217bb49bc899\"></div></div>"},"articleType":{"articleType":"Articles","articleList":null,"content":null,"videoInfo":{"videoId":null,"name":null,"accountId":null,"playerId":null,"thumbnailUrl":null,"description":null,"uploadDate":null}},"sponsorship":{"sponsorshipPage":false,"backgroundImage":{"src":null,"width":0,"height":0},"brandingLine":"","brandingLink":"","brandingLogo":{"src":null,"width":0,"height":0}},"primaryLearningPath":"Advance","lifeExpectancy":"One 
year","lifeExpectancySetFrom":"2021-07-20T00:00:00+00:00","dummiesForKids":"no","sponsoredContent":"no","adInfo":"","adPairKey":[]},"status":"publish","visibility":"public","articleId":270902},{"headers":{"creationTime":"2020-05-19T19:21:53+00:00","modifiedTime":"2021-12-17T20:01:46+00:00","timestamp":"2022-02-24T17:07:18+00:00"},"data":{"breadcrumbs":[{"name":"Technology","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33512"},"slug":"technology","categoryId":33512},{"name":"Cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"},"slug":"cybersecurity","categoryId":33537}],"title":"What You Need to Know to be a Penetration Tester","strippedTitle":"what you need to know to be a penetration tester","slug":"what-is-penetration-testing","canonicalUrl":"","seo":{"metaDescription":"Penetration testing helps to ensure the safety and security of our technology. Penetration testers need a wide variety of skills and knowledge. Learn more.","noIndex":0,"noFollow":0},"content":"Penetration (or pen, for short) testing is one of the hottest up-and-coming skills any IT professional needs to have. As more and more technology takes over our world, the need to ensure it’s safe and secure is at the forefront. Companies are actively looking for penetration testers and professionals with a background in IT security and the ability to do penetration testing.\r\n\r\nAs a pen tester, you need a solid understanding of how an attacker can access your systems and how they can conduct attacks. 
You also need to know about security vulnerabilities as well as <a href=\"https://www.dummies.com/computers/macs/security/penetration-testing-for-dummies-cheat-sheet/\" target=\"_blank\" rel=\"noopener\">penetration testing</a> tools, techniques, and skills that today’s most elite pen testers use on a daily basis to conduct penetration tests that keep their company’s assets safe.\r\n<h2 id=\"tab1\" >Skills needed for penetration testing</h2>\r\nYou’re going to need a wide variety of skills throughout your pen testing career, but the biggest (or most important) skills to have are in the realm of <a href=\"https://www.dummies.com/programming/networking/network-security-why-its-necessary/\" target=\"_blank\" rel=\"noopener\">networking and general security</a>.\r\n\r\nTo be able to conduct a pen test with any amount of confidence, the more you know about security and network architecture, the better. For example, to run a basic pen test, you need to enter a network address or subnet range in your scanning tool.\r\n\r\nYou need to also know the difference between vulnerability scanning and penetration testing and why they’re similar and how they’re different. The following image shows the basics of setting up an IP addressing range to scan and identify vulnerabilities. 
After you know the risks and weaknesses, you can then move into the details on how to exploit (pen test) what has been found so you can learn whether the technology is secure.\r\n\r\n[caption id=\"attachment_289937\" align=\"alignnone\" width=\"1022\"]<img class=\"wp-image-289937 size-full\" src=\"https://www.dummies.com/wp-content/uploads/IP-Range.jpg\" alt=\"Penetration testing -- setting up an IP addressing range\" width=\"1022\" height=\"605\" /> Adding an IP range to scan[/caption]\r\n\r\nIt’s also crucial to understand IP, protocols, networking, and other technologies related (and also not directly related) to security analysis because as weaknesses are identified (perhaps with a scan), you can then move to exploit them (pen test) no matter what technology you’re presented with (databases, mainframes, virtualized systems, for example).\r\n<p class=\"article-tips remember\">As a pen tester, you leave no stone unturned, and you need to expect anything and everything. You are tested just as much as the systems you’re testing. Additionally, criminal activity isn’t confined to computers. The Internet of Things (IoT) is an ever-expanding network of connected devices that includes, but is not limited to, tablets, phones, and smart home devices such as TVs and thermostats.</p>\r\nYou may not encounter all those devices working as a professional pen tester in the corporate world, but you need to be aware of all connected devices. And when you’re pen testing, take time to find out which devices could be affected, such as mobile devices and assets used by field staff.\r\n<p class=\"article-tips tip\">Also be aware of a hacker’s reconnaissance procedures. Hackers often begin attacks by using general research techniques, such as Internet searches that point a hacker in a direction, to learn more about accessing your company. For example, a simple Whois search might provide an address. A DNS search or query could provide a clue. 
Google searches may help to identify paths of attack, URLs, domain names, IPs, email addresses, and more.</p>\r\n\r\n<h2 id=\"tab2\" >Basic networking</h2>\r\nBasic networking includes, but is not limited to, understanding the OSI (open systems interconnect) model. Knowing how data transits from one location (a sender) to another (a receiver) is key to being able to unwind how many attacks occur.\r\n\r\nIt also includes knowing how routers, switches, hubs, load balancers, firewalls, intrusion prevention devices, and other network black boxes on the wire work. (<em>Black-box security testing</em> refers to testing software security from the outside in. Generally, the tester has little or no knowledge of the internal workings.) If you pen test a router, you need to know how it operates.\r\n\r\nThe <a href=\"https://www.dummies.com/programming/networking/network-basics-tcpip-protocol-suite/\">TCP/IP protocol suite</a> also falls under basic networking knowledge. The transmission control protocol (TCP) and Internet protocol (IP) controls how computers connect to the Internet. It includes many of the protocols in the <a href=\"https://www.dummies.com/programming/networking/network-basics-the-seven-layers-of-the-osi-reference-model/\" target=\"_blank\" rel=\"noopener\">7-layer OSI model</a>.\r\n\r\nThe Open Systems Interconnection (OSI) model is used as a logical framework to show how data travels from the source to the destination and back to the source through the many technologies that comprise the network, systems, and applications. 
It’s a model of standards that shows the under the hood actions of the technologies at each layer.\r\n\r\n[caption id=\"attachment_270852\" align=\"aligncenter\" width=\"349\"]<img class=\"wp-image-270852 size-full\" src=\"https://www.dummies.com/wp-content/uploads/penetratin-testing-osi-model.jpg\" alt=\"OSI model pen testing\" width=\"349\" height=\"556\" /> Examining the OSI model[/caption]\r\n\r\nThe protocols used in a suite (such as TCP/IP) map to the various layers of the model and perform different functions. For example, FTP operates at a higher layer in the model than TCP or IP. The theory is that, if the lower layers don’t work, then the higher layer protocols won’t operate correctly. The OSI allows you to troubleshoot problems in a workflow manner.\r\n\r\nThe image below shows a wire packet capture that shows a lot of the information you need to read through to conduct a pen test with a tool such as Wireshark. Here you can see packets that when captured can be decoded to tell you the details within them.\r\n\r\n[caption id=\"attachment_289939\" align=\"alignnone\" width=\"1027\"]<img class=\"wp-image-289939 size-full\" src=\"https://www.dummies.com/wp-content/uploads/Network-packet.jpg\" alt=\"Penetration testing -- network packet\" width=\"1027\" height=\"677\" /> Digging into a network packet capture[/caption]\r\n\r\nHaving knowledge of these protocols, how and where they operate, and what is contained in the frames, headers, and other inner details of the packet is what will make you a great pen tester. If you run a pen test and it reports back, for example, that you have a vulnerability in telnet that’s sending packets back and forth in cleartext, you need to determine what path a hacker may take.\r\n\r\nYou can more easily make that determination if you know how the protocols work and what is expected behavior and what can be manipulated versus what could be impacted by a software bug. 
Cybersecurity Articles

Batten down the (virtual) hatches with these rock-solid strategies for protecting your privacy and security.

Articles From Cybersecurity

51 results
GDPR For Dummies Cheat Sheet

Cheat Sheet / Updated 03-15-2022

The General Data Protection Regulation (GDPR) was designed to streamline data protection laws across Europe as well as provide for some consistency across the European Union (EU). Although it's been in place since May 2018, it still causes a lot of confusion. This cheat sheet answers some questions about a few major misunderstandings: Does the GDPR apply to non-EU organizations? Can non-EU organizations be fined for non-compliance? Do you need an Article 27 representative?

Security Awareness For Dummies Cheat Sheet

Cheat Sheet / Updated 03-14-2022

Security awareness is much more complicated than just making users “aware.” Implementing an effective security awareness program means that you aren’t just providing information — rather, you’re specifically improving security-related behaviors.

Penetration Testing For Dummies Cheat Sheet

Cheat Sheet / Updated 03-01-2022

Penetration (pen) testing is used by many organizations to ensure that the security controls they put in place actually work. Pen testing and security are complicated topics and can be intimidating. This cheat sheet covers basic pen testing terminology you need to know, the most commonly used pen testing tools, and a list of commonly sought-after certifications in the field of pen testing.

Cybersecurity For Dummies Cheat Sheet

Cheat Sheet / Updated 02-24-2022

Some scams cyber-criminals use to target online shoppers seem to persist for years. This likely indicates that people are continuously falling prey to the scams, thereby encouraging criminals to keep using the same forms of trickery over and over. Look here to discover some straightforward tips on how to keep yourself — and your loved ones — safe when using the internet to shop, as well as how to avoid common cybersecurity mistakes.

Hacking For Dummies Cheat Sheet

Cheat Sheet / Updated 02-24-2022

Not all hacking is bad. It reveals security weaknesses or flaws in your computing setups. This Cheat Sheet provides you with quick references to tools and tips and alerts you to commonly hacked targets — information you need to make your security testing efforts easier.

Cloud Security For Dummies Cheat Sheet

Cheat Sheet / Updated 01-10-2022

So many computing resources have migrated to the cloud because of ease of use, accessibility, cost, maintainability, and getting your computing closer to your clients (edge computing). With all of these advantages come additional responsibilities. Cloud service providers do provide some security for your applications and data, but you share responsibility with them. Primarily, those responsibilities include managing access to your cloud resources and maintaining the security of your applications. While it may seem that having responsibility for two things is not a lot of work, it’s quite a challenge. Following are the essentials of cloud security.

The Fundamentals of GDPR and Data Protection

Article / Updated 12-29-2021

One aim of the General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, was to harmonize data protection laws across Europe — so its legal form is a regulation (an order that must be executed) as opposed to a directive (a result to achieve, though the means to achieve aren’t dictated). The GDPR is the successor to the European Union's (EU) Data Protection Directive 1995 (Directive 95/46/EC). Unlike a directive, when the EU enacts a regulation, it becomes national legislation in each EU member state, with member states having no opportunity to change it via national legislation. However, EU member states are permitted to make certain derogations (a fancy term for exemptions) from the GDPR (such as in the case of the need to uphold a country’s security), so data protection laws across Europe aren’t quite as harmonized as may have been desired by some of the legislators. Although EU member states cannot change the GDPR, each member state requires national legislation to accompany the GDPR, for two reasons: The GDPR needs to fit into the member state’s legal framework. National legislation is needed to choose from the exemptions permitted by the GDPR. At the time this article was written, all but three member states had passed national legislation to sit alongside the GDPR. So, you need to familiarize yourself with not only the GDPR but also the legislation that was implemented in the EU member state(s) in which your organization is established. Data protection laws Data protection laws exist to balance the rights of individuals to privacy and the ability of organizations to use data for the purposes of their business. Data protection laws provide important rights for data subjects and for the enforcement of such rights. This list describes a handful of additional points about these laws to keep in mind. Data protection laws: Protect data subjects: A data subject is an individual whose personal data is collected, held, and/or processed. 
Apply to organizations that control the processing of personal data (known as data controllers) and also organizations that process personal data under the instructions of data controllers (known as data processors): These include companies (both private and public), charities (not-for-profit, political, and so on), and associations (such as churches, sports clubs, and professional leagues, to name only a few). Apply throughout the world: The concept of privacy originated in the United States in the 1890s. Although the EU has been a front-runner in establishing the laws protecting data and sees itself as setting the gold standard of data protections laws, the vast majority of countries around the world have some form of data protection laws. Do not prevent organizations from using personal data: Organizations can legitimately use personal data to their benefit as long as they comply with applicable data protection laws. Every organization is likely to process some personal data — of its clients, employees, suppliers, prospects, and so on. Prevent common misuses of personal data: Organizations often fail to (a) put in place appropriate measures to keep personal data secure (b) inform the data subject at the point of data collection about what it is intending to do with the personal data and where necessary to obtain consent and (c) transfer personal data to third parties without the knowledge of the data subject. Data protection laws generally prevent these common misuses. Countries hold to varying degrees of regulation and enforcement and some countries don’t have any data protection laws. The following table rates the strength of various countries’ efforts to protect data. 
Regulation/Enforcement Strength of Data Protection Laws Worldwide

Type of Regulation/Enforcement   Countries
Tough                            Australia, Canada, Hong Kong, South Korea
Strong                           Argentina, China, Estonia, Finland, Iceland, Japan, Latvia, Malaysia, Monaco, Morocco, New Zealand
Light                            Angola, Belarus, Costa Rica, Egypt, Ghana, Lithuania, Mexico, Nigeria, Russia, Saudi Arabia/UAE, South Africa, Turkey, Ukraine
Limited                          Honduras, India, Indonesia, Pakistan, Panama, Thailand, Uruguay

The 10 most important obligations of the GDPR

The obligations I refer to in this section’s heading are the ten most important actions you need to take to comply with the GDPR; I’ve only summarized these obligations in the following list because I discuss them further throughout this book:

1. Prepare a data inventory to map your data flows so that you can understand exactly what personal data you’re processing and what you’re doing with it.
2. Work out the lawful grounds for processing each type of personal data for each purpose for which you’re processing it.
3. Ensure that your data security strategy is robust and that you have implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk of a data breach or other security incident.
4. Ensure that an appropriate safeguard is in place whenever you transfer personal data outside of the European Economic Area (EEA).
5. Update your Privacy Notice to ensure that you’re being transparent about the means and purposes of your data processing.
6. Update your Cookie Policy to ensure that you aren’t relying on implied consent, that visitors to your website are taking affirmative action to consent to non-essential cookies being used, and that the cookies are fired only after consent is obtained.
7. Ensure that your staff are appropriately trained in relevant areas of the GDPR.
8. Ensure that you have reviewed the grounds on which you process employee data, and issue a revised employee privacy notice where necessary.
9. Determine whether you need to appoint a data protection officer (DPO). If you do, take the necessary steps to hire a suitable candidate.
10. Review all of your processor and subprocessor arrangements and ensure that appropriate contracts are in place. Ensure that the data processors (and subprocessors) are compliant with the GDPR and that they have adequate security in place to protect the personal data.

The consequences of non-compliance

Think of this as a description of not only the consequences you face if you aren’t compliant with the GDPR but also the reasons you should care about being compliant.

Increased fines and sanctions

The GDPR has introduced significant increases in the maximum fines for breaches of its requirements. Under the GDPR, the fines for certain breaches have been increased to 20 million euros (about $24 million USD) or 4 percent of global turnover for the past financial year, whichever is higher. For “lesser” breaches, the maximum fines have increased to 10 million euros (about $12 million USD) or 2 percent of global turnover for the past financial year, whichever is higher.

This significant increase in fines indicates the increasing importance of data protection within the EU as the value of personal data increases and processing becomes even more sophisticated. This is not to say that you will be fined these amounts for any infringement of the GDPR. You would have to do something that significantly impacts the rights and freedoms of a large number of data subjects to incur a maximum fine.

Supervisory authorities are the regulatory authorities (often known as data protection authorities) within individual EU member states that are responsible for the enforcement of the GDPR.

Civil claims

Data subjects can now bring civil claims against data controllers for infringements of their data subject rights.
So, if, for example, you don’t respond appropriately to a data subject rights request (namely one where the data subject requests details of the personal data you process about them) or if you experience a data breach that affects the data subject’s personal data, you could find yourself on the receiving end of a civil claim. As you may have noticed in recent high-profile data breaches, such as the British Airways data breach in 2019, data protection lawyers are placing advertisements encouraging victims of data breaches to join group actions against the data controller. A civil claim against you would not only damage your reputation further but would also cost a significant amount of time and money to defend.

Data subject complaints

The general public is much savvier about their data protection rights than they used to be, for these reasons:

The introduction of the GDPR garnered a lot of publicity due to the increased sanctions.
Supervisory authorities ran various awareness campaigns to ensure that data subjects were aware of their rights.
Certain high-profile cases, such as the Facebook and Cambridge Analytica cases (where personal data was misused for political profiling) and the British Airways data breach case, have received broad coverage in the media.

This savviness has led to an increase in the number of complaints from data subjects whose personal data hasn’t been processed in accordance with the GDPR. Data subjects are lodging complaints both directly with the data controller and with supervisory authorities. The two situations require two different responses:

If the data subject complains directly to you (the data controller): Although a complaint signals that an element of reputational damage has occurred, you have an opportunity to repair the relationship, which is particularly important if the data subject is a customer or a potential customer.
If the data subject complains to the supervisory authority: Because the supervisory authority is bound to investigate that complaint, you might face more serious consequences. The supervisory authority will review all your data processing activities, policies, and procedures in relation to that complaint. If it finds that the complaint is valid, the supervisory authority will use its corrective powers in relation to such complaints. These corrective powers include the ability to issue fines, to impose a temporary or definitive ban on the processing of personal data, or to force you to respond to the data subject’s requests to exercise their rights.

Brand damage

When a data subject brings a claim against you, you risk not only sanctions from the relevant supervisory authority but also brand damage. A report by Acxiom (a consulting firm providing marketers with data and technology assistance) entitled “Global data privacy: what the consumer really thinks” showed that individuals from around the world are, in the vast majority, quite concerned about how their personal data is used and protected. If you aren’t compliant with the GDPR, you’re showing your prospects, customers, and employees that you aren’t concerned about the protection of their personal data.

Loss of trust

If you don’t comply with the GDPR and, for example, you experience a data breach or don’t respond appropriately to data subject requests, you are likely to lose the trust of your customers and prospects. When they don’t trust you, they don’t want to buy from you or otherwise do business with you. Similarly, when your employees don’t trust you, they no longer want to work for you.

In unfortunate timing, British Airways sent an email to all of its customers to assure them that they could trust British Airways with their personal data. Just a couple of months later, British Airways suffered a large data breach that compromised the financial details of 185,000 customers, details that were sold on the dark web.
As a result of this data breach, the share price of IAG (British Airways’ parent company) decreased by 5.8 percent (equivalent to a loss of £350m). In 2018, Comparitech published a report finding that, in the long term, organizations that have suffered data breaches financially underperformed.

Be a market leader

By embracing the GDPR and showing your customers, prospects, and employees that you care about the protection of their personal data, you gain a competitive advantage. Elizabeth Denham, the United Kingdom Information Commissioner, summed up this idea nicely: “Accountability encourages an upfront investment in privacy fundamentals, but it offers a payoff down the line, not just in better legal compliance, but a competitive edge. We believe there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals and over time this can play more of a role in consumer choice.”

10 Tips for Becoming a Better Pen Tester

Article / Updated 12-29-2021

Penetration testing is always evolving. More complex cyberattacks require more sophisticated pen testers. Here are ten tips to help you refine your pen testing skills as you continue in your career or education.

Continue your education to improve your pen testing skills

Keep learning. Study often and do not limit the scope of your studies. You can get by in your career by learning the basics, getting the tools, and running them. However, you need to learn the finer details of information technology systems, networks, and services and how they are secured or threatened. The ways you can continue your education are unlimited. However, if you’re on a budget (or have access to resources within a budget), here are a few ways you can help yourself:

Use your library. To access the internet, books, publications, magazines, and other materials, use your public library system. Some libraries even hold IT classes and, in some cases, even security classes.

Use the internet. You can find many sites to help with pen testing, learning about IT, security, and many other topics. You can gain access to tools and sites that allow you to learn how to conduct penetration testing, and to learn operating systems and other valuable programs.

Build a test PC. If you can gain access to a PC or laptop that you can turn into a test system, acquire it and use it. Many companies likely have an older system lying around unused that you can turn into a pen test toolkit.

Use virtualization. Similar to the extra PC or laptop, you can set up virtualization software that gives you access to even more systems, so you can build a small virtual network within a computer and conduct pen testing on multiple systems from one system. The image below shows an example of a tool running within a virtualized system.

Use freeware. Many demo tools give you full access for a period of time, or at least limited functionality, that you can use to learn with.
Build your penetration testing toolkit

Carpenters and other trades rely on their tools to be able to do their jobs. Auto mechanics, welders, and others who use tools to conduct their work can’t do great work without tools that are maintained and preserved. The same is true of IT professionals, especially those who function in the security realm as pen testers. No matter what, consider your tools the most important thing you can maintain. Keep the following in mind as you build your toolkit:

Keeping your toolkit current is one of the hardest things to do as a pen tester. You will find some tools (sometimes older tools) are more helpful in getting the results you need. Some tools are scripts that are created and maintained by each individual pen tester. Some tools are expensive, and you need licenses for them. You also need to keep them updated. For example, any tools, software, programs, applications, and systems you use need to be patched, virus scanned, updated, and kept up to date.

All software must be updated. Any software that requires signature files, digital certificates, block ciphers, or any other form of additional software needs to be updated and maintained.

Technology changes over time. There will be updates to the systems you use, and there will be different systems in different organizations — all this means you need to keep your toolkit current with new additions as you find you need them.

Make sure your computer is updated and safe. Make sure you keep the system you run all this on current as well. Nothing is worse than the embarrassment of getting your own system hacked as a pen tester. Keep your own stuff pristine, secure, and tested.

Think outside the box to be a better pen tester

Never get comfortable with the same vectors, tools, patterns, and attacks. Always consider another option — the plan B. You have to constantly think outside the box to stay ahead of those who commit crimes. Think of hackers and attacks like running water.
It will find a way. You, too, need to think like running water and consider, anticipate, and get ahead of different types of attacks and attack vectors by developing this dynamic mindset. Below is an example of a planned penetration test where the pen tester wanted to enter the network via the wireless access point. In one situation, a pen tester was working with an organization that agreed to his trying another path if possible, and he found another way in through the internet connection (plan B) to access the network externally. He could also have accessed the network by picking up a signal from the parking lot.

Think like a hacker to be a better pen tester

You need to know what hackers do. As an ethical person, it’s not easy to think like a criminal. This is where the great pen testers excel. You have to think beyond what a good guy would do . . . to what someone with no ethics would do. You can read about attacks that took place in the past to learn about the people who conducted them. One of the earliest well-known hackers is Kevin Mitnick, who conducted hacks back in the 1990s and was arrested in 1995. Learning about Kevin and how he turned into a grey hat hacker over time helps you get inside the mind of those who conduct crimes and understand their motives.

Get involved to improve as a pen tester

Whether through conferences, online communities, or social outlets online or in person, spend some time networking with others in your field. Two conferences where you can continue your education, learn the specifics of pen testing from experts in the field, meet book authors, and get access to current trends and classes about current products are DEF CON and Black Hat. Normally, both are held in the United States, but over the years the conferences have grown and expanded to other countries as well. Both conference websites have options to sign up for a conference, as well as options to view older media, papers, and research conducted over the years.
It is also a great way to meet other experts in your field as you continue to grow within it. There are professional organizations that cater to pen testers, schools that form groups of like-minded individuals, governance committees, and other types of groups that allow those who conduct ethical hacking to join together and share ideas. There are government agencies that you can join to share ideas and information. Regardless of whom you join up with, a community-based approach to sharing ideas has led to some of the largest crowdsharing/crowdsourcing and other group successes there are today. Pair up and work on some projects together to share ideas and learn more about pen testing.

Use a lab for penetration testing

Whether you buy and build one, rent space, lease system time from others, use online resources available to you for testing, or use virtual machines in a lab you build, hands-on time is crucial to your success. You need to be able to run the tools, hacks, and tests and see what is possible. It’s one of the best ways to learn how to become an elite pen tester. Although there are many challenges in doing this, you can still find ways to get hands-on training:

Online test sites: Online test sites let you experiment with your penetration-testing skills.

A test machine: You can also set up on one computer in your home a virtual system of other machines (a virtual network) and test the systems on your base machine.

The image below lays out a nice lab strategy you can use to start to develop a pen testing practice lab at work or at home. Some of the items you may want to consider in building your pen testing lab include (but are not limited to):

Server infrastructure: You can either set up a server physically on your mock network or a virtual one.
Either way, make sure that you have allocated resources so that you can configure targets such as a database (which can be large in size), as well as multiple network connections for redundancy (a cluster) or other advanced setups.

Network infrastructure: From the cabling to the wireless systems — the routers, switches, access points, firewalls, and everything in between — you can configure all the network components to interconnect the devices you want to set up as resources on your mock network.

Pen test system: The point of origin, which can be the laptop that you use as an ethical hacker to conduct the penetration testing.

As you learn more and more, you can add systems and infrastructure to further build out the lab so you can conduct more tests.

Stay informed on penetration testing

Just like in any other role, skill, or function, the more you know the better off you will be. Up-to-date threat information can help you learn about the myriad of attacks and patterns coming out daily. This information deepens your knowledge of what you need to be aware of as a pen tester protecting against them. You should also stay abreast of things going on in the pen test community. One great way to do this is by meeting up with other pen testers to swap information.

Stay ahead of new technologies to be a better pen tester

Technology is always changing. Remember when virtualization became important? Cloud? Wireless? Mobile? As each of these technologies emerged (and in some instances converged), it was important to stay on top of them because the minute they came to market, there seemed to be a ton of attacks that came right along with them. When wireless hit the market, for example, there were drive-by scanners hanging out of cars — hackers were cracking into company systems from the parking lot. You must keep up with new technologies, learn about them, and anticipate how black hat hackers might use them. There are countless resources available for learning about new technology.
For example, if you know your primary targets are going to be Cisco, Citrix, Microsoft, VMware, Linux (select a distribution), and EMC Storage, you may want to sign up on those vendors’ websites and mailing lists to stay ahead of updates, new patches, version updates, and so on. If you have a contract with any of these vendors, they should be sending you information; however, anyone can contact these vendors and be added to their mailing lists to learn more about them. For example, if you were a large Cisco networking customer, you could gain access to RSS feeds, field notices, security advisories, bug alerts, software updates, and so much more.

Build your reputation as a pen tester

Building your reputation is easy. For someone (anyone) to let you into these protected networks where all their data sits, they absolutely must trust you. Trust. It’s the critical piece of the proverbial pie of your career in pen testing. Become known as someone who can’t be trusted, and it’s likely you will never again work for a company that needs your assistance in thwarting crime. This means you cannot be a criminal! You need to make sure you act professionally and ethically. Build your network of peers and people who can vouch for you, and continue to act in a way that is honorable and as a consummate professional.

Learn about physical security

All the technical knowledge, skill, tools, and experience in the world can’t save you and a company from a social engineering attack. Nothing can thwart technical security faster than social engineering. Card swipes, magnetic door locks, biometric readers, cameras, physical security guards, wall hopping, and all of the other things that fall outside of the computer network where data is kept can’t stop someone from breaking and entering. Always consider physical security challenges as a pen tester, and augment your technical vulnerability analysis and scans by checking how physical security and defense in depth stack up.
Ultimately, any efforts you can take to learn will help to make you a better pen tester. Learning is key.

10 Sites for Learning More about Penetration Testing

Article / Updated 12-29-2021

As an IT professional, it doesn’t matter how much you know about penetration testing today — there is always more to learn! What you know today could become outdated as technology evolves and morphs into new innovations. With that said, here is a list of penetration testing websites and resources that will be extremely helpful to you as a security professional. If any of the websites are no longer accessible at any time, do your own online searches for keywords such as pen testing, penetration testing, and security hacking. Also make sure to fact-check any data not coming from a reputable site. The sites listed here are generally reputable, but you should still consider researching things before you implement them regardless.

One of the best sources of information you can use for your studies is the help files of your software. If you use the knowledge bases that come with the tool and those online at the vendor’s website, you will learn how to better use the tools and reinforce some of the topics you learn about penetration testing along the way.

SANS Institute

SANS.org leads to the SANS Institute, whose site has, since 1989, been filled with a large amount of useful security information that is freely accessible to all. This online resource is easily searchable from the home page and contains many resources a pen tester can use, including the SANS Information Security Reading Room, which hosts approximately 3,000 original research papers in 110 important categories of security. You can sign up for weekly bulletins, alerts, newsletters, risk alerts, and other email items that can keep you abreast of threats. You can also access the Internet Storm Center, which is an early warning system for threats. There are many other resources available, such as templates, vendor product information, information on open and closed source software, and so much more. Another point of interest on the SANS website is the connection to their focused areas on pen testing.
If you’re looking to make pen testing a career, being connected to this community and digging deep into their online resources can add value to your education and knowledge.

GIAC certifications

Another point of interest on the SANS website is the connection to the certification arm of SANS, which is called Global Information Assurance Certification (GIAC). It's focused on different areas of security, such as incident response and handling, forensics, and of course pen testing. When you’re ready, you can obtain the GIAC Penetration Tester certification (GPEN). Aside from being an industry standard exam that tests your ability to conduct a pen test, the GIAC website also has a wealth of information about pen testing. You’ll need to pay for the exam and the study materials that come with it. There are other tests available, such as CompTIA’s PenTest+, but the benefit of getting GPEN certified is that you get to connect to a community of expert pen testers as well as getting certified and educated.

Software Engineering Institute

Carnegie Mellon University (CMU) has long been a source of amazing security information. You’ll find information about risk assessments, pen testing, forensics, and security-based incident handling. The CMU site has a CERT landing page that hosts publications and other scholarly works about cybersecurity: CERT partners with industry experts (from areas such as the technology industry, law, government, and academia) to provide advanced studies and research on relevant topics.

Legal penetration sites

Legal penetration sites are hosted by various groups that provide a realistic way for ethical hackers to learn real hacking skills on networks and systems that have been left in a semi-hardened state. If you run a search on Google for “legal penetration sites,” you will pull up reputable sources for finding these sites.
Cisco has information in their help forums, as do security magazines (another great resource) and other sites that host these penetration test hubs where you can hone your skills. If you can’t afford to set up your own lab environment for testing purposes, then seeking outside resources such as these can really help develop your skills.

Open Web Application Security Project

The Open Web Application Security Project (OWASP) was established in 2001 and is currently a not-for-profit organization that works on the foundation of group collaboration. OWASP champions open source and has no affiliation of any kind. Their focus is on web application hacking and the security of applications, software, web apps, and programs. The frameworks, information, and resources provided help to guide a pen tester into areas of risk and vulnerability surrounding applications, such as hacking APIs. This site can really help you better understand more in-depth details about programming and software hacking, and what you should seek to penetrate and exploit in these systems as an ethical hacker. The following image shows the top ten application security risks at any given time.

Tenable

Tenable makes Nessus, and you can visit the website for more information on vulnerability scanning, pen testing, and risk assessments. One of the greatest things you can find on the Tenable website is a series of tools and information primarily focused on pen testing. In their research papers are details on how to become a better pen tester. The image below shows the Tenable website, where you can download Nessus for trial use or purchase a license for permanent use.

Nmap

Nmap is undeniably one of the hottest and most used tools for pen testing outside of Nessus and Metasploit. Contained in Kali, Nmap is a tool that can really do it all.
On the website you will find advanced usage of the tool, including subverting firewalls, spoofing scans, getting around IDS, automation and scripting of the tool, and so much more.

Wireshark

Wireshark is one of the de facto tools in your toolkit and a primary source of information for troubleshooting networks, information gathering, or pen testing. Within the main website you will find tons of detailed information on how to use this tool. As well, the forums where engineers talk about issues and things they find are loaded with literally thousands of pieces of valuable information that will help you learn more about networking, TCP/IP, the Internet, and how packets and frames traverse a network. Need to learn more about ports, channels, communication, sockets, protocols, packets, headers, and so on? This is the site to go to to learn more about these details.

Dark Reading

In today’s pen testing world, one of the go-to sites for security professionals is Dark Reading. Dark Reading provides information on both older and breaking news stories geared towards an online community of security gurus and professionals looking for more information about topics like pen testing. You’ll find newsletters and feeds, and the sections on Attacks and Breaches can help you emulate scenarios in your pen testing, stay on top of trends, and conduct ethical hacks to test your security posture.

Offensive Security

From the distributors of Kali, Offensive Security is a company that specializes in doing penetration testing. Offensive Security offers penetration testing as a service, and they provide a certification as well. On this site, you can learn more about pen testing from the experts who do it day in and day out. You’ll find sample checklists, tools, reports, and a lot of the things you might want to emulate in your own pen tests.

What You Need to Know to be a Penetration Tester

Article / Updated 12-17-2021

Penetration (or pen, for short) testing is one of the hottest up-and-coming skills any IT professional needs to have. As more and more technology takes over our world, the need to ensure it’s safe and secure is at the forefront. Companies are actively looking for penetration testers and professionals with a background in IT security and the ability to do penetration testing. As a pen tester, you need a solid understanding of how an attacker can access your systems and how they can conduct attacks. You also need to know about security vulnerabilities as well as the penetration testing tools, techniques, and skills that today’s most elite pen testers use on a daily basis to conduct penetration tests that keep their company’s assets safe.

Skills needed for penetration testing

You’re going to need a wide variety of skills throughout your pen testing career, but the biggest (or most important) skills to have are in the realm of networking and general security. To be able to conduct a pen test with any amount of confidence, the more you know about security and network architecture, the better. For example, to run a basic pen test, you need to enter a network address or subnet range in your scanning tool. You also need to know the difference between vulnerability scanning and penetration testing, and why they’re similar and how they’re different. The following image shows the basics of setting up an IP addressing range to scan and identify vulnerabilities. After you know the risks and weaknesses, you can then move into the details of how to exploit (pen test) what has been found so you can learn whether the technology is secure.
It’s also crucial to understand IP, protocols, networking, and other technologies related (and also not directly related) to security analysis, because as weaknesses are identified (perhaps with a scan), you can then move to exploit them (pen test) no matter what technology you’re presented with (databases, mainframes, or virtualized systems, for example). No stone is left unturned as a pen tester, and what you need to expect is everything and anything. You are tested just as much as the systems you’re testing.

Additionally, criminal activity isn’t confined to computers. The Internet of Things (IoT) is an ever-expanding network of connected devices that includes, but is not limited to, tablets, phones, and smart home devices such as TVs and thermostats. You may not encounter all those devices working as a professional pen tester in the corporate world, but you need to be aware of all connected devices. And when you’re pen testing, take time to find out which devices could be affected, such as mobile devices and assets used by field staff.

Also be aware of a hacker’s reconnaissance procedures. Hackers often begin attacks by using general research techniques, such as Internet searches that point a hacker in a direction, to learn more about accessing your company. For example, a simple Whois search might provide an address. A DNS search or query could provide a clue. Google searches may help to identify paths of attack, URLs, domain names, IPs, email addresses, and more.

Basic networking

Basic networking includes, but is not limited to, understanding the OSI (Open Systems Interconnection) model. Knowing how data transits from one location (a sender) to another (a receiver) is key to being able to unwind how many attacks occur. It also includes knowing how routers, switches, hubs, load balancers, firewalls, intrusion prevention devices, and other network black boxes on the wire work. (Black-box security testing refers to testing software security from the outside in.
Generally, the tester has little or no knowledge of the internal workings.) If you pen test a router, you need to know how it operates. The TCP/IP protocol suite also falls under basic networking knowledge. The transmission control protocol (TCP) and Internet protocol (IP) controls how computers connect to the Internet. It includes many of the protocols in the 7-layer OSI model. The Open Systems Interconnection (OSI) model is used as a logical framework to show how data travels from the source to the destination and back to the source through the many technologies that comprise the network, systems, and applications. It’s a model of standards that shows the under the hood actions of the technologies at each layer. The protocols used in a suite (such as TCP/IP) map to the various layers of the model and perform different functions. For example, FTP operates at a higher layer in the model than TCP or IP. The theory is that, if the lower layers don’t work, then the higher layer protocols won’t operate correctly. The OSI allows you to troubleshoot problems in a workflow manner. The image below shows a wire packet capture that shows a lot of the information you need to read through to conduct a pen test with a tool such as Wireshark. Here you can see packets that when captured can be decoded to tell you the details within them. Having knowledge of these protocols, how and where they operate, and what is contained in the frames, headers, and other inner details of the packet is what will make you a great pen tester. If you run a pen test and it reports back, for example, that you have a vulnerability in telnet that’s sending packets back and forth in cleartext, you need to determine what path a hacker may take. You can more easily make that determination if you know how the protocols work and what is expected behavior and what can be manipulated versus what could be impacted by a software bug. 
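To make the layered view concrete, here is an added example (not code from the article or its author) that decodes a constructed Ethernet/IPv4/TCP frame field by field, the way a Wireshark dissector does, and flags the telnet-on-port-23 cleartext case described above. The frame bytes, MAC and IP addresses, and the cleartext port list are all constructed for this example.

```python
import struct

# Ports whose protocols carry data in cleartext; telnet (23) is the case the
# text describes. Constructed watch list for this example.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}

ETH_FMT = "!6s6sH"          # dst MAC, src MAC, EtherType      (OSI layer 2)
IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header, no options  (OSI layer 3)
TCP_FMT = "!HHIIBBHHH"      # 20-byte TCP header, no options   (OSI layer 4)


def build_sample_frame(src_port, dst_port, payload):
    """Build a constructed Ethernet/IPv4/TCP frame (not a real capture)."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", 0x0800)
    total_len = 20 + 20 + len(payload)
    ip = struct.pack(IPV4_FMT,
                     0x45,                          # version 4, IHL 5 words
                     0, total_len, 0x1234, 0x4000,  # TOS, length, ID, DF flag
                     64, 6, 0,                      # TTL, proto 6 = TCP, checksum (unverified)
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    tcp = struct.pack(TCP_FMT, src_port, dst_port, 1000, 2000,
                      5 << 4,                       # data offset 5 words = 20 bytes
                      0x18,                         # PSH|ACK
                      65535, 0, 0)
    return eth + ip + tcp + payload


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip(b):
    return ".".join(str(x) for x in b)


def decode_frame(frame):
    """Decode one frame layer by layer (2 -> 3 -> 4 -> 7), reading the IHL and
    data-offset fields to find where each header ends, and flag a cleartext
    application protocol on the destination port."""
    dst_mac, src_mac, ethertype = struct.unpack(ETH_FMT, frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4 (EtherType 0x{ethertype:04x})")
    (ver_ihl, _tos, total_len, _ident, _flags, ttl, proto,
     _csum, src_ip, dst_ip) = struct.unpack(IPV4_FMT, frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6:
        raise ValueError(f"not TCP (IP protocol {proto})")
    tcp_start = 14 + ihl
    (src_port, dst_port, seq, ack, off_res, flags,
     _win, _csum, _urg) = struct.unpack(TCP_FMT, frame[tcp_start:tcp_start + 20])
    data_offset = (off_res >> 4) * 4
    payload = frame[tcp_start + data_offset:14 + total_len]
    return {
        "l2": {"src_mac": _mac(src_mac), "dst_mac": _mac(dst_mac)},
        "l3": {"src_ip": _ip(src_ip), "dst_ip": _ip(dst_ip), "ttl": ttl},
        "l4": {"src_port": src_port, "dst_port": dst_port,
               "flags": flags, "seq": seq, "ack": ack},
        "l7": payload,
        "cleartext_protocol": CLEARTEXT_PORTS.get(dst_port),
    }


if __name__ == "__main__":
    frame = build_sample_frame(40001, 23, b"login: admin\r\n")
    decoded = decode_frame(frame)
    for layer in ("l2", "l3", "l4", "l7"):
        print(layer, decoded[layer])
    print("cleartext protocol:", decoded["cleartext_protocol"])
```

The point of the walk is that each header tells you where the next one starts (IHL for IPv4, data offset for TCP); a decoder that hardcodes 20-byte headers breaks as soon as options appear, which is the kind of inner detail the text says separates expected behavior from something that can be manipulated.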
With that understanding, you can test the issue yourself first to identify whether it needs to be remediated or mitigated. If you want to be a great pen tester, study TCP/IP further. It is the main protocol suite in use across the world today, and when it was first put into production many years ago it came with many flaws. Its ease of use is one of the biggest, along with the fact that security was an afterthought behind usability. Although today's networks and systems can account for these flaws, there is always danger in the shadows. Study TCP/IP and all of its sub-protocols and how they work to get better at testing weaknesses in your enterprise.

General security technology

The general security technology category includes firewalls. Most scans against devices such as a firewall turn up little to no information, and knowing why is helpful to your report. For example, in a ping sweep you ping the interface and find nothing because the firewall has disabled the protocol that would respond. The image below shows a Cisco router firewall log that lists the source and destination IP addresses used to make each connection as well as a description of what that connection did. Another example is when a scan finds open ports in use on a web server in a DMZ behind a firewall that shouldn't be open. By examining the log of the firewall that sits in front of these servers, you can see which source IP address is attempting to make those connections, classify it as an active attack, and prioritize it immediately for patching or remediation.

Other general yet important technologies to consider are intrusion prevention and detection systems, load balancers, access control lists (ACLs) on routers, wireless access points, controllers, and mobile extenders. Every one of these devices can be exploited, and the more you know about them and how to review their logs, the better you are at identifying risks and conducting ethical hacking.
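Here is an added example, not from the article, of the firewall-log triage described above. It reads constructed log lines written in the style of Cisco ASA syslog messages (made-up lines using documentation address ranges, not a real log), compares each inbound connection built to a DMZ host against an assumed inventory of the ports that host should expose, and groups the results by source IP, so that an established connection to an unexpected port is flagged for immediate attention while a merely denied probe is queued for review. The inventory, host names and message text are all assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed log lines in the style of Cisco ASA syslog messages 302013
# (connection built) and 106023 (denied by access list). Documentation
# address ranges only; this is not a real log.
SAMPLE_LOG = """\
Mar 15 10:01:02 fw01 %ASA-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.7/51234 (203.0.113.7/51234) to dmz:192.0.2.10/80 (192.0.2.10/80)
Mar 15 10:01:05 fw01 %ASA-6-302013: Built inbound TCP connection 1002 for outside:198.51.100.23/40001 (198.51.100.23/40001) to dmz:192.0.2.10/443 (192.0.2.10/443)
Mar 15 10:01:09 fw01 %ASA-6-302013: Built inbound TCP connection 1003 for outside:198.51.100.23/40002 (198.51.100.23/40002) to dmz:192.0.2.10/3306 (192.0.2.10/3306)
Mar 15 10:01:10 fw01 %ASA-6-302013: Built inbound TCP connection 1004 for outside:198.51.100.23/40003 (198.51.100.23/40003) to dmz:192.0.2.10/22 (192.0.2.10/22)
Mar 15 10:01:12 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.50/40004 dst dmz:192.0.2.11/445 by access-group "outside_in"
"""

# Services each DMZ host is supposed to expose (assumed inventory for the example).
EXPECTED_PORTS = {"192.0.2.10": {80, 443}, "192.0.2.11": {80}}

BUILT_RE = re.compile(
    r"Built inbound TCP connection \d+ for \w+:(?P<src>[\d.]+)/\d+ \S+ "
    r"to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")
DENY_RE = re.compile(
    r"Deny tcp src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")


def parse_line(line):
    """Return ("built" | "denied", src_ip, dst_ip, dst_port), or None for noise."""
    m = BUILT_RE.search(line)
    if m:
        return "built", m["src"], m["dst"], int(m["dport"])
    m = DENY_RE.search(line)
    if m:
        return "denied", m["src"], m["dst"], int(m["dport"])
    return None


def triage(log_text, expected_ports):
    """Group events by source IP and rank them for the report.

    A source that has *established* a connection to a DMZ port that should not
    be open is the active case the text describes; a source that was only
    denied is noted at lower priority."""
    unexpected = defaultdict(list)
    denied = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, src, dst, dport = parsed
        if kind == "denied":
            denied[src] += 1
        elif dport not in expected_ports.get(dst, set()):
            unexpected[src].append((dst, dport))
    findings = []
    for src, hits in unexpected.items():
        findings.append({"source": src, "priority": "immediate",
                         "reason": "connection built to unexpected DMZ port",
                         "targets": hits})
    for src, count in denied.items():
        if src not in unexpected:
            findings.append({"source": src, "priority": "review",
                             "reason": f"{count} denied attempt(s)",
                             "targets": []})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, EXPECTED_PORTS):
        print(finding)
```

The allowlist is the piece that turns a log into a finding: without an inventory of what each DMZ host should expose, a "connection built" line to port 3306 looks no different from one to port 443.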
Systems infrastructure and applications

You must also be familiar with a company's systems (servers, storage, and telecommunications) and the applications that run on them. This includes operating systems and the services they offer (name resolution, remote access gateways, and IP address leasing). Pen testing any and all of these areas will show up on your reports. If you run a scan on a Domain Name System (DNS) server, you may find that it needs to be patched. If the server is a Microsoft Windows Server system, you may be able to download the needed patches and apply them based on the report. You may also be running a UNIX or Linux system running BIND, which is a DNS name daemon or service. Either way, both may show up on your report as needing attention. Knowing what they are helps you direct attention not only toward how to repair them, but also toward which must be prioritized immediately.

Web applications and web programming are also major areas exposed to vulnerabilities through the logic needed to keep them running. Database servers running the Structured Query Language (SQL) may be subject to injection attacks. The operating systems that services and applications run on also remain open to attack and need to be scanned and patched.

Mobile and cloud

Mobile technology is also a must-know endpoint technology that is quickly replacing desktops and other devices. Mobile devices travel to and from locations and absolutely must be addressed, whether they are company assets or company software and data used on a personal device. This brings challenges that mobile device management (MDM) solutions help overcome. You might worry about testing them to make sure they are secure, but you approach this like all the other systems you are accountable for: you scan, test, and report based on your findings, and handle the risks as you identify them.
Cloud is another boundary IT security pros are trying to cross in the world of security and pen testing. Because cloud technologies fall under the purview of the cloud provider, as long as you are working in conjunction with the provider's security team and they are conducting pen tests, you have achieved the same goal as if you did it yourself. You might, however, face the fallout of mistakes or mishaps committed on the vendor side.

Penetration testers need a wide variety of skills and knowledge, but they are essential to helping ensure the security of our IT infrastructure.
