Shulou(Shulou.com)06/02 Report--

Today, information technology is advancing by leaps and bounds, which has a profound impact on many fields, such as politics, economy, society, culture, military and so on. Internet technology is integrated into all aspects of life, and has already changed people's way of life. At the same time, network attacks are increasing day by day, and security protection is always a pain point of network security protection. In recent years, network attack has also become one of the most popular network security topics.

What are the differences between WEB penetration and IOT penetration?

Conventional WEB penetration testing is mainly divided into four stages, namely, information collection, vulnerability analysis, vulnerability mining and report formation.

1. Information collection

Information collection is a critical link in the initial stage, and whether the penetration test can be performed successfully depends to a large extent on the available information detected from the three-tier structure on which it depends.

2. Loophole analysis

Based on the known information, determine the test execution goal and plan, analyze and identify the feasible attack path, and consider how to obtain the access to the target system.

3. Vulnerability mining

According to the previously identified attack paths and targets, implement the excavation and verification of vulnerabilities.

4. Report formation

The report is the most important factor in the penetration testing process. The report document shows the security vulnerabilities and weaknesses found in the penetration testing process, provides guidance for vulnerability repair, and is the embodiment of the real value of penetration testing work.

Research on threat attack of Internet of things Penetration Test

Threat modeling is an effective method for in-depth analysis of application security, which identifies, quantifies, locates and captures application-related security risks by providing context and risk analysis. The Guinean Security editor informed that when evaluating the security problems of the Internet of things, it is often necessary to establish a threat model, which can also help guide the implementation process of penetration testing and help eliminate the security risks in the Internet of things. Threat modeling is usually divided into three steps, namely, application decomposition, threat determination and countermeasure interpretation. Decompose the Internet of things system from the attack surface point of view, so as to provide an identifiable potential security threat attack surface, in order to provide a reference basis for the subsequent determination of countermeasures and mitigation measures.

From the perspective of an attacker, the Internet of things is decomposed into application components according to the attack surface, which can be divided into ecosystem, device memory, device physical interface, device Web interface, device firmware, network services, management interface, local data storage, cloud Web interface, third-party back-end APIs, update mechanism, mobile applications, vendor backend APD, ecosystem communications, network traffic, authentication and authorization, privacy and hardware.

Multi-dimensional security IOT penetration testing is a security detection service for functional business threat detection based on STRIDE model. This paper starts with the analysis of the architecture design of the intelligent terminal application system, and then carries on the threat analysis to the service function realization in the architecture design, obtains the threat point that the business may face, and finally takes this as the basis to carry on the comprehensive penetration test. detect the loopholes in the intelligent terminal equipment and its entire ecosystem, and formulate corrective measures. At present, penetration business and virtual machine encryption products have achieved breakthroughs and model applications in aerospace and other national defense fields.

Functional Features of Multi-dimensional Security IOT Penetration Test

1. Business risk carding

According to the application system architecture, split the business, and model the threat for each business, and sort out all the potential security risks that may be encountered.

2. Loophole check and recheck

Verify the potential security risks one by one, and provide detailed vulnerability verification methods to identify the risks, provide review services, and ensure that the vulnerabilities are fully repaired.

3. Support vulnerability repair

According to different business vulnerability scenarios, provide targeted repair suggestions to help R & D personnel to fix vulnerabilities quickly and timely.

4. Professional safety report

From multiple dimensions and hierarchical relationships, a detailed description of vulnerability impact, risk level, vulnerability location, risk details, and repair recommendations.

Related reading: IOT Security Penetration testing Service: https://www.kiwisec.com/product/iot-test.html

APP penetration test: https://www.kiwisec.com/product/app-penetration.html

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.