Please download the dossier by clicking on the dossier button x
×

Selectively choosing between actual-attack and simulation/evaluation for validating a vulnerability of a network node during execution of a penetration testing campaign

  • US 10,454,966 B2
  • Filed: 05/01/2019
  • Issued: 10/22/2019
  • Est. Priority Date: 11/15/2017
  • Status: Active Grant
First Claim
Patent Images

1. A method for penetration testing of a networked system by a penetration testing system using both active and passive validation methods during a single penetration testing campaign, the method for penetration testing comprising:

  • a. determining a first target network node of the networked system to be the next network node to attempt to compromise during the single penetration testing campaign;

    b. determining a first vulnerability of network nodes to be used for compromising the first target network node;

    c. selecting a first validation method for validating the first vulnerability for the first target network node, a type of the first validation method being selected from the type group consisting of active validation and passive validation;

    d. validating the first vulnerability for the first target network node using the first validation method;

    e. determining a second target network node of the networked system to be the next network node to attempt to compromise during the single penetration testing campaign;

    f. determining a second vulnerability of network nodes to be used for compromising the second target network node;

    g. selecting a second validation method for validating the second vulnerability for the second target network node, a type of the second validation method being selected from the type group consisting of active validation and passive validation and being different from the type of the first validation method;

    h. validating the second vulnerability for the second target network node using the second validation method; and

    i. reporting at least one security vulnerability of the networked system determined to exist based on results of the executing of the single penetration testing campaign, wherein the reporting comprises performing at least one operation selected from the group consisting of;

    (A) causing a display device to display a report containing information about the at least one security vulnerability of the networked system,(B) storing the report containing information about the at least one security vulnerability of the networked system in a file and (C) electronically transmitting the report containing information about the at least one security vulnerability of the networked system,wherein all of steps a-i are performed by the penetration testing system, and all of steps a-h are performed during the single penetration testing campaign.

View all claims
  • 1 Assignment
Timeline View
Assignment View
    ×
    ×