Security testing


Userlevel 1
Badge

Hi Community, I would like to know how security testing is performed, and whether there are any tools that are used to scan the code and identify the vulnerabilities in the code.



Various ways, but think of it largely as performed by pointing tools at the System Under Test. The tools will have a wide range of selectable attack surfaces known to scan for which you can select.

 

Attack surfaces could include for example:

  • which ports are open to the computer (8080, 443, 1521 etc.)
  • how visible the computer is (is ICMP/PING available, firewall access & which domain trusts can see it)
  • what permission sets are set up - which accounts can access it? parts of it? are these in line with best practices (i.e. OS administrator account with no password)
  • what folders are shared, what has read access, what has write access
  • is the OS and installed software patched up to date, are there known vulnerabilities with this software as listed on popular, common security databases of attacks in the wild
  • for a given database, what level of server, database, table and security account permissions are set up. Are these in line with best practices (i.e. leaving the SQL Server ‘sa’ account enabled)
  • for a website login page, the tools will attempt various attacks like entering malformed SQL in the username & password fields to check for SQLi attacks, malformed JavaScript to check for XSS attacks and more

The hard part isn’t so much using these tools which do most of the stuff for you, it’s investigating the results & writing an end vulnerability findings report. For that you need really expert security testing members who are highly trained & experienced. It’s really not an easy role & like general network security, these members need to be constantly informed, constantly learning of new threats.


There is another set of tools for the code which can be used by developers and/or security testers. If you search the web for “security scan code” or “static code analysis”, you’ll be able to find a few of these, which are often run in the IDE.
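To illustrate the kind of check a static code analysis tool performs (this is an added example written for this page, not a tool from the replies), the Python checker below walks the syntax tree of a source file and flags `cursor.execute()` calls whose query is built from concatenation, `%` formatting, `.format()` or an f-string, which is the pattern behind the SQLi attacks mentioned above. The scanned `SAMPLE_SOURCE` and its function names are constructed for the demonstration.

```python
import ast
import textwrap

# Constructed sample input: two unsafe queries and one parameterised query.
SAMPLE_SOURCE = textwrap.dedent('''
    def find_user(cursor, username):
        cursor.execute("SELECT * FROM users WHERE name = '" + username + "'")

    def find_user_fmt(cursor, username):
        cursor.execute(f"SELECT * FROM users WHERE name = '{username}'")

    def find_user_safe(cursor, username):
        cursor.execute("SELECT * FROM users WHERE name = %s", (username,))
''')


def _is_dynamic_string(node):
    """True if the expression assembles a string from run-time values."""
    if isinstance(node, ast.JoinedStr):          # f"...{x}..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        # "..." + x  or  "..." % x ; constant-only concatenation is harmless
        return not (isinstance(node.left, ast.Constant)
                    and isinstance(node.right, ast.Constant))
    if isinstance(node, ast.Call):               # "...".format(x)
        return isinstance(node.func, ast.Attribute) and node.func.attr == "format"
    return False


class _DynamicSqlFinder(ast.NodeVisitor):
    """Records (line, enclosing function) for execute() calls with dynamic SQL."""

    def __init__(self):
        self.findings = []
        self._func = "<module>"

    def visit_FunctionDef(self, node):
        outer, self._func = self._func, node.name
        self.generic_visit(node)          # visit body with the function name set
        self._func = outer

    def visit_Call(self, node):
        func = node.func
        if (isinstance(func, ast.Attribute) and func.attr == "execute"
                and node.args and _is_dynamic_string(node.args[0])):
            self.findings.append((node.lineno, self._func))
        self.generic_visit(node)          # nested calls may also be execute()


def find_dynamic_sql(source):
    """Parse Python source and return findings sorted by line number."""
    finder = _DynamicSqlFinder()
    finder.visit(ast.parse(source))
    return sorted(finder.findings)
```

Running `find_dynamic_sql(SAMPLE_SOURCE)` reports the two unsafe functions and stays silent on the parameterised one, which is the fix a findings report would recommend.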
