Penetration test

by admin

Penetration testing is a method of assessing the security of a system, network or for the entire organization by emulating a real attack scenario. The ultimate goal of penetration testing is to help identify specific risks. The process involves an active evaluation of the system to discover vulnerabilities that could affect it. As part of the PenTest process, vulnerabilities will be identified and exploited to determine the real risk that could pose a threat to the business.

At the end of the testing, a comprehensive report is delivered to the customer. The report will describe in detail the security issues found during testing, including their impact and risk to the business. For each security non-conformity included in the report, risk control methods will be suggested. In addition to providing technical recommendations, where possible we will identify the root cause of the non-conformance and provide operational recommendations and politics.

What does a pen test do in general:

• identification of devices in the network

• identifying operating system vulnerabilities

• identification of operating system updates existing in the network

• identification of database vulnerabilities

• generate reports according to the vulnerabilities also find the detailed remedy

• It simulates the attack on the network , on a database, etc.

There are three main approaches to penetration testing depending on the initial level of knowledge of the target system:

• BlackBox : perform target evaluation without any knowledge of the target system or network . This provides a very realistic scenario, emulating an anonymous attacker from outside the system.

• WhiteBox : it has all the details and the necessary information about the target system. This usually includes the network map , infrastructure details and even the source code of the applications used. Depending on the scenario, the penetration test in WhiteBox mode can be much more focused on particular elements and therefore can be many times more effective.

• GreyBox : A combination of the two types of PenTests mentioned above, in which an internal attacker is emulated (so with some knowledge of the existing IT&C infrastructure) but who is a non-privileged user ( his credentials only allow access in one way restricted), having to succeed in a privilege escalation to succeed in an attack.

The most common forms of penetration testing used are:

• Penetration tests of web applications : scenario by which an external attack is emulated that tries to compromise the confidentiality , integrity or availability of information or business processes inside the organization , usually this attack takes place via the Internet.

• External penetration tests : used to identify, evaluate and fix security vulnerabilities that could affect the external interface of the information system , in order to ensure that unauthorized access from the outside (usually from the Internet) to the organization's internal systems and data is not possible .

că accesul neautorizat din exterior (uzual din Internet) la sistemele şi datele interne organizaţiei nu este realizabil.

• Internal penetration tests : recreate the scenario of an attacker connected to the company's internal network or a disgruntled employee who could try to sabotage the company from the inside through unauthorized access to systems or data.

The test plan it includes:

• Target (hw , sw , OS, applications , databases)

• Testing time-period

• instruments sw&hw used for testing

• staff involved (attackers)

• The confidentiality agreement

• Approval (otherwise it is considered INFOSEC attack and treated as a security incident)

final report includes:

• Target (hw , sw , OS, applications , databases)

• Testing time-period

• instruments sw&hw used for testing

• staff involved (attackers)

• Conclusions

• vulnerabilities identified

• Risk control measures recommended ( necessary security measures implemented for elimination / reduction vulnerabilities )

• The signatures parties ( beneficiary and auditor)

Testing activities are carried out by a team with extensive experience in large IT&C projects related to design, implementation and auditing, at home and abroad, with nationally and internationally recognized IT&cybersecurity training and accreditations/certifications.

en_GBEnglish