Penetration Testing helps identify weaknesses in the protection of the corporate network and the elements of the network infrastructure. Technically, the service is an analysis of external and internal threats and vulnerabilities that uses automated tools to check whether penetration is possible, together with the manual attack methods used by hackers.
The final test results are presented in the form of a detailed report describing the vulnerabilities, their criticality levels and recommendations for eliminating them.
During the Penetration Test, the following tasks are carried out:
• Whether an ordinary employee can access confidential information is checked.
• Suggestions are developed to neutralize the detected vulnerabilities.
• The identified information security vulnerabilities and the ways they could be exploited are determined.
• The possibility of entering the local network from outside is checked.
• The possibilities of elevating the privileges of an ordinary employee are checked.
The test methodology is agreed individually with each customer. However, best-practice guides accepted in the industry, such as NIST SP 800-115 and OSSTMM (Open Source Security Testing Methodology Manual), are always taken as the basis.
What are the main goals of a Pentest?
1. General assessment of the company's security level.
2. Compliance with the requirements of various standards and regulatory documents. For example, article 11.3 of the PCI DSS standard requires companies that process payment card data to run an annual penetration test. At the same time, the penetration test must cover the entire cardholder data environment.
Another example is the requirement of the regulation of 24.07.2012, B.02.1.BDK.0.77.00.00 / 010.06.02-1, published by the BRSA (Banking Regulation and Supervision Agency), which obliges money transfer companies to have a pentest at least once a year.
Penetration Tests cover the following areas:
• Control of the existing communication infrastructure and the active devices used,
• Domain Name System (DNS) services,
• Client domain and user computers,
• E-mail services,
• Databases and Database application systems,
• Internet and Web applications used on the Intranet,
• Company Mobile applications,
• Wireless Network Systems,
• ATM Systems,
• Denial of Service tests such as DoS and DDoS,
• Code Analysis,
• Social Engineering,
• Internal Penetration Test (Intranet Security Checkup).
Benefits of having a penetration test
• Preventing events that may adversely affect corporate reputation and customer safety,
• Practical security control of the company instead of “security on paper”,
• Mandatory compliance with PCI DSS, 382-P and other similar standards,
• Reducing the risk of information leakage and unauthorized access,
• Use of modern tools that simulate all known attack types,
• Identification of the places in your systems that are most vulnerable in terms of information security,
• Detection of all other critical threats to information security.
Steps of a Penetration Test:
• Analysis of publicly available information about the company and its information environment;
• Conducting social engineering research;
• Vulnerability analysis of internal and external resources;
• Carrying out the penetration;
• Creating the reporting documents.