Copyright © 2021 SPEX Yazılım ve Siber Güvenlik Hizmetleri A.Ş.

Penetration Testing

admin • 13 January 2022

Penetration testing, which has a much wider scope and impact than vulnerability scanning, is the leading measure to take against cyber-attacks.

What is Penetration Testing?

Penetration testing, known briefly as a “pentest”, is a simulated cyber-attack; it can be thought of as a cyber-attack rehearsal. First, the security flaws of the target system are identified. Then, using the same or similar tools that real attackers use, a simulated attack is carried out and the system is infiltrated in order to reveal the damage that the identified flaws could cause. Because these tests clearly show the size of the potential damage to the system, they give the opportunity to fix security flaws before a real attack occurs.

What Is the Aim of Penetration Testing?

The purpose of penetration testing is not only to determine the security flaws of a system. The main aim is to fix the vulnerabilities that are found before a possible cyber-attack takes place, and thereby raise the bar on system security.

There is a significant difference between vulnerability assessment and penetration testing. Whereas a vulnerability assessment only identifies security flaws, a penetration test clearly reveals the possible damage those vulnerabilities could cause.

Penetration testing is more costly, because it gives definitive results and takes much longer to complete than a vulnerability assessment.

Therefore, within the scope of cyber-security services, it is suggested that the more affordable vulnerability assessments be performed several times a year (for instance, quarterly), while penetration tests are performed at least once a year.

What Are the Penetration Testing Approaches?

The Black Box Approach:

The firm being tested does not share any preliminary information about the system with the security firm. Since the penetration test is performed without prior knowledge, the possibility of unintentional damage to the system is high and the test period is quite long.

The Gray Box Approach:

In this approach, limited preliminary information is handed over to the security firm (for instance, a list of IP addresses or system version information). The test period is shorter than in the black-box approach and the possibility of unintentional damage to the system is lower.

The White Box Approach:

In this approach, all system information is shared with the security firm by the firm being tested. There is no possibility of damage to the system. Compared to the other two approaches, the test period is much shorter.

How to Perform Penetration Testing? What are the Test Stages?

It is possible to summarize the penetration testing stages under six headings.

Planning Phase (Goal and Scoping)

The firm being tested and the security firm agree on which systems, infrastructure, or applications the test will target (the scope of the test) and which test approach (black-box, white-box, or gray-box) will be used. In order to distinguish the test from a real attack, the IP addresses that the security firm will use during the test are notified to the client company in advance.

Information Gathering and Discovery Phase

This is the phase in which the security firm performing the test collects first passive and then active information about the target system from an attacker’s point of view. Passive information gathering covers the domain name and similar information that can usually be obtained via internet services without directly accessing the target system. Active information gathering, on the other hand, covers information that is obtained by accessing the target system directly, such as the system infrastructure and the programming language used.

Vulnerability Detection and Analysis Phase

This is the phase in which the target system is scanned with automated tools in order to detect security vulnerabilities. Based on the vulnerabilities found by the scan, analysis and planning are carried out regarding which threat models will be used in the next phase, infiltration or attack.

Infiltration Phase (Attack and Authorization)

At this phase, the effects of the security vulnerabilities on the system are first examined by looking for answers to questions such as “Is the system open to unauthorized access? Can such access interrupt system operation?” The purpose is to reveal to what extent the vulnerabilities detected in the previous phase pose a real risk. After initial access is obtained, automated exploitation software (exploits, payloads) is run. The purpose here is to clearly reveal risks such as whether the attacker can expand the limits of their authority, which files can be accessed without authorization, whether privileges can be escalated, how the attacker progresses through the system, and whether critical areas can be reached.

Analysis and Reporting Phase

In the light of the data and information obtained from the penetration test, the security firm prepares a report containing the detected system vulnerabilities, the risks these vulnerabilities create, the critical files that could be seized by a possible attack, and suggested solutions, and presents it to the institution that commissioned the test. The report must be prepared in accordance with BRSA, TSE, and ISO 27001 standards.

Cleaning Phase

The penetration test ends with a system cleanup. Any changes made to the system by the automated software are reverted and the system is returned to its pre-test state.
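The planning phase above requires the security firm to declare its test IP addresses in advance so that the client can tell the test apart from a real attack. The following Python triage helper is an added example (not code from the original post or from SPEX) of how the client’s monitoring side can use that declaration: it labels log events against a hypothetical engagement record (tester ranges, agreed scope, test window), and treats declared tester traffic that falls outside the window or hits an undeclared target as something to confirm rather than silently whitelist. The engagement values and log lines are constructed.

```python
import ipaddress
from datetime import datetime, timezone

# Hypothetical engagement record agreed in the planning phase (constructed
# values using documentation address ranges; not a real client or tester).
ENGAGEMENT = {
    "tester_ranges": [ipaddress.ip_network("203.0.113.0/28"),
                      ipaddress.ip_network("198.51.100.77/32")],
    "scope_targets": [ipaddress.ip_network("192.0.2.0/24")],
    "window": (datetime(2022, 1, 13, 8, 0, tzinfo=timezone.utc),
               datetime(2022, 1, 14, 18, 0, tzinfo=timezone.utc)),
}

# Constructed firewall-style log lines: "<iso-time> <src> -> <dst> <verdict>".
SAMPLE_LOG = [
    "2022-01-13T09:15:00+00:00 203.0.113.5 -> 192.0.2.10 ALLOW",
    "2022-01-13T09:16:00+00:00 203.0.113.5 -> 192.0.2.11 DENY",
    "2022-01-15T02:00:00+00:00 203.0.113.5 -> 192.0.2.10 DENY",
    "2022-01-13T10:00:00+00:00 198.51.100.77 -> 192.0.3.4 ALLOW",
    "2022-01-13T10:05:00+00:00 198.51.100.9 -> 192.0.2.10 DENY",
]

def parse_event(line):
    """Split one constructed log line into typed fields."""
    ts, src, _arrow, dst, verdict = line.split()
    return {"time": datetime.fromisoformat(ts), "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "verdict": verdict}

def classify(event, engagement=ENGAGEMENT):
    """Label an event against the declared tester ranges, scope and window."""
    from_tester = any(event["src"] in net for net in engagement["tester_ranges"])
    in_scope = any(event["dst"] in net for net in engagement["scope_targets"])
    start, end = engagement["window"]
    if not from_tester:
        return "investigate"               # undeclared source: treat as a real attack
    if not (start <= event["time"] <= end):
        return "tester-ip-outside-window"  # declared range, undeclared time: confirm with the firm
    if not in_scope:
        return "tester-ip-out-of-scope"    # declared range hitting an undeclared target
    return "authorized-test"

def triage(lines, engagement=ENGAGEMENT):
    """Count events per label so the SOC sees at a glance what needs attention."""
    counts = {}
    for line in lines:
        label = classify(parse_event(line), engagement)
        counts[label] = counts.get(label, 0) + 1
    return counts
```

Running `triage(SAMPLE_LOG)` on the constructed lines yields two authorized-test events and one event in each of the three other categories; only the "investigate" event is handled as a genuine attack, the two tester anomalies are raised with the security firm.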

What Are the Types of Penetration Testing?

Internal Network Pentest

These tests are carried out to identify internal threats to the corporate network and all equipment connected to it. They are based on scenarios that simulate attacks by authenticated and unauthenticated, unauthorized, or fraudulent internal network users.

External Network Pentest

This is the type of test in which attack simulations target an institution’s internet-facing servers and devices, such as DNS, e-mail, and web servers and firewall devices. The purpose is to reveal the risks posed by attacks that may come from outside the institution.

Web Application Pentest

This is a type of test applied to detect the risks that may be caused by vulnerabilities in an institution’s web-based applications and browsers that stem from faulty or incomplete development, design, or coding.
