What is Penetration Testing?

Penetration testing is a security evaluation executed exactly as a real attacker would. System vulnerabilities are discovered and exploits are launched trying to obtain unauthorized access. The objective is to inform the organization of the security issues that could result by not having the necessary security measures.

By Craig Ford - Cyber Security Specialist

The main objective of the test is the identification of potential vulnerabilities in the systems and network structures. Utilising specialised tools to carry out a simulated attack, measuring the impact and scope that would result when undergoing a security breach directed towards the company.

In this way, the companies weaknesses and security gaps would be known, allowing security professionals to shield and strengthen the security layers implemented in its infrastructure.

This type of ethical hacking test is recommended to be carried out at least once a year so that this way you carry out continuous improvement in your information security.

Types of Penetration Tests

The following are important types of penetration tests and types of penetration testing tools we employ:

 

White Box Penetration Testing

The Penetration Tester must have full knowledge of the target to attack, so it is necessary that the IT Security administrator can share this information with the Tester. The administrator will have knowledge about the type of test to be carried out and when they will be carried out.

Black Box Penetration Testing

The Penetration Tester does not have any information about the target, simulating an external attacker to the organization, so the Tester would be in charge of carrying out the proper investigation by its own means, either by means of social engineering, scans of ports, vulnerability scans, etc. These tests can be performed from remote locations or even within the organisation’s offices.

Gray Box Penetration Testing

The Pen Tester has a certain amount of objective information, so it is a combination of White and Black Box.

Stages of Penetration Testing:

Agreement phase

Planning and preparation begin with the definition of the goals and objectives of penetration tests. The client and the tester must jointly define the objectives so that both parties have the same objectives and understanding. The common objectives of the penetration tests are to

  • Identify the vulnerability and improve the security of the systems.
  • Have IT security confirmed by an external agent.
  • Increase the security of the infrastructure of the organization/staff

Planning and reconnaissance

The reconnaissance includes an analysis of the preliminary information. Many times a tester does not have much information other than preliminary information, an IP address or IP address block. The tester starts by analyzing the available information and, if it is necessary, receives more information such as system descriptions, network plans, etc. from the client.

This step is a kind of passive penetration test the only objective is to obtain complete and detailed information of the systems.

Scan phase

Using the information obtained previously, possible attack vectors are searched. This stage involves the scanning of ports and services. Subsequently, the vulnerability scan is performed, which will define the attack vectors.

Enumeration phase

The objective of this stage is to obtain data referring to users, equipment names, and network services, among others. At this point of the audit, active connections are made to the system and queries are executed within it.

Access phase

In this stage, access to the system is finally made. This task is achieved from the exploitation of those detected vulnerabilities that were used by the auditor to compromise the system.

Access maintenance phase

After access to the system has been obtained, the way to preserve the compromised system available to whoever has attacked it is sought. The goal is to maintain access to the aforementioned system that lasts over time.

Importance of Penetration Testing

  • The security vulnerabilities of the architecture are identified and corrected before a hacker can find and exploit them; resulting in loss of business or unavailability of services.
  • Today, businesses must comply with various standards and compliance procedures. An intrusion test will ensure that deviations are corrected in time to be compliant. One of the examples is PCI-DSS; an organization that processes customer’s credit card information (store, processing, or transmission) must have it PCI-DSS certified. One of the requirements is to have intrusion tests carried out.
  • The penetration tests will be a revelation or a check of the internal security controls of the organisation. How long does it take to identify attacks and take reactive measures? Do they realize that there has been a breach? If so, what do they do? And when they do, is it enough?
  • What will be the effect if a real attack occurs? What damage can be done? We can actually calculate the potential loss for the organization in case of an attack.

 

Penetration Testing deliverables

The result of a penetration test is a detailed report, which includes all the results of the security testing, as well as the countermeasures and recommendations necessary to protect your IT infrastructure.

  1. Executive summary: The executive summary describes your general safety posture and indicates elements that require immediate attention.
  2. Technical review: The technical review describes the activities carried out to determine the vulnerabilities and the results of the activities carried out when attacking the target systems, including the methodologies used.
  3. Vulnerabilities and exploits: We will provide a detailed list of discovered vulnerabilities, as well as their vulnerabilities, listed in order of importance.
  4. Recommendations: To optimize the protection of the assets identified in the report, we will provide a series of recommendations to strengthen your security posture.

If necessary, our team can also prepare a presentation of the results to your team.

The team at Davichi has all the penetration testing tools required to complete a full assessment of your security. Contact us today to safeguard your customer data, comply with legislation and protect your reputation.

Need more information?

For more information on cyber security, Click Contact Us, or call us on +61 7 3124 6059 and speak to a Davichi Representative Today!

Latest News

What is Penetration Testing?

What is Penetration Testing? Penetration testing is a security evaluation executed exactly as a real attacker would. System vulnerabilities are discovered and exploits are launched

Read More »
Silver cloulds next to computer monitors

Is the Cloud risky?

What are the Main Risks of Cloud Computing? The biggest risk of cloud computing is just that – the fact that it is cloud computing.

Read More »

Lets Talk

Please fill in this form, and our sales team will get back to you as soon as possible.