A penetration test, or pentest for short, identifies weaknesses in the corporate network security and network infrastructure elements. It analyzes external and internal threats and vulnerabilities with automated tools and manual hacking methods to check whether penetration is possible.
The final results are listed in a detailed report. The report includes a description of the vulnerabilities, their criticality, and recommendations on how to eliminate them.
The following goals are met during a pentest:
- Check if an ordinary staff member can access confidential information
- Find information security vulnerabilities and ways they can be exploited
- Check if a staff member can escalate their own privileges
- Develop recommendations to address detected vulnerabilities
- Check if the local network can be accessed from the outside
The testing methodology is developed individually for each customer and must be approved before testing begins. However, industry best practices, such as NIST SP800-115 and OSSTMM, are always used as a basis.
Main pentest goals
- General test of the organization’s information security.
- Compliance with different standards and regulations. For example, organizations that process payment card data must carry out an annual check against PCI DSS Requirement 11.3. The test scope must cover the whole perimeter of the cardholder data environment.
External Security Analysis—Black Box model
ITGLOBAL.COM specialists use the Internet to organize a series of attacks through the customer’s public resources.
Internal Security Analysis—Grey Box or White Box model
The customer provides remote access to their internal network, for example via a VPN connection. Attacks are carried out with the privileges of an ordinary staff member.
Preparing a pentest report
The report covers the testing methodology, test objects, detected vulnerabilities, their criticality, and includes recommendations on how to address them.
- An opportunity to prevent incidents that can damage the company’s reputation and compromise customer safety
- Compliance with PCI DSS and other standards
- Use of up-to-date tools that simulate all known types of attacks
- A practical security test, not a theoretical one
- Reduced risk of information leaks and unauthorized access
- Detection of all critical information security threats