Pentest / Тест на проникновение

Simulation of targeted attacks to identify vulnerabilities in IT infrastructure

About

A penetration test, or a pentest for short, identifies weaknesses in the corporate network security and network infrastructure elements. It analyzes external and internal threats and vulnerabilities with automated tools to check, if the penetration, including manual hacking methods, is possible.

The final test results are listed in the detailed report. The report includes the description of vulnerabilities, their criticality, and recommendations on how to eliminate them.

Request a pentest

The following goals are met during a pentest:

Check if an ordinary staff member can access confidential information

Find information security vulnerabilities and ways they can be exploited

Check if a staff member can escalate their own privileges

Develop recommendations to address detected vulnerabilities

Check if the local network can be accessed from the outside

Details

The testing methodology is developed individually for each customer and must be approved. However, the best industry practices, such as NIST SP800-115 and OSSTMM, are always considered as a basis.

Main pentest goals

  • General test of the organization’s information security.
  • Compliance with different standards and regulations. For example, organizations that process payment card data must carry out an annual check against PCI DSS Requirement 11.3. The test scope must cover the whole perimeter of cardholder data environment.

Tools



Multifunctional vulnerability scanners such as Nessus and Burp Suite, which detect «holes» in applications, operating systems and corporate networks


Manual testing, when a pentester tries to compromise protection through the browser’s address bar and exploit vulnerabilities in operating systems, software, hardware, and so on


Professional software, for example, utilities from Kali Linux distribution: Metasploit, Nmap and others

Testing stages

  1. External Security Analysis—Black Box model

    ITGLOBAL.COM specialists use the Internet to organize a series of attacks through the customer’s public resources.

  2. Internal Security Analysis—Grey Box or White Box model

    The customer provides remote access to their internal network, using a VPN connection, for example. Attacks are made using ordinary staff rights.

  3. Preparing a pentest report

    The report covers the testing methodology, test objects, detected vulnerabilities, their criticality, and includes recommendations on how to address them.

Advantages

An opportunity to prevent incidents that can violate the company’s reputation and compromise customer safety

Compliance with PCI DSS and other standards

Using up-to-date tools that simulate all known types of attacks

Not a theoretical security test, but a practical one

Reducing the risks of information leaks and unauthorized access

Detecting all critical information security threats

Related Solutions

Аудит ИБ

audit_big
Внешняя оценка защищенности ваших ИТ-сервисов с выдачей экспертных рекомендаций

Подготовка к сертификации по PCI DSS

5
Подготовка к QSA-аудиту и сертификации по стандарту PCI DSS

SOC

Мониторинг событий в ИБ и реагирование на происходящие инциденты в режиме реального времени

Консультация

Have a question or interested in learning more how IT can help your business? Please connect with us.