Пентест (pentest): тестирование на проникновение, стоимость проведения

About

A penetration test, or a pentest for short, identifies weaknesses in the corporate network security and network infrastructure elements. It analyzes external and internal threats and vulnerabilities with automated tools to check, if the penetration, including manual hacking methods, is possible.

The final test results are listed in the detailed report. The report includes the description of vulnerabilities, their criticality, and recommendations on how to eliminate them.

Request a pentest

The following goals are met during a pentest:

Check if an ordinary staff member can access confidential information

Find information security vulnerabilities and ways they can be exploited

Check if a staff member can escalate their own privileges

Develop recommendations to address detected vulnerabilities

Check if the local network can be accessed from the outside

Details

The testing methodology is developed individually for each customer and must be approved. However, the best industry practices, such as NIST SP800-115 and OSSTMM, are always considered as a basis.

Main pentest goals

General test of the organization’s information security.
Compliance with different standards and regulations. For example, organizations that process payment card data must carry out an annual check against PCI DSS Requirement 11.3. The test scope must cover the whole perimeter of cardholder data environment.

Tools

Multifunctional vulnerability scanners such as Nessus and Burp Suite, which detect «holes» in applications, operating systems and corporate networks

Manual testing, when a pentester tries to compromise protection through the browser’s address bar and exploit vulnerabilities in operating systems, software, hardware, and so on

Professional software, for example, utilities from Kali Linux distribution: Metasploit, Nmap and others

Testing stages

External Security Analysis—Black Box model

ITGLOBAL.COM specialists use the Internet to organize a series of attacks through the customer’s public resources.
Internal Security Analysis—Grey Box or White Box model

The customer provides remote access to their internal network, using a VPN connection, for example. Attacks are made using ordinary staff rights.
Preparing a pentest report

The report covers the testing methodology, test objects, detected vulnerabilities, their criticality, and includes recommendations on how to address them.