What is Pentest?
It is a check (or testing) for penetration and system security (searching and exploitation of vulnerabilities) – this is a search for vulnerabilities in the selected information system. Typically, a penetration test is a method for assessing the level of security of information networks, which fully simulates a cybercriminal attack (penetration test). A team of IT specialists in information security plays the role of hackers and tries to hack the system by prior agreement with the owner of the information system, using all possible system vulnerabilities.
The purpose of the pentest is the next one:
Find all possible vulnerabilities of the system that can lead to any violations:
– violations of confidentiality
– integrity of information
– availability of information,
– provoke incorrect system operation
– lead to denial of service.
– to assume possible financial losses and economic risks from threats as well.
Pentesting concerns both the virtual security layer of information systems and the physical one associated with equipment. By the way, having minimal information about the CMS used on the site, server settings and the list of scripts used on the same site, you can quickly google and find existing vulnerabilities, fresh prescription, in order to speed up the penetration process and not scan and search for super complex vulnerabilities for a long time. And this opportunity is used by both novice hackers and more experienced ones. As practice shows, a huge number of webmasters who create sites do not know the basic security measures during the usual installation of plugins “by default” on the same WordPress.
After the pentest
After receiving the results, Datami.ua experts give an assessment of the current level of cybersecurity, which will allow calculating the current level of security of information systems, which will help to understand how the system is able to endure a hacking attempt. Also, the report will contain information about how long it takes to successfully attack a client and what resources are needed for this. Based on the results obtained, the pentest customer will be provided with a list of recommendations for removing the ensuing list of vulnerabilities.
Modeling the actions of a cybercriminal infers an attack on such objects (objects of verification):
– information system database management structures
– network equipment used to service the IS
– network services and services (for example, e-mail) related to the company’s IS
– information security tools
– software installed on servers
– server and user Operating Systems
To conduct a site penetration test, many different programs are used, such as Nmap or Nessus, the Kali Linux operating system, etc. The software that must be used in a particular case is chosen by the cybersecurity specialist himself. Different programs are needed in different cases. You cannot use the same set of software to check different levels of sites, servers or entire systems. This is the choice of specialists who need to check all possible “holes” in the security system.
Penetration testing –
is a rather interesting “journey” through the client’s information bases, where it is necessary to make decisions as you enter into the depth of networks. And the more vulnerabilities are found, the more software needs to be used at one or another stage of the penetration test. In such work, penetration testers often use an external IP address, connecting the most popular programs Router Scan and NMap, which allows them to find vulnerabilities, for example, in Windows, whose components often have many “entrances” for attackers.
Pentest results (what is the output?):
Pentest report usually consists of the following items:
– Pentest start date and end date with the exact time
– Information about the specialist or the team performing the work
– Reasons for starting the test (suspicions, contract with the customer, etc. .)
– information provided by the client
– a small FAQ with an indication of the terms used in the report, links
– history (log) of testing for vulnerabilities (penetration testing process) – a list of found threats and vulnerabilities
-recommendations and tips for eliminating vulnerabilities
Penetration testing is carried out using a whole list of special software, various applications (password matching, exploration vulnerabilities in ports of IP networks, detection of malicious programs). Therefore, it covers a large number of verification points.
The most common of which are below in the list:
– collection of information (search for customer data in open sources, collection of data on employee permits) this is especially important for social engineering (we recommend using multifactor authentication). It is very important to gather as much information as possible about the company, about its employees (including former ones). Here you need all the data: and social networks, domains, email addresses. mail, the structure of the company with positions, the list of sites of providers of IT solutions for this company, DNS servers, the data milked in, etc.
– searching for a technical base. It is collecting data about existing resources, operating systems, software, and applications that the company uses to keep information resources running.
– the analysis of vulnerabilities and threats. This is the detection of vulnerabilities in security systems, applications, and software using specialized programs and utilities. – exploitation and processing of data (at this stage there is a simulation of a real attack by attackers to obtain information about existing vulnerabilities for further analysis, as well as collecting data on the possible timing of hacking and calculation of economic risks).
– formation of the report (a stage of registration of the received information, drawing up of recommendations and instructions for the elimination of existing vulnerabilities).
Also during the pentest, we use all possible methods, such as:
– launching exploits
– intercepting traffic
– matching the passwords
– untwisting the obtained password hashes
– checking for the possibility of SQL injection/XSS
Why do you still need a pentest?
– to obtain information about the state of information security in the company
– allows you to identify vulnerabilities and vulnerabilities
– allows you to take timely measures to improve security
– to give an understanding of the current work of information security departments
– provides an action plan to address vulnerabilities.
How often do you need to do a pentest?
– at least once a year, but it all depends on the traffic of the site, the database, and the load on the server.
It should also be clarified that when conducting a pentest, it is better to look for a specialist on the side or in a company that specializes in cybersecurity. The full-time employee of the company, which is responsible for the security of information systems, is not very suitable for such a task due to personal interest in the results. He may hide real threats due to the detection of his incompetence or simply not have the necessary level of knowledge. The remote expert is more likely to find all the vulnerabilities and get the job done on time.
What can’t the penetration test detect?
Do not forget to check your cute secretaries at the workplace, as there you can find the most interesting stickers pasted on the monitor with a password to access the admin panel of the site, through which you can quickly get into all the protected places of the server and no “protection” of the cybersecurity department it will not help. And also – check the newly purchased Wi-Fi routers for a password to access it “by default”, because many often do not set their passwords, using the “default” password written on the sticker on the bottom of the router along with the serial number of the device. Prevent employees from using VPN to log into secure company databases.