Penetration Tests

The goal of penetration testing is to determine whether a mature security posture can withstand an intrusion attempt from an advanced attacker with a specific goal. In other words, penetration testing is a deliberate attempt to gain access to systems that you are not supposed to have access to.

The main thing that separates a penetration tester from an attacker is permission. The penetration tester has permission from the owner of the computing resources being tested and is responsible for providing a report. The goal of a penetration test is to increase the security of the computing resources being tested.

Who needs penetration testing

Of course, when we talk about the need for anything related to security, it always comes down to the answer to the question: is IT security important for me? What are the losses if my information is accessed from outside, damaged or altered?

We could say that penetration testing is the “last” measure when it comes to security. Generalizing, the process goes like this. First you realize the risk of being hacked, and then you invest in some security measures, such as a firewall, antivirus and intrusion prevention systems. You write a security policy and then redesign your systems and processes to fit the policies that you have come up with. The next logical step is to get someone to perform a security audit. Not that others know more than you; it is just important to have a third party look over what you have come up with. In most cases the audit will show some vulnerabilities, and you will immediately address them based on their priority. So now you have a secured system and, most importantly, you know which is your most “precious” asset. Then you find someone to perform a penetration test and try to gain access to this “precious” asset. So penetration testing is the last measure.

For the sake of completeness: vulnerability assessment is something that should be done periodically and is part of the initial security audit.

In most cases penetration testing is requested by clients who believe their defenses to be strong and want to test that assertion. Some regulatory standards also require penetration test results for compliance.

What kinds of penetration tests are there

In most cases penetration tests are divided based on the focus of the test. For example, common penetration tests are:

– Network services test

This is one of the most common types of penetration tests, and involves finding target systems on the network, searching for openings in their base operating systems and available network services, and then exploiting them remotely.

– Web application test

These penetration tests look for security vulnerabilities in the web-based applications and programs deployed and installed on the target environment.

– Wireless security test

These penetration tests involve discovering a target’s physical environment to find unauthorized wireless access points or authorized wireless access points with security weaknesses.

– Social engineering test

This type of penetration test involves attempting to get a user to reveal sensitive information such as a password or any other sensitive data. These tests are often conducted over the phone, targeting selected help desks, users or employees, and evaluating processes, procedures, and user awareness.

Internal/External

External penetration testing is, let’s say, the logical choice, because by default we assume that the attacker is an outsider to our organization. Unfortunately that is not entirely true these days, especially given all the malware that exists right now. So we need to think of security from within, and therefore invest in penetration testing from the inside.

White-box/Black-box

Depending on what the pen-tester knows about the network that he/she attacks, the test could be black-box (the pen-tester does not know anything) or white-box (the pen-tester already has knowledge of the system design, software code, etc.).

Targeted / Untargeted

A penetration test could be targeted, that is, have a specific goal, such as changing a specific entry in a specific MS SQL database. A penetration test could also be wider, and its goal could be to test all of my web services for any vulnerabilities.

What kind of penetration tests Telelink can do

We have more than 60 engineers specialized in different technology areas, including developers. We tend to believe that we could deliver a variety of penetration services to fit your needs, so we are open to challenges.

What are the deliverables

In most cases, a detailed report of which vulnerabilities were found and how they were exploited.