Penetration testing imitates the actions of a potential attacker in order to assess whether unauthorized access to a corporate information system is possible and to demonstrate the weaknesses of the existing information security (IS) controls. It allows an organization to find vulnerabilities and weaknesses in its security system before cyber criminals do, and to assess its “practical” protection against attacks from the “real world”.
Simulating the actions of a potential attacker during testing serves the following purposes:
- identifying shortcomings and vulnerabilities in the information systems, software and information security measures in use, and assessing whether they can be exploited;
- demonstrating in practice that the vulnerabilities can be exploited (with examples);
- obtaining a comprehensive assessment of the current level of security of the organization and its external services.
After testing is completed, the following is carried out:
- development of specific recommendations for eliminating the identified deficiencies and raising the organization's level of security;
- consultations with, and participation of, Valeurbit specialists in the work of eliminating the identified vulnerabilities and shortcomings;
- follow-up tests and trials (after the vulnerabilities and deficiencies have been fixed) to confirm that the implemented measures are effective.
Penetration testing simulates both external and internal attackers and uses several methods:
- The “black box” method imitates an intruder who has no information about the organization and no access to its corporate network.
- The “gray box” method imitates an intruder with limited knowledge of the organization, its corporate network and its security system. The intruder may hold a valid user account with limited privileges in certain information systems (for example, an ordinary employee, or a client with remote access to the system).
- The “white box” method imitates an intruder who is an administrator or another user with detailed knowledge of the corporate network and security system. The intruder holds a valid user account, possibly an administrative one.
Penetration testing technologies
From the perspective of a potential attacker, authorized attempts are made to bypass the existing protection measures, and possible scenarios for penetrating the corporate network and achieving the testing goals are identified (for example, obtaining access rights, stealing confidential information, making changes to information systems, or disrupting the operation of individual network components, security systems or business processes).
Using social engineering methods that exploit the “human factor”, authorized attempts are made to gain unauthorized access to the corporate network and the protected assets of the target organization. These methods are, as a rule, aimed at the users of end systems, and they reveal how personnel react in normal and abnormal situations and how aware personnel are of the security requirements.
Description of some examples of sociotechnical methods
| Method | Description |
|---|---|
| Phishing | Creating a fake web page of a legitimate service (for example, a remote mail access page) and encouraging users to enter confidential data (for example, passwords) on it |
| Trojan horse | Sending users messages with malicious attachments and encouraging them to open them by means of targeted cover letters, file names, follow-up calls and other approaches |
| Pretexting | Modeling a specific scenario designed to gain the user's trust (based on preliminary collection of data about the organization, individual employees and their areas of responsibility), in order to induce the user to perform a specific action. For example, calling users in the guise of a person they are likely to trust (external or internal) in order to obtain confidential information |
| Road apple | Leaving infected media in public places of the organization (elevator, canteen, parking) with logos, labels or file names that motivate people to open them |
| “Quid pro quo” | Calling users as the “support service” with messages about problems on their personal computers and offering help in solving them |
| “Reverse” social engineering | Sending users emails from trusted addresses containing “support” contacts, creating problems on their computers, and waiting for calls or letters asking to fix the problems, in the course of which the necessary data can be obtained |