Attackers constantly change their tools and tactics in their search for vulnerabilities. To find out whether your security controls actually hold up, you have to test them under realistic pressure. Put simply: try to hack yourself, almost for real. The difference in an infrastructure penetration test (pentest) is that the hacking stays entirely under your control, and a successful attempt ends in a report rather than a breach.
The main goal of a penetration test is to find vulnerabilities in the client's infrastructure and applications that an attacker could exploit. It also shows how effective the organisation's IT security policies are in practice and where they need to be improved. Sometimes a penetration test is run specifically to check whether the information security team is ready to detect and repel an attack.
Who needs a pentest
For banks and other financial institutions, penetration testing is mandatory. For example, under Regulation of the Bank of Russia No. 683-P of 17 April 2019 (clause 3.2), banks must arrange penetration tests of their Internet-facing resources. Many similar regulatory requirements exist, and penalties are prescribed for non-compliance: a company that does not test can be fined by the regulator.
But it is not only about fines. Many commercial and government organisations run these checks regularly to make sure their systems are well protected. Penetration testing is an investment in security, because a vulnerability that is not closed in time can lead to multi-million-dollar losses after a successful attack.
Information about leaks also tends to reach the press and undermines the trust of customers and partners. A leak does not just damage the company's image; it also attracts fines. Under the GDPR (General Data Protection Regulation), which protects the personal data of people in the European Union, companies are fined for such leaks, and the fine is calculated as a share of the annual turnover of the whole corporate group. Russian regulators are still more lenient, but fines are likely to grow there too, and it is better not to let matters get that far.
You can read more about personal data regulation, including the GDPR, in our separate article.
Who does the testing
Penetration testing is a technically demanding procedure. One careless action can have irreversible consequences: an outage of the service, or the deletion of critical data. That is why a penetration test should be carried out by experienced specialists who know how to "hack" a system without damaging anything. They are sometimes called "white-hat hackers".
The parties agree in advance on what exactly is to be checked. For example, a company may want to know whether an attacker holding stolen credentials can elevate their privileges on a system. Once testing is complete, the customer receives a detailed report with recommendations for fixing and preventing the vulnerabilities found; for example, the company may be advised to adopt a stricter password policy.
The two main types of penetration testing are internal and external. In an internal test, the tester works from inside the client's infrastructure, for example from a laptop connected to the internal network, and tries, say, to elevate a user's privileges.
In an external test, the attack is carried out from outside the perimeter. Separately from the internal/external split, three approaches are distinguished by how much the tester knows in advance: "black box", "gray box" and "white box".
- Black box: the tester knows nothing about the system and tries to break in using only their own tools and publicly available information. This imitates the behaviour of an ordinary opportunistic attacker and shows how well the systems stand up to typical attacks.
- Gray box: the tester is given partial information about the infrastructure, such as a regular user account. This imitates a targeted attack, or an attack aided by an insider, that is, an employee who passes information to criminals. It shows, for example, whether the controls meant to prevent leaks caused by employees actually work.
- White box: the tester has all the information, including the source code. This approach checks whether the system can withstand an attack by someone with administrator- or developer-level knowledge.
There are also widely used international methodologies for such testing, for example the OWASP Testing Guide.
What does the customer get
Because the testing is done by experienced professionals, they also understand what has to change to close each gap. In the final report the customer sees a list of vulnerabilities and, for each one, the steps that led to its discovery and exploitation. If the parties agree, the customer can also receive more specific recommendations, up to particular protective products or equipment models with the required settings.
Outsourced penetration test
Penetration testing is usually outsourced, because an independent test is the most reliable one. There are also relatively few penetration testers on the market: it is a scarce specialisation because of the very high level of skill required. Large companies prefer to entrust such a sensitive procedure to established firms, so that they can be sure the results stay confidential.
Valeurbit is trusted by many market leaders. In one such engagement, an analysis carried out in accordance with international standards identified eight vulnerabilities, including insecure storage and transmission of user data. The bank received step-by-step recommendations, fixed the vulnerabilities and strengthened its defences.