{"id":19886,"date":"2021-02-03T00:57:04","date_gmt":"2021-02-02T19:27:04","guid":{"rendered":"https:\/\/valeurbit.com\/blog\/?p=19886"},"modified":"2021-02-12T18:11:22","modified_gmt":"2021-02-12T12:41:22","slug":"pentest-who-needs-it-and-why","status":"publish","type":"post","link":"https:\/\/valeurbit.com\/blog\/pentest-who-needs-it-and-why\/","title":{"rendered":"Pentest: Who Needs It And Why?"},"content":{"rendered":"\n

In their search for vulnerabilities, hackers are constantly changing their tools and tactics. To understand whether your digital security measures are working or not, you need to test them for strength. Simply put – try to hack, almost for real. Only in the case of infrastructure penetration testing, or pentest – penetration test, hacking is completely under your control, and a successful attempt does not threaten anything.<\/p>\n\n\n\n

The main goal of a penetration test is to find vulnerabilities in the client’s infrastructure and applications that could potentially be exploited by attackers. In addition, penetration testing helps to understand how effective the developed IT security policies are and whether they should be improved. Sometimes penetration tests are carried out to check the readiness of information security specialists to repel attacks.<\/p>\n\n\n\n

Who needs a pentest<\/h2>\n\n\n\n

For banks and financial institutions, penetration testing is a mandatory procedure. For example, according to the Regulation of the Bank of Russia dated April 17, 2019 N 683-P (clause 3.2) , banks must organize a penetration test to check their Internet resources for vulnerabilities. There are many similar regulatory requirements, and sanctions are provided for failure to comply with them. If the company does not conduct testing, the regulator may fine it. <\/p>\n\n\n\n

But it’s not just about fines. Many commercial and government organizations conduct these checks on a regular basis to ensure that their systems are well protected. Penetration testing is an investment in security, as holes that are not closed in time can lead to multi-million dollar losses in the event of a successful attack.<\/p>\n\n\n\n

Also, information about leaks often gets into the press and undermines the trust of customers and partners. But leaks not only spoil the image, they are also subject to fines. The GDPR<\/a> (General Data Protection Regulation) applies to these citizens of European countries , companies are fined for such leaks. In this case, the amount of the fine is calculated based on the income of the parent company. In Russia, they are still more loyal to this, but, most likely, fines will also grow, and it is better not to bring the matter to them. <\/p>\n\n\n\n

You can read more about the regulation of personal data, including GDPR, in our separate material .<\/p>\n\n\n\n

Who is testing<\/h2>\n\n\n\n

Penetration testing is a technically complex procedure. One careless action can lead to irreversible consequences – the fall of the resource or the deletion of critical information. That is why the penetration test should be carried out by experienced specialists who know how to “hack” the system and not damage anything. Sometimes they are also called “white hackers”. <\/p>\n\n\n\n

The parties agree on the shore what needs to be checked. For example, a company needs to find out if it is possible to elevate a user’s privileges on a system with stolen credentials. After testing is completed, the customer receives a detailed report with recommendations for eliminating and preventing vulnerabilities – for example, the company can establish a more stringent password policy. <\/p>\n\n\n\n

Testing varieties<\/h2>\n\n\n\n

The two main types of penetration testing are internal and external. In the case of internal testing, the performer operates inside the client’s infrastructure with his laptop and, for example, tries to elevate the user’s privileges. <\/p>\n\n\n\n

In the case of external testing, the attack is carried out from the outside. At the same time, experts distinguish between three main methods – “black box”, “gray box” and “white box”.<\/p>\n\n\n\n