
Welcome to SEC-PEDIA

Free dictionary concerning the world of cyber security

Penetration Test or Pen-Testing.

A penetration test is a method of evaluating the security of a computer, network or technology, by simulating a deliberate attack, analyzing and investigating systems, testing the response of defense systems, etc.

We work mainly with three types of tests (the chosen type is then applied to the required field; see details below):

  • Black Box
  • Gray Box
  • White Box

Cyber attack configuration

A Black Box test is usually performed as an external test, or at least that is how it starts. If the tester manages to penetrate, it can also continue into the organization, depending on the purpose of the test and the limits agreed in advance. In this test the pen tester receives no details or preliminary information about the organization or its existing systems. It simulates a very realistic situation in which a “hacker” who does not belong to the organization and has no inside information wants to break in. This test usually takes longer, since a large part of it is information gathering. Another disadvantage is that the test will likely not cover all the existing systems and areas in the organization.
In software testing and web application testing, a Black Box test means testing the application with no prior information about it and without access to the source code or its specification, so vulnerabilities cannot be sought in the code itself.

The second test, Gray Box, is a test in which the pen tester receives limited information about the organization and its information systems. In some cases the pen tester is given limited access to the organizational network, and the test can be performed inside or outside the organization, depending on what is agreed in advance and the amount of information the tester receives.
In the field of software, this test means that the pen tester receives limited information about the software, sometimes including a small part of the source code, and tries to find vulnerabilities both by reading the code and by an “external” test.

The tests can also be divided into external, internal and combined tests.

A White Box test is usually performed as an internal test. The pen tester receives full information about the organization and the details of its information systems and defense systems, to allow an examination that is as comprehensive and specific as possible and finds as many vulnerabilities as possible. The tester is given full access to the network and does not need to work his way into it. The test can simulate an attacker from within the organization (for example, a dissatisfied employee who wants revenge) who already has access to the network and company resources. This test makes the most of the available time; however, it does not simulate a realistic scenario of an attacker who does not belong to the organization.

In the field of software, this test means that the examiner receives all the source code of the software, including its specification and detailed information, in order to find vulnerabilities in the code and in the software mechanisms visible from the development side.

Fields of existing assessments

Internal Pen-Testing

An internal pen test is an attempt to penetrate and gain access to the enterprise information systems from the point of view of an attacker who has access to the internal network or works with limited access to the network. Organizations often do not attach much importance to attacks from inside the organization, but the damage they can cause is huge and should be taken very seriously.

During an internal penetration test we try to escalate our privileges as far as possible in order to gain access to all the devices that are included in the test.

As proof of the test and verification of the data, the report will indicate, among other things, the following details if they are found during the test:

  • Administrative access passwords
  • Access passwords to databases
  • Screenshots
  • Confidential emails
  • Confidential documents, etc.

An internal penetration test is conducted according to the usual standards of penetration tests:

  • Collection of information about the internal network
  • Scan for vulnerabilities
  • Identify relevant weaknesses
  • Attack attempt
  • Preparation of a comprehensive report

The report summarizing the assessment does not include only technical details; even a person who is not versed in the technical concepts of information security can understand the results.

External Pen-Testing

An external penetration test examines the ability of the organization’s computer systems to withstand external attacks. These attacks usually occur without prior information about the inside of the organization, and take the form of either a deliberate external attack or a random attack on the organization.

In this process we scan the information systems and network that are accessible to us from outside the organization, with the intention of locating existing vulnerabilities that could lead to intrusion or damage to the organization.

An external test can also continue as an internal test if an intrusion into the internal network has indeed taken place, but this is of course according to what is agreed in advance.

In this test we realistically simulate the actions that an attacker will most likely attempt, using the following methodology:

  • Gathering external information about the organization and checking its relevance regarding the intrusion test.
  • Perform a vulnerability scan to identify existing vulnerabilities.
  • Conducting a risk survey based on the results of the scan, in order to prioritize the findings and assess their relevance.
  • Carrying out a “safe intrusion” process based on the previous findings.
  • Testing network devices that are accessible from outside the organization, such as firewalls, routers, mail servers, etc.
  • Preparation of a comprehensive report.

Web & Mobile Application Pen-Testing

Penetration testing is a method of assessing the security of a networked computing device by simulating an attack. An application penetration test (web application) focuses only on assessing the security status of the application; by application we of course also mean a website.

The testing process includes an active analysis of the application to identify weaknesses, technical failures, or potential vulnerabilities.

Any weakness found will be presented to the site owner together with a risk assessment, including the weight of the weakness according to its impact on the organization and, of course, a recommendation for a technical solution.

Our web tests follow OWASP (Open Web Application Security Project), which provides guidance on the main and most important weaknesses on the application side.

Infrastructure Pen-Testing

Infrastructure testing is a penetration test or vulnerability assessment of computer systems, network devices or IP address ranges to identify vulnerabilities that could be exploited. Testing should be conducted from outside the organization (external testing) and from inside the organization.

The vulnerabilities identified are reported back to the system owner along with mitigation recommendations.

Infrastructure testing can also be used to test an organization’s compliance with security policies and how effectively it can respond to security threats.

Social Engineering

A penetration test that incorporates a “Social Engineering” test checks employees’ awareness, including an attempt to infiltrate and attack the organization through “social engineering” attacks, after which conclusions are drawn and the results are shared with employees.
