PENETRATION TEST – VULNERABILITY ANALYSIS
What is a Penetration Test?
A penetration test lets us form an opinion about attacks that may reach the structure from internal or external sources and, if they happen, what kind of data and/or systems the attackers can access. How safe the systems and data are is therefore a specific question to be asked, and its answer is relative. A penetration test helps us find answers to these questions.
What is Vulnerability Analysis?
Vulnerability Analysis, or Vulnerability Assessment, is an in-depth analysis process in which vulnerabilities in the structure are described, identified, tested and ranked by significance. The goal is to detect and correct vulnerabilities that may harm the flow of processes before attackers attempt to use them, or to reduce these vulnerabilities to an acceptable level.
What are the types of penetration test?
There are three actively used types of penetration test. The type differs according to the target, the vector, the attack to be simulated and the system itself. Depending on these factors, the penetration test conducted for a company/organization differs, and each type addresses different problems.
Internal Penetration Test
It seeks an answer to the question of which data and/or systems can be accessed over the internal systems of the structure.
External Penetration Test
It seeks an answer to the question of which data and/or internal systems can be accessed over the external systems of the structure.
Web Application Penetration Test
It seeks an answer to the same question as the ‘External Penetration Test’, but the focus is on web applications.
What are the methods of a Penetration Test?
Blackbox: No foreknowledge about the structure and/or the system on which the test will be conducted is given to the Information Security Expert.
Whitebox & Crystalbox: All information about all the structures and/or the system inside the company/organization is given to the Information Security Expert.
Graybox: It is somewhere between ‘Whitebox & Crystalbox’ and ‘Blackbox’. No ‘detailed’ information about the structures and/or the systems is given to the Information Security Expert.
(*) The ‘Whitebox & Crystalbox’ and ‘Graybox’ methods aim to test the possible outcomes of an attack by an attacker (standard user or authorized user) who still works or previously worked in the company/organization and who has or had gained access (physical or logical) to the company/organization network. There is a common misconception at this point. The ‘Blackbox’ method is usually considered as “trying to ‘infiltrate’ the systems through the eyes of the attacker”, but the attacker will have enough information about the target structure. For this reason, ‘Whitebox & Crystalbox’ and ‘Graybox’ are more effective, efficient and result-oriented methods.
How do we do this?
At this stage, no active scanning is conducted on the system; only necessary information is gathered. The application platform, application programming language, application version, internal/external connections, server platform, and operating system are detected at this stage.
Scanning and Classification:
At this stage, in light of the information gathered at the first stage, a ‘scanning’ operation is conducted on the target system and/or some information is obtained from the responses the system gives to stimuli sent toward it.
At this stage, in light of the information gathered at ‘Step II’, an attempt is made to gain access through the vulnerabilities detected on the target system.
Managing the Access:
At this stage, the access rights obtained at ‘Step III’ through vulnerabilities in the target system are managed (for example, making the obtained access rights permanent on the system and/or creating an authorized user on the system).
At this stage, tracks (e.g. log records) left on the target system by the operations in the first four steps are cleaned up or corrupted. (APT: Advanced Persistent Threat)
When conducting these tests, we follow the steps above, taking international standards into consideration, and use a ‘customized’ structure that differs from ‘standard’ penetration tests. This ‘customized’ structure includes the parameters below.
At the stages of ‘Data Collection’ and ‘Scanning and Classification’, apart from internationally accepted tools (commercial and open-source), we use tools (Analysis & Scanning Tools) and exploits (Exploit Research & Development, DB) that we code ourselves. (These exploits can be coded before and/or during the penetration test. Each coded exploit is first tested in the Pentest Lab.)
As a result of a penetration test, a detailed report is prepared. This report includes separate parts such as the ‘Technical Report’, the ‘Administrator Report’ and the ‘Findings Report’. Completely ‘customized’ answers are given under the headings ‘detailed explanation of found vulnerabilities’, ‘indication of the vulnerability (its screenshot and/or printout)’ and ‘solutions for the vulnerability’. The vulnerability is first eliminated in the Pentest Lab environment, where a system similar to the target system on which the vulnerability was detected is created (hardening). Then the ‘solutions for the vulnerability’ are written up with detailed instructions.
If you would like to receive a penetration test service, please contact us.