<Back
Meet the Pentest

Hello everyone 🖖


Today we are beginning to dive into the fascinating world of information security, or more precisely, into one of its significant subsections - penetration testing.


What is Penetration Testing (Pentest)?


An enterprise's corporate network can be external, which unites various servers and other remote devices, and internal (local area network), which unites enterprise devices located within the office location into a network. Each of these devices performs some function, for example, a server for a corporate website, a data warehouse or an employee's work computer.


Both operating systems and programs may have weaknesses. If you put pressure on these weaknesses correctly, you can gain access to the management of the device(s), and then use certain methods to capture the entire corporate network. Thus, it is possible to divide the pentest into external and internal. We will talk about this in more detail in the section "Main stages of testing".


Thus, a pentest is a simulation of a hacker attack, which is aimed at finding and compromising vulnerable devices in the external and internal network of an enterprise, or in the global Internet as a whole, in order to steal data or take the device out of working condition.


Testing methodology


White box methods. In this group of tests, the tester knows the system being tested well and has full access to all its components. The testers work with the client and have access to private information, servers, running software, network circuits, and sometimes even credentials. This type of testing is usually carried out to test new applications before they are put into operation, as well as to regularly check the system as part of its life cycle - Systems Development Life Cycle (SDLC). Such measures make it possible to identify and eliminate vulnerabilities earlier than they can get into the system and harm it.


"Black box" methods. This group of tests is applicable when the tester does not know anything about the system under test. This type of testing is most similar to real attacker attacks. The tester must obtain all the information by creatively applying the methods and tools at his disposal, but without going beyond the agreement concluded with the client. But this method also has its drawbacks: although it simulates a real attack on a system or applications, the tester, using only it, may miss some vulnerabilities. This is a very expensive test, since takes a lot of time. Performing it, the tester will study all possible directions of attack and only after that will report the results. In addition, in order not to damage the system being tested and not cause a failure, the tester must be very careful.


Methods of the "gray box". The test takes into account all the advantages and disadvantages of the first two tests. In this case, only limited information is available to the tester that allows an external attack on the system. Trials usually performed in a limited volume, when the tester knows a little about the system. An example of information is a range of IP addresses that need to be checked for vulnerability.


Conclusion


Penetration testing is a very large and significant section of information security. It helps many companies around the world to reduce the risks of compromising devices, to identify unscrupulous personnel. With each new article on this topic, we will dive deeper into the world of pentest. In the next publication, we will consider, in general terms, what stages classical penetration testing consists of.

Hashtags:
#pentest
Share:

Lates

About graphs, simply.

In this article, we will begin our acquaintance with graphs, get acquainted with the breadth-first search algorithm (BFS) and implement the graph in the Rust programming language.

#graphs
#rust
#algorithms

What is the difference between outsourcing development and outstaffing an IT employee for development?

In this article we will understand what outsourcing and outstaff development are.

#developmentprocess

Reducing the implementation period of MVP

Let's figure out the timing of the implementation of the MVP.

#developmentprocess

Testing an MVP concept

We will figure out how not to waste the budget on MVP development in vain

#developmentprocess

Incorrect estimation of the cost of IT contractor services

Today we will talk about the incorrect assessment of the cost of developing IT solutions. This pain is one of the main ones for enterprises and startups, including IT contractors themselves.

#consultin

Introduction to Design Patterns in Software Development

In this article, we will begin to dive into the world of optimizing application architecture using design patterns.

#designpatterns

OSI Model Levels

In this article, we will take a closer look at each of the levels of the OSI model

#networks
#osi

Documenting code in the Rust programming language

In this article, we will look at how documentation takes place in Rust and consider a very useful opportunity - writing tests through documentation.

#rust

Introduction to the OSI model

In this article we begin to consider the fundamental model of network interaction - OSI

#networks

CSS animation ripple

A simple example of how to implement ripple animation using HTML and CSS

#css

From concept to MVP

In this article, you will learn, by example, how to move from a concept to an MVP without unnecessary complications in the functionality of the product

#developmentprocess

Introduction to writing the terms of references

The Terms of Reference are an important part of the development process. In this article, we will begin to dive into this issue.

#developmentprocess

Introduction to software development

Today, most companies are faced with IT development and often do not get what they want. In this article, we begin to dive into the process of creating IT solutions.

#developmentprocess

From idea to concept

In this publication, we will talk about how the idea differs from the concept. Let's do this with an example of a specific goal

#developmentprocess

Weighted graphs

In this article, we will get acquainted with weighted graphs, Dijkstra's algorithm, and its implementation in the Rust programming language.

#algorithms
#graphs

Why does a VPN business need?

In this article, we will look at how you can secure access to enterprise cloud resources using a VPN

#networks
#vpn