<Back

Meet the Pentest

Hello everyone 🖖

Today we are beginning to dive into the fascinating world of information security, or more precisely, into one of its significant subsections - penetration testing.

What is Penetration Testing (Pentest)?

An enterprise's corporate network can be external, which unites various servers and other remote devices, and internal (local area network), which unites enterprise devices located within the office location into a network. Each of these devices performs some function, for example, a server for a corporate website, a data warehouse or an employee's work computer.

Both operating systems and programs may have weaknesses. If you put pressure on these weaknesses correctly, you can gain access to the management of the device(s), and then use certain methods to capture the entire corporate network. Thus, it is possible to divide the pentest into external and internal. We will talk about this in more detail in the section "Main stages of testing".

Thus, a pentest is a simulation of a hacker attack, which is aimed at finding and compromising vulnerable devices in the external and internal network of an enterprise, or in the global Internet as a whole, in order to steal data or take the device out of working condition.

Testing methodology

White box methods. In this group of tests, the tester knows the system being tested well and has full access to all its components. The testers work with the client and have access to private information, servers, running software, network circuits, and sometimes even credentials. This type of testing is usually carried out to test new applications before they are put into operation, as well as to regularly check the system as part of its life cycle - Systems Development Life Cycle (SDLC). Such measures make it possible to identify and eliminate vulnerabilities earlier than they can get into the system and harm it.

"Black box" methods. This group of tests is applicable when the tester does not know anything about the system under test. This type of testing is most similar to real attacker attacks. The tester must obtain all the information by creatively applying the methods and tools at his disposal, but without going beyond the agreement concluded with the client. But this method also has its drawbacks: although it simulates a real attack on a system or applications, the tester, using only it, may miss some vulnerabilities. This is a very expensive test, since takes a lot of time. Performing it, the tester will study all possible directions of attack and only after that will report the results. In addition, in order not to damage the system being tested and not cause a failure, the tester must be very careful.

Methods of the "gray box". The test takes into account all the advantages and disadvantages of the first two tests. In this case, only limited information is available to the tester that allows an external attack on the system. Trials usually performed in a limited volume, when the tester knows a little about the system. An example of information is a range of IP addresses that need to be checked for vulnerability.

Conclusion

Penetration testing is a very large and significant section of information security. It helps many companies around the world to reduce the risks of compromising devices, to identify unscrupulous personnel. With each new article on this topic, we will dive deeper into the world of pentest. In the next publication, we will consider, in general terms, what stages classical penetration testing consists of.