IT Asset Penetration Testing Methodology

In the penetration tests targeting IT assets that Privia Security carries out periodically, security vulnerabilities in critical systems can be identified. By aiming to take measures before these vulnerabilities are exploited by malicious actors, it becomes possible to eliminate those vulnerabilities.

In order to reveal the current security posture of the IT infrastructure within an organisation and the vulnerabilities present in that posture, both external (Internet) and internal penetration tests are conducted first.

Details regarding the penetration test are set out below. Penetration testing work targeting IT assets consists of five distinct phases. As shown in the diagram below, these phases consist of the following steps in sequence:

• Penetration Test Kick-Off Meeting
• Conducting the Test
• Preparation of the Penetration Test Report
• Presentation of Findings
• Verification Audit

IT Asset Penetration Testing Methodology

After a confidentiality agreement is signed between the organisation and Privia Security, a kick-off meeting is held to determine the scope within which the tests will be carried out, the test methodology and approach, the work schedule, to document the project plan, and to determine the test manager and team to be assigned to the test.

• Determining the scope to be tested
• Determining the test manager and team
• Determining the methodological approach to be applied during the tests
• Determining the organisation’s test coordinator
• Determining the work schedule and working hours
• Extracting and documenting the project plan
• Determining the test scenario
• If the determined scenario falls within the scope of a White Box penetration test, identifying and communicating the IP address ranges, DNS addresses, web applications and mobile applications to the test team
• If the determined scenario is Black Box, communicating that the identification of externally exposed systems will be carried out by Privia
• If the tests to be conducted on both the internal and external network are to be performed using the White Box penetration testing method, requesting that the necessary access permissions be determined and implemented by the organisation
• Determining the IP addresses from which the tests will be conducted and communicating these to the organisation
• Providing information on which countries access and tests will be conducted from
• Discussing social engineering test scenarios
• Determining in which segments and during which time intervals the DDoS test will be conducted
• Reviewing the report standard
• Determining the locations to be tested
• Scheduling the locations
• Determining and communicating to Privia Security the list of the organisation’s responsible persons at each location
• Informing the organisation’s responsible persons at each location about the test or the personnel who will be conducting the test

Even though confidentiality and service agreements have been signed with the organisation before the penetration test begins, there is a need to obtain certain additional permissions. These permissions are required to test applications or services that the organisation receives from third-party institutions and organisations.

The penetration test is conducted within the scenario determined at the “Penetration Test Kick-Off Meeting” held previously with the organisation. The penetration test targeting IT assets is conducted based on national and international methodologies, covering all the headings below. For a penetration testing price quote tailored to your organisation, you can contact our expert team and obtain detailed information about our IT asset penetration testing methodology.