Pentest (Penetration Testing) is a security testing process applied to detect security vulnerabilities present in computer systems. The pentest or pentesting process simulates the actions that attackers who exploit vulnerabilities in systems could carry out. In this way, security vulnerabilities can be identified before an organisation is subjected to a cyber attack, and the vulnerabilities can be remediated by applying the necessary solutions.
The advancement of technology and the emergence of new systems give rise to new security vulnerabilities. Organisations must be prepared against current threats in order to protect their computer systems from cyber attacks. For this reason, pentest operations should be carried out on a regular basis. Companies that perform pentests provide Pentest Services to carry out security tests on organisations’ systems. These companies offer pentest proposals to organisations that wish to make use of the pentest service. Subject to confidentiality agreements signed between the organisations that benefit from this service and the cybersecurity companies, security tests are applied to the organisation’s systems by cybersecurity experts who have proven themselves in the field. The experts who carry out the pentest operation are called Pentesters. Pentesters target the organisation’s systems from an attacker’s perspective and attempt to infiltrate those systems. They then prepare a pentest report containing the results obtained, to be submitted to the organisation.
What Pentest Companies Do
Identify security vulnerabilities affecting assets belonging to an organisation
Reveal risks and threats affecting the organisation
Confirm the accuracy of applied procedures, policies and designs
Plan to secure systems in order to prevent attackers from breaching the organisation’s security
Identify the points that attackers who successfully breach the organisation’s security could access
Modify or improve the existing security architecture
Prevent reputational damage and financial losses that could result from a breach of the organisation’s security by attackers
Assess the effectiveness of security devices used by the organisation
Reveal threats so that organisations whose security has already been compromised by a cyber attack are not affected by future attacks
What Are the Pentest Approaches?
The pentest process is carried out using three approaches: blackbox, graybox and whitebox. Descriptions of these approaches are given below:
Blackbox (Black Box Testing): Blackbox is a pentest approach in which no information about the organisation’s systems is provided to the security experts. In this approach, pentesters are expected to gather information about systems they have no prior knowledge of and perform security tests. The purpose of this approach is to simulate the actions that could be carried out by attackers who have no prior knowledge of the organisation’s systems.
Graybox (Grey Box): Graybox is a pentest approach in which the security experts have some information about the organisation’s systems. In this approach, pentesters are provided with information such as IP address lists and server system version information. The purpose of this approach is to simulate the actions that could be carried out by attackers who have gained access to an organisation’s network infrastructure.
Whitebox (White Box): Whitebox is a pentest approach in which the security experts have complete knowledge of the organisation’s systems. The purpose of this approach is to simulate the actions that could be carried out by malicious insiders who have complete knowledge of the systems.
What Are the Pentest Methodologies?
The pentest process is carried out on the basis of national and international methodologies. This is because the pentest process must be performed in accordance with a standard. National and international methodological approaches are listed below.
National Methodological Approaches
TSE (TS-13638)
SOME Guide Published by Civil Aviation
BDDK (Banking Regulation and Supervision Agency) Circular on Penetration Tests Relating to Information Systems
International Methodological Approaches
NIST 800-115
OSSTMM
OWASP
ISSAF
What Are the Pentest Phases?
The pentest process is carried out by applying the following phases:
Information Gathering: At this stage, information is gathered about the target systems belonging to an organisation. Information gathering is the most important stage of a pentest operation. The more information an attacker has about an organisation, the greater the likelihood of causing damage to the organisation’s systems. For this reason, information gathering is carried out first, before any attack against the organisation’s systems is launched. The information gathering phase is applied in two ways: passive information gathering and active information gathering. Passive information gathering is carried out without communicating with the organisation’s systems, by researching those systems through external sources. The purpose of passive information gathering is to reveal what assets and resources belong to the organisation. Active information gathering, on the other hand, is carried out by communicating with the organisation’s systems in order to collect information about those systems and the services running on them. The purpose of active information gathering is to identify the points to be assessed for vulnerabilities in order to carry out a penetration operation against the target systems.
Enumeration: Enumeration is the phase that comes after information gathering, in which the maximum amount of information about the target system is sought. At this stage, information such as which services are using the open ports that have been identified, which vendor’s services these are, and their version numbers is discovered using a method called banner grabbing. After confirming the accuracy of the information obtained through manual testing, vulnerability databases are scanned in light of this information and known vulnerabilities are noted for use in subsequent phases.
Vulnerability Scanning: At this stage, a vulnerability scan is performed on the basis of the information obtained in order to identify vulnerabilities affecting the target systems.
Exploitation: At this stage, penetration attempts are made by exploiting security vulnerabilities affecting the target systems. If the attempts are successful, a session is obtained from the target system, which can then be commanded and controlled.
Post-Exploitation: The pentest process continues after an organisation’s system is compromised, in order to compromise other devices connected to the organisation’s network. This phase encompasses all the operations applied to compromise other systems belonging to the organisation from the already compromised system. An attacker who has compromised a system exploits a local security vulnerability on that system to escalate rights and privileges. They then discover other devices on the network and attempt to access those systems using information obtained from the compromised system. The post-exploitation phase continues until control over all of the organisation’s systems has been obtained.
Reverting Changes: Some operations applied during the pentest process may require changes to be made to the organisation’s systems. Before a pentest operation is concluded, these changes must be reverted and the systems must be returned to the state they were in at the moment of initial compromise.
Reporting: All findings are reported by the pentesters so that the organisation can be informed of the results obtained. A report contains the following items:
An executive summary relating to the security audit work carried out and the findings
Vulnerability ID cards showing the criticality levels of the vulnerabilities identified during testing, which systems the vulnerability was found on, and containing recommended remediation measures for eliminating the vulnerability
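The enumeration and vulnerability-scanning phases described above feed directly into the vulnerability ID cards of the report. The following example is added here and is not Privia Security's own tooling: it parses constructed service banners (as recorded during banner grabbing) into product and version, compares each against a constructed advisory table (placeholder entries, not real advisories), and produces report cards sorted by criticality.

```python
import re
# Constructed sample banners, recorded the way the enumeration phase (banner grabbing) would.
SAMPLE_BANNERS = {
    "10.0.0.5:22": "SSH-2.0-OpenSSH_7.4p1 Debian-10",
    "10.0.0.5:80": "Server: Apache/2.4.29 (Ubuntu)",
    "10.0.0.7:21": "220 (vsFTPd 3.0.3)",
}
# Constructed advisory table (placeholders, not real advisories): product -> (first fixed version, severity, fix).
ADVISORIES = {
    "openssh": ("8.0", "High", "upgrade to the fixed release"),
    "apache": ("2.4.50", "Medium", "apply the vendor patch"),
    "vsftpd": ("3.0.4", "Low", "upgrade and disable anonymous login"),
}
BANNER_PATTERNS = [
    re.compile(r"SSH-2\.0-(?P<product>OpenSSH)_(?P<version>[\w.]+)", re.I),
    re.compile(r"Server:\s*(?P<product>[A-Za-z]+)/(?P<version>[\w.]+)", re.I),
    re.compile(r"\((?P<product>vsFTPd)\s+(?P<version>[\w.]+)\)", re.I),
]
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

def parse_banner(banner):
    """Return (product, version) with the product lowercased, or None if the banner is unrecognised."""
    for pattern in BANNER_PATTERNS:
        match = pattern.search(banner)
        if match:
            return match.group("product").lower(), match.group("version")
    return None

def version_key(version):
    """Turn '7.4p1' into ((7, ''), (4, 'p1')) so versions compare numerically, suffix as tiebreak."""
    key = []
    for part in version.split("."):
        match = re.match(r"(\d+)(.*)", part)
        key.append((int(match.group(1)), match.group(2)) if match else (0, part))
    return tuple(key)

def build_cards(banners, advisories):
    """Build report cards for services whose version predates the fix, highest severity first."""
    cards = []
    for endpoint, banner in banners.items():
        parsed = parse_banner(banner)
        if parsed is None or parsed[0] not in advisories:
            continue  # unknown banner or no advisory on record: nothing to report here
        product, version = parsed
        fixed, severity, fix = advisories[product]
        if version_key(version) < version_key(fixed):
            cards.append({"endpoint": endpoint, "service": f"{product} {version}",
                          "severity": severity, "remediation": fix})
    return sorted(cards, key=lambda card: SEVERITY_ORDER[card["severity"]])
```

Versions are only compared numerically per dotted component, so banners that hide or rewrite the version string still have to be confirmed manually, as the enumeration phase notes.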
What Is Pentest and What Are Its Types?
Carrying out a pentest operation differs depending on the type of target systems. The pentest operation is carried out within the scope of a scenario determined by the organisation. The types of pentest are listed below:
Web Application Security Tests: Web application security tests are performed on web servers belonging to an organisation that are published on the internet, and on the web applications running on those servers. Security vulnerabilities affecting web applications and web servers are assessed on the basis of the OWASP Top 10 security vulnerabilities.
Mobile Security Tests: Mobile security tests are performed on mobile applications running on Android and iOS operating systems. Security tests for mobile applications are carried out on the basis of the OWASP TOP 10 Mobile Security Risks.
Local Network Security Tests: In local network security tests, a vulnerability assessment is conducted on all systems within an organisation’s internal network, and flaws in the organisation’s assets are revealed.
Database Security Tests: Database security tests are performed to identify database-specific security vulnerabilities, such as insecure default configurations, unnecessary privilege assignments, and default passwords that remain in use.
Network Tests: Network tests are performed to identify security vulnerabilities affecting network devices and the network protocols running on systems.
Wireless Network Security Tests: Wireless network security tests assess the adequacy of security controls developed to protect wireless services against unauthorised access. Wireless network security tests are carried out with the aim of gaining access to wireless SSIDs or escalating rights and privileges through guest SSIDs that are intended to be isolated from private networks.
DDoS: DDoS tests are performed to determine how well an organisation’s systems are protected against denial-of-service attacks.
Social Engineering Tests: Social engineering tests are performed to determine the information security awareness of an organisation’s employees. Phishing attacks are carried out on the organisation’s employees through social engineering tests. As a result of these attacks, attempts are made to gain access to the organisation’s local network via its employees.
Cloud Security Tests: Security tests performed on cloud systems test whether cloud systems containing sensitive information contain security vulnerabilities that could compromise the data, and whether security controls are being properly applied.
Container Security Tests: Container security tests are performed to identify security vulnerabilities affecting an organisation’s container systems.
Source Code Analysis: The source code of applications belonging to an organisation is examined in an attempt to identify security vulnerabilities affecting those applications.
VoIP Security Tests: VoIP security tests are performed to identify fraudulent activities that could be carried out through a VoIP system and to detect security vulnerabilities affecting VoIP systems.
For our penetration testing service tailored to your organisation and a price quote, you can contact us at [email protected] or visit our IT Penetration Testing Service page to apply. As Privia Security, we are always by your side with our team of experts to protect your organisation’s network.