What is a Pentest?
Pentest is short for Penetration Test: the detection of logic errors and weaknesses in information systems so that they cannot be abused by malicious people and so that the systems become more secure. This work is carried out legally, by authorized people. The purpose is not only to detect a vulnerability in the system but also to use that vulnerability, without damaging the system, to gain authorized access. Security work in the field of informatics can be divided into two approaches: the first is defensive security, the second is proactive security, also called offensive security. Pentests are a product of the offensive security approach.
Pentests and Vulnerability Assessments (vulnerability scanning) should not be confused. A Vulnerability Assessment is the process of finding and reporting security vulnerabilities in target systems using various security software. In a pentest, the aim is to evaluate each vulnerability, obtain authorized access to the systems and determine which additional operations (such as moving further into the system or accessing information) can be performed on the target systems.
What are the Types of Pentest?
The type of pentest to be applied varies according to the target system, the attack vector and the attack being simulated.
- Network Penetration Tests
- Internal Network Penetration Test
- External Network Penetration Test
- Web Application Penetration Tests
- Mobile Application Penetration Tests
- Critical Infrastructure Systems Penetration Tests
- DDoS and Load Test
- Wireless Network Penetration Test
- VoIP Infrastructure Penetration Test
- Social Engineering Penetration Test
Internal Network Penetration Test: This type of penetration test answers the question of which data and/or systems can be accessed from inside the relevant institution's internal network.
External Network Penetration Test: This type of penetration test answers the question of which data and/or internal systems can be accessed through the relevant institution's externally facing systems.
Web Application Penetration Test: This asks the same question as the External Network Penetration Test, but the focus is on the web applications.
Social Engineering Penetration Test: Social engineering is defined as the whole set of attempts to obtain the desired information through various persuasion and deception methods that take advantage of human weaknesses.
What are the Pentest Methods?
The White Box, Gray Box and Black Box terms used in software testing apply here, too.
White Box: In this approach, the security test team is fully informed about the system itself and the additional technologies running behind it. It provides greater benefit to the institution than the Black Box technique: since errors and vulnerabilities are easier to find, the time needed to take action against them is shorter. The risk of damage to the system is very low and it is the least costly approach.
Gray Box: In this approach, some information about the system, such as the IP address list and version information of the server systems, is provided in advance to the team that will perform the security test. It takes less time than the Black Box approach. Since the IP addresses to be checked and tested are determined in advance, the possibility of unintentionally damaging the system is reduced.
Black Box: In this approach, the team has no information about the system to be tested at the start. Information about a completely unknown system is collected first, and then the tests are carried out. Since the test team has no prior knowledge of the system, there is a high probability of accidentally damaging it. The information-gathering phase takes a lot of time, which makes this the longest-lasting approach.
Why Should We Have a Penetration Test?
Although security steps are important during the software development phase, the security vulnerabilities of information systems should also be checked and reported by an independent third party. This is essential for proactive security.
Depending on the competence, approach and technology used by an attacker, compromising systems becomes easier over time. Since it is difficult to follow these changes regularly and take precautions on your own, it is useful to have the system tested by white hat hackers. Also, standards such as PCI and HIPAA require pentesting, and more recently pentests have started to be carried out as a GDPR obligation as well.
How Should the Penetration Test Project Be Planned?
If there is no competent department in our own team, the pentest is done as an external service. Before procuring this service, it is necessary to decide the scope of the pentest, because the scope affects everything from the duration of the pentest to the fee. The value obtained from the pentest is determined by the answers to the following questions. For example, how much benefit is there in a pentest done once a year on a rapidly changing system, or in a web test for a system that is only active on mobile? For this reason, answering the following questions in general terms will help to create a plan for the pentest.
- What will be the scope of the Penetration Test? (White Box, Gray Box, Black Box)
- What kind of penetration test do I want? (Internal Pentest, External Pentest, Web Application Pentest)
- Who will I have the tests done by?
- How often will I have it done?
- Should risky systems and services be out of scope or do I want to accept the risk and see the result?
- Will DDoS tests be performed within the scope of the pentest?
Open source Pentest Software:
Nessus, Nmap, Metasploit, Inguma, Hping, John the Ripper, W3af, Burpsuite, Retina, Canvas, Wireshark, etc.
Pentest Standards and Guides:
- TS13638 (Information Technology – Security Techniques – Requirements for personnel and companies performing penetration tests) – https://tse.org.tr
- CREST Penetration Testing Guide – https://www.crest-approved.org
- OSSTMM (The Open Source Security Testing Methodology Manual) – https://www.isecom.org
- OWASP (The Open Web Application Security Project) Top Ten – https://owasp.org
- NIST (Cybersecurity Framework) – https://www.nist.gov
- PTES (Penetration Testing Execution Standard) – http://www.pentest-standard.org
- PCI SSC (Security Standards Council) Penetration Testing Guidance – https://www.pcisecuritystandards.org
Have error-free code!