Pentesting (pentesting)

What is pentesting?

Penetration testing includes a series of penetration tests based on attacks by IT systems to identify their weaknesses or vulnerabilities. They are designed to classify and determine the extent of security breaches and their degree of impact. As a result of such tests, you can get a fairly clear idea of ​ ​ the dangers to your system and the effectiveness of your protection^[1][2].

Pentests help determine the likelihood of an attack success, as well as identify security holes that are a consequence of low-risk vulnerabilities, but are used in a certain way. They also identify other vulnerabilities that cannot be detected using automated network software or special programs, and can also be used to assess whether security managers are able to successfully detect and respond to attacks.

How penetration testing is performed

There are several types of pentests classified according to the type of system information. Whitebox penetration tests know everything about the system, applications or architecture, and blackbox penetration tests do not have any information about the goal. Keep in mind that this type of classification is a practical necessity, since often the testing conditions are based on user criteria.

After that, you need to choose one of the various penetration testing methods. The choice will be determined by the characteristics of the system or even carried out in accordance with external requirements in the company. In any case, available methods include ISSAF, PCI, PTF, PTES, OWASP, and OSSTMM, among others. Each method has a lot of its own nuances, but their deep knowledge is necessary when implementing pentests.

Which method to choose?

According to a number of experts, PTES and OWASP are quite good types of pentests, due to the way these methods are structured. According to them, Penetration Testing Execution Standard (or PTES), in addition to being adopted by many authoritative experts, is already a model used in textbooks for penetration testing systems such as Rapid7 Metasploit.

On the other hand, Open Source Security Testing Methodology Manual (OSSTMM) has become the standard. While not particularly innovative, these tests are one of the first approaches to the universal framework of the safety concept. Today it has become a benchmark not only for organizations that want to develop high-quality, organized and effective penetration testing, but also for a number of companies.

Alternatively, the Information Systems Security Assessment Framework (ISSAF) organizes data around so-called "evaluation criteria," each of which has been compiled and reviewed by experts in each area of ​ ​ security solutions. The Payment Card Industry Data Security Standard (PCI DSS) was developed by a board of leading credit and debit card companies and serves as a guide for organizations that process, store and share cardholder data. It was for this standard that PCI penetration testing was developed.

The number of methods and frameworks is quite large, they are extensive and diverse. As already mentioned, the choice between them will depend on understanding your company's needs and knowledge of the required security standards. But by doing everything right, you can protect your systems much more effectively, knowing in advance where and how they can fail. Invaluable information for those who know how to use it.

Chronology of events

2022:77% of organizations in Russia are not sufficiently protected from hacking

The Innostage Security Analysis Group conducted penetration testing (pentest) in Russian companies and shared the interim results on December 28, 2022. The purpose of the pentest was to obtain the maximum possible privileges or perform an illegitimate action in relation to the organization's IT infrastructure. In 77% of organizations, specialists managed to gain administrative access to critical objects or sensitive information, being outside the external perimeter. Read more here.

Notes