Penetration testing of systems and infrastructure (penetration test) is an assessment of the security of a company's infrastructure that simulates the actions of an attacker attempting to penetrate the information system.
A penetration test allows you to:
- Detect a vulnerability before an attacker does and take timely measures to address it;
- Verify the current level of protection;
- Identify violations of, and non-compliance with, information security policies.
Penetration testing involves a controlled attack on an agreed, clearly scoped part of your system.
Pentest goals:
- identify weaknesses in protection;
- take timely corrective action.
Testing can be carried out according to one of three scenarios:
- Black box: the tester has no prior knowledge of the infrastructure being tested and starts from the position of an external attacker;
- Gray box: the tester is given ordinary user-level access and partial knowledge of the infrastructure, modelling an insider or an attacker who has already obtained an account;
- White box: the tester has extensive knowledge of your infrastructure (for example, architecture, configuration and accounts), which allows the deepest coverage in the shortest time.
Some time after testing, a retest is recommended. It takes into account the vulnerabilities that were detected and uses the information obtained during the initial test in order to confirm that the previously found vulnerabilities have actually been fixed and can no longer be exploited.
Testing is carried out in accordance with international standards and penetration testing methodologies:
- ISECOM OSSTMM (Open Source Security Testing Methodology Manual);
- OWASP Testing Guide;
- BSI Penetration Testing Model;
- ISACA IS Auditing Procedure P8: Security Assessment - Penetration Testing and Vulnerability Analysis;
- PCI DSS Penetration Testing Requirements;
- PTES (Penetration Testing Execution Standard);
- NIST SP 800-115, Technical Guide to Information Security Testing and Assessment.
In order to guarantee an unbiased and confidential result, we separate the teams that provide our services. The pentest is carried out by a separate group of professionals who are not associated with the specialists involved in developing and implementing an ISMS or in managing cyber protection tools, so that the team assessing the controls is never the team that built or operates them.