Penetration testing is a simulation of the actions of a potential attacker, carried out to assess the possibility of unauthorized access to a corporate information system and to demonstrate the vulnerabilities of the existing information security (IS) system. Penetration testing allows you to identify vulnerabilities and weaknesses in the information security system before attackers do, and to evaluate "practical" security against attacks from the "real world". Before using this method, check the penetration testing cost so you know how much it'll cost you to identify the vulnerabilities of the system.
The Main Functions Penetration Testing Performs
Simulating the actions of a potential attacker during the testing process performs the following functions:
· identification of shortcomings and vulnerabilities in the information systems, software and information security measures in use, and assessment of whether they can be exploited;
· practical demonstration that the vulnerabilities can be exploited (using examples);
· a comprehensive assessment of the current level of security of the organization and its external services.
What Test Methods Are Used?
Now that you have a clear picture of what penetration testing is, let's have a look at how it is carried out. There are several methods:
· The "black box" method is an imitation of an intruder who does not have any information about the organization and access to its corporate network.
· The "gray box" method is an imitation of an intruder with limited knowledge about the organization, its corporate network and security system. An intruder may have a valid user account with limited privileges in certain information systems (for example, an ordinary employee, a client with remote access to the system).
· The "white box" method is an imitation of an intruder who is an administrator or another user who is well aware of the corporate network and security system. The intruder has a valid user account, including an administrative one.
From the perspective of a potential attacker, authorized attempts are made to circumvent the existing means of protection and to work through possible scenarios of penetrating the corporate network and achieving the test goals (for example, obtaining access rights, stealing confidential information, making changes to information systems, or disrupting the operation of certain network components, security systems or business processes).