Penetration Testing is the process of intentionally hacking and attacking your own network, web applications and organization, for the purpose of checking how secure your assets really are. Attackers have no regard for your organization’s internal policies, the trustworthiness of your employees, or the expertise of your technical staff. Only one fact matters to them: are you vulnerable?
It is in an organization’s best interest, economically, and for the sake of reputation, to answer that question before the attackers do.
To answer this question, an organization should regularly perform a Penetration Test, in which simulated hacking attacks are performed on its network and computing infrastructure, to determine – based on facts and results – how secure (or insecure) an organization really is. Fortify 24×7’s team of security engineers performs Penetration Tests and Vulnerability Assessments in various forms, as explained below.
Black Box Penetration Testing
A Black Box Penetration Test is a real hacking attack simulation, where Fortify 24×7 security engineers carry out their attacks like actual hackers do, without any prior or internal knowledge of the target. Through these attacks, the Fortify 24×7 experts try to identify and exploit any weakness in any layer (web applications, operating systems, network devices, e-mail, DNS, etc.) and attempt to pivot further into the target organization. Fortify 24×7 penetration tests are skill-based and depth-focused, with no reliance on automated tools and checklists.
White Box Penetration Testing
A White Box Penetration Test is a cooperative security test performed with prior knowledge of the infrastructure, its underlying logic, and access to some credentials. The technical staff of the organization provide the Fortify 24×7 security experts with the insight and knowledge they need to thoroughly test every element of the target network, guaranteeing that no systems, functionality or IP subnets are left untouched. The more context our experts are given, the more complete the final result will be. Allow our trusted security experts to take a look at your organization from the inside and tell you how secure it is at its core.
External Penetration Testing
An External Penetration Test is performed strictly remotely, with no internal access provided to the Fortify 24×7 security engineers. The goal of this test is to simulate the majority of attacks coming from the internet. The focus of this test is primarily the internet-facing assets of the organization, for example: web applications, web servers, network endpoints, VPN, and e-mail servers. This test also helps an organization learn what information (public or private) can be gained about it from the outside.
Internal Penetration Testing
An Internal Penetration Test is performed from within the premises of the target organization, usually to simulate threats from guests entering its physical boundaries (including wireless range), an employee with malicious intent, or simply to discover the extent of damage an external hacker can do once they gain access to one of the internal machines. An Internal Penetration Test focuses on workstations, internal applications, access controls, domains, and internal documents. This test is useful to determine what sensitive information might be stolen from the inside.
Penetration Test Steps
– Reconnaissance: Collection of information about staff, systems, applications and others.
– Mapping: Mapping of information gained through reconnaissance into a full picture, as well as development of attack scenarios.
– Discovery: Discovering security vulnerabilities and weaknesses in any layer included in the test scope.
– Exploitation: Verification of weaknesses by exploiting them to gain access and determine the full extent of possible damage, as well as pivoting further inside.
Upon completion of the security test, a detailed report is sent to the client, including the following:
– Executive Summary: Summary of the purpose of this test, as well as a brief explanation of the threats facing the organization from a business perspective.
– Findings: A detailed, technical explanation of the findings of the tests, with steps and proofs of the findings.
– Conclusion & Recommendations: This section provides final recommendations and a summary of the issues found in the security test.