Performing a Penetration Test is one of the best ways to assess the information security posture of any organization.
Where a vulnerability scan, or even a vulnerability assessment, limits itself to uncovering technical weaknesses of the systems under review, a pentest takes the logical next step: exploiting those vulnerabilities to actually compromise the network. Moreover, attack vectors are not limited to purely technical ones but can include social engineering as well.
Reaping the benefits…
Simulating real-world scenarios and the behaviour of real attackers allows an organization to assess how effective its systems, security controls and organizational measures actually are. Attacks can be staged using multiple attack vectors, as in real life.
Pentests go beyond the formal approach often employed in security audits, which are usually performed for compliance purposes, and make it possible to gauge the actual economic, financial, and operational impacts of a successful attack.
…avoiding the risks
The preparation of a penetration test is extremely important to reduce any risks. A clear scope and rules of engagement must be agreed upon and contractually defined beforehand. The scope can be delimited by technical means (IP address ranges, lists of systems, URLs or applications, for instance) but can also include or exclude certain attack vectors (social engineering, for instance) or limit or forbid physical access to the premises. All these details, as well as the content of the final report, must be clearly stated before the actual pentest begins. This last point is especially important because a penetration test brings actual value only if the resulting information is actionable by the client.
Our approach will provide both the technical expertise and the business perspective needed for a valuable penetration test.
In a black-box pentest, minimal information is given to the team, who will have to gather intelligence and information from scratch. In a white-box one, much more information and/or access is supplied by the client, allowing the pentest team to zero in on the actual attack.
A black-box approach has the advantage of simulating much more closely the behaviour of an actual (external) attacker, and it also allows a wider security assessment of how sensitive information is managed.
The white-box approach can be useful when the perceived threat is internal. It also focuses the budget on the actual attack and not on the information gathering.
Choosing the right approach – or a middle one – is the first task in a penetration testing consulting activity, and a very important one because, together with the scope definition, it can tailor the test to the client’s exact need.