What is a penetration test?
Called by several similar names, which include: Penetration Testing, PT and Resistance Testing: the term refers to a test during which a cyber attack is attempted on a corporate network or application.
The operation is performed by highly qualified specialists with extensive training and professional knowledge, called penetration/resilience testers, also known as white hats or ethical hackers. These individuals undergo a series of credibility checks.
The world of penetration testing is roughly divided into two: application and infrastructure.
- Infrastructure penetration testing is about hacking into IT infrastructures, for example: operating systems, services running on computers such as FTP and SMB, hubs and routers, control systems, authentication systems such as domain controller (DC) and more. Testing is performed outside and inside the organization, as well as on Cloud systems where customers set up their independent IaaS infrastructures.
- Applicative Penetration Testing is about the ability to hack server and client applications, including cellular, WEB and API interfaces and more. Some off-network and on-network testing is also performed here; the same goes for cloud-based systems.
Testing is performed according to several protocols, such as Black box protocol, where no prior information about the system is provided; Gray box protocol, where partial information is provided; and White box protocol, where all data and objectives are shared with the expert, who is also consulted on all aspects of the security level of the architecture.
We use world-leading methodologies such as OWASP, NIST 800-53, as well as the Cyber Steering Guidelines.
Examples of types of penetration tests:
|Type of penetration test||Desciption|
|Penetration testing for mobile applications||This mobile penetration test comprises a set of tests that focus on detecting weaknesses in applications developed for Android and iOS devices.|
|Infrastructure penetration test||whose purpose is to combine several attack vectors based on MITRE standards. The specialist applies lateral movement techniques (emulating users with unlimited access), trying to take control of the organization's computer systems.|
|Application penetration testing||This category includes websites, internal/external portals, APIs and more. The tests are based on the OWASP framework and the full results are used to help developers handle them more accurately.|
|Penetration testing for cloud systems||These tests incorporate both application and infrastructure penetration testing. The IT system of many companies is cloud-based or sometimes even stored in multiple clouds. Therefore, it must be examined by specialists to assess the level of hardening of the systems.|
|IoT penetration testing||This is a unique MADSEC service during which the tester disassembles the device and attempts to connect it and test the hardening level of the system. This test also incorporates electronics and is considered a premium service.|