Penetration testing is focused on finding the maximum number of security vulnerabilities in the target environment that could allow attackers to break into the network or computer systems, or to disrupt the business processes of the customer’s company. The purpose of the test is to actually compromise the target system, up to stealing confidential information or disrupting a business process, and to provide a final report describing the shortcomings in the security system. An engagement of this kind requires methods and tools similar to those used by intruders.
In the field of penetration testing, R&B Team has achieved strong results and continues to improve on them. Our specialists regularly participate in bug bounty programs and successfully deliver penetration testing projects that include social engineering. R&B Team is among the 20% of companies in the industry able to perform high-quality, complex Red Team projects, using non-standard methods to check the maximum number of attack vectors.
Based on the results of the penetration test, our customers receive reports and consultations that give a real picture of the organization’s level of security and help them prioritize investment in their security.
Types of penetration tests.
One of the important aspects of any penetration testing program is defining the scope in which the testers should work. Typically, the scope determines which systems, locations, methods, and tools can be used in the penetration test. Limiting the scope of the test helps to focus team members and defenders on systems over which the organization has control.
Basic strategies:
External testing is aimed at the company’s externally visible servers, services and systems. The goal is to figure out whether external attackers can get in and how far they can advance after gaining access.
Target testing is performed jointly by the organization’s IT team and the penetration testing group against specific systems. This is sometimes called the “lights turned on” approach, because both the tester and the customer can see how the test is conducted.
Internal testing (insider simulation) simulates an internal attack by an authorized user with standard access rights. This type of test is useful for assessing the damage that a disgruntled employee could cause.
Blind testing (black box) simulates the actions and procedures of a real attacker. As a rule, the testers are given only the name of the company. They must independently gather the information about the company needed to carry out the attack. Since this type of test requires a considerable amount of time for reconnaissance, it can have a high cost.
White box testing means that the tester carries out the penetration test with prior information about the target company. This information may include data such as IP addresses, mailbox addresses, network infrastructure diagrams, protocols in use, application source code, etc.
Using different penetration test strategies helps testers focus on the right systems and get an idea of the types of attacks that pose the greatest threat to the customer’s business.