About the service
A penetration test, or pentest, helps identify weaknesses in the protection of a corporate network and its infrastructure elements. Technically, the service is an analysis of external and internal threats and vulnerabilities using automated tools that check whether penetration is possible, as well as the manual hacking techniques used by real intruders.
The final test results are presented in the form of a detailed report with a description of the vulnerabilities, their level of criticality and recommendations for their elimination.
During penetration testing, the following tasks are solved:
- Checking whether an ordinary employee can obtain access to confidential information
- Identifying information security vulnerabilities and the scenarios in which they can be exploited
- Checking whether an ordinary employee can escalate their privileges
- Developing recommendations to neutralize the discovered vulnerabilities
- Checking whether the local network can be penetrated from the outside
Details
The testing methodology is agreed with each customer individually. However, the best practices adopted in the industry are always taken as a basis — NIST SP800-115 and OSSTMM (Open Source Security Testing Methodology Manual).
The main objectives of the pentest
- A general check of the organization’s security level.
- Meeting the requirements of various standards and regulations. For example, paragraph 11.3 of the PCI DSS standard requires companies that process payment card data to conduct annual penetration testing; in this case the test should cover the entire perimeter of the cardholder data environment. Another example is the requirement of clause 2.5.5.1 (Clause 14.2) of Regulation of the Bank of Russia No. 382-P, which obliges money transfer companies to carry out a pentest at least once a year.
The stages of penetration testing
- External security analysis — the Black Box model. The work is carried out remotely via the Internet: ITGLOBAL.COM specialists attempt a number of attacks through the customer’s public resources.
- Internal security analysis — the Grey Box or White Box model. The customer provides remote access to their internal network, for example, over a VPN connection. Attacks are modeled with the rights of an ordinary employee.
- Preparation of the penetration testing report. The report describes the testing methodology, the objects tested, the identified vulnerabilities and their level of criticality, and provides recommendations for their elimination.
Advantages
- The ability to prevent incidents that may negatively affect the company’s image and customer safety
- The ability to comply with the mandatory requirements of PCI DSS, 382-P and other standards
- The use of modern tools that simulate all known types of attacks
- Practical verification of company security, not “paper security”
- Reducing the risks of information leakage and unauthorized access
- Detection of all critical information security threats
Who the service is for
- Companies wishing to comply with the standards of the Russian Federation (GOST 57580, Regulations of the Central Bank, 152-FZ, 187-FZ)
- Companies wishing to increase the maturity of their information security processes
- Companies that have experienced security incidents
Advantages of working with us
- We work with our own team of certified pentesters and information security specialists.
- We are constantly in touch and quickly answer all questions from the beginning of the pentest to the final report, and we stay in touch after the end of the project.
- We provide a structured final report that is understandable to business, IT and information security specialists alike.