Penetration Testing Definition and Pentest Methodologies
What is Penetration Testing? The penetration testing service offered by experts in the field to ensure the digital security of institutions and organizations is a red team service. In this article too What is Pentest? With the question "What are Penetration Test Methodologies?" Who Should I Get It Done? and Why Should I Get Pentest Service? We will be answering questions like:
What is Penetration Testing?
Penetration testing (pentest) is a security service offered by penetration testing experts to detect institutional vulnerabilities and ensure that necessary security measures are taken against these vulnerabilities. A cyber security expert is a red team member and has certificates such as OSCP, TSE and CEH. With the pentest study, various security tests are carried out within the scope specified for the target or within the scope determined by the expert himself. Pentest specialist detects and reports potential security risks and vulnerabilities by applying all attack vectors that attackers can use against the target system. This service offered is called "penetration testing service".
What are Pentest Methodologies?
Penetration testing basically consists of 3 methodologies; black box, greybox And whitebox. Blackbox pentest methodology is a methodology in which the scope is determined entirely through Open Source Intelligence (OSINT) studies, without providing any information by the institution. In the Blackbox penetration test, the relevant expert detects the domains, IP addresses and subdomains of the institution one by one and performs security tests.
Greybox pentest methodology is a type of methodology in which certain information is presented to the expert by the institution. Penetration tests using Greybox methodology provide faster results than Blackbox penetration testing. Since the pentest specialist has knowledge about the institution, he can act faster and expand his scope faster.
Whitebox penetration test methodology is a methodology in which all kinds of information is provided to the expert by the institution and users are identified. Whitebox penetration testing is the fastest-yielding pentest methodology. The expert focuses directly on detecting security vulnerabilities without wasting time by expanding the scope, creating user accounts and trying to expand the attack surface. In this way, results can be obtained in a shorter time.
What are the Types of Penetration Tests?
Penetration test types are determined according to the type of network targeted during the test. Pentest types offered by pentest experts are:
- Local Network Penetration Test: It is a penetration test where the test scope is the systems within the institution's local network. In local network pentesting, security vulnerabilities in structures such as Active Directory, NetBIOS and Domain Controller are detected.
- External Network Penetration Test: This is a type of pentest in which pentesting is carried out by targeting the institution's external network IP addresses. In the external network penetration test study, an attempt is made to access the local network by using all resources of the institution that can be accessed over the internet.
- Web Application Penetration Test: Web application pentest, which is carried out to ensure web application security, targets web applications located in corporate domains. With the web application penetration test study, corporate web applications are examined from an attacker perspective using OWASP as a reference.
- SCADA Penetration Test: It is a penetration testing service performed for SCADA systems, which refers to closed systems such as Distributed Control Systems and I/O systems.
- Wireless Network Penetration Test: Wireless network pentesting, which targets the network connection shared through wireless devices, aims to protect Wi-Fi security within the institution. It is aimed to detect security vulnerabilities in wireless systems and eliminate these vulnerabilities.
Who Should I Have a Pentest?
Pentest service is a cyber security service that should definitely be provided by experts in the field. You should make sure that the relevant personnel of the company you want to perform penetration testing have the necessary experience. You should also check whether the experts have the necessary certificates such as TSE for BRSA / KVKK Compliant Penetration Testing.