What is Pentest?

Let's start with the most important frequently asked questions; Why should we have a penetration test? It is of great importance for your system security that the security vulnerabilities in your systems are checked by cyber security companies, their strengths and weaknesses are reported and presented to your information. Despite all the care and efforts of you and your employees in security, there is no limit to the methods and tools that attackers can use to exploit your systems. Possibilities and risks change dimensions according to the level of knowledge and experience of the attackers. For this reason, the security of your systems; It would be a more realistic and efficient step to ensure and increase security by having "White Hat" hacker teams who can act from the point of view of cyber attackers and know the attack methods and take precautions against these methods. In addition, standards such as PCI, HIPAA require pentesting.

During the pentest studies, there are various risks that may be encountered, as the systems for the target institution are examined from a real attacker's point of view. Just as the attacker has the possibility of affecting the entire system in a real attack scenario, unconscious penetration testing can cause disruption to your systems. In order to avoid such disruptions, the pentest team and the system administrators of the institution served should work in coordination. With continuous communication and coordination, all risks should be minimized and a penetration test should be performed without causing any interruptions.

The steps of the penetration test start with the first stage where the contract is signed and the planning is done. At this stage, a confidentiality agreement is made between the consultant company that will provide the service and the company that receives the service, and it is acted within the scope specified in this agreement. After the contract phase, which we can consider as the preparation phase, is completed, the technical penetration test phases are applied respectively: Exploration Phase: At this phase, the penetration tester conducts research on the target institution and tries to expand the attack surface by collecting all kinds of information he can gather. The information gathering step is one of the most important steps of the pentest. The more data is collected in this step, the more successful the penetration test will be. Scanning Phase: While mostly passive information gathering techniques are used in the exploration phase, more concrete and functional data is collected by interacting with the target during the scanning phase. With tools such as Nmap, Nessus, Burp Suite, the systems of the target institution are scanned. As a result of scanning, open ports, services and version information about services are determined. Vulnerability Analysis Phase: During the vulnerability analysis phase, the vulnerabilities of the services running on the detected ports are determined. For example, if an outdated service is used, known vulnerabilities related to this service are investigated. First Access Phase: After vulnerabilities are detected, they are exploited and the target system is first accessed and infiltration is performed. Ensuring Permanence: In the permanence phase, studies are carried out to remain active in the infiltrated system. If necessary, the penetration tester moves horizontally through the network from one system to the next. (Lateral Movement) Cleanup Phase: As a real attacker would do, the penetration tester removes the tools he has installed in the system after completing the relevant studies, and does not leave any traces by deleting the data obtained during the test in order not to leave any traces on the system. Reporting Stage: The most important stage of the pentest is the reporting stage. In order to eliminate the identified security vulnerabilities, the report prepared must be extremely clear, detailed and understandable. The tests performed by the penetration test team are meticulously recorded in the report and presented to the relevant system administrators.

Penetration tests are basically grouped under 3 different methodologies. These methodologies are shaped according to the perspective of the attacker and the data he has: Black Box Pentest Methodology: Black Box Penetration Test is a pentest method in which the entire infiltration process is made from scratch by approaching the system like a real threat actor without having any knowledge of the target system. In this methodology, the attacker does not have any knowledge of the system and the black box penetration test reveals the best possible result in a possible attack. Gray Box Pentest Methodology: Gray Box Pentest is a type of pentest that can be considered as a partial black box, in which limited information about the target system is obtained and the penetration tester is given certain authorizations. White Box Pentest Methodology: White Box Pentest is a type of methodology in which sufficient information about corporate systems is presented to pentester by system administrators. White box pentest method is preferred because it gives faster results. Pentest methods are divided into 3 different branches as mentioned above. Blackbox methodology should be preferred in order to determine the possible effects of cyber events that may be encountered in real life scenarios in the most accurate way.