Information Security Standard
ISO 27001

Penetration Tests

Penetration tests are tests designed to simulate an external and/or internal attack on the organization's computer systems, with the aim of locating security weaknesses and potential risks.

The penetration test is carried out by professionals who are in fact hackers, with hacking skills and in-depth knowledge of networks and computer systems, and who use that knowledge for positive purposes: improving the company's security. In accordance with the agreed test framework, they attempt to penetrate the system using tools and methods appropriate to the nature of the client's technology, with the aim of examining the security loopholes that endanger the system.

Who is obligated to perform the test?

1. The owner of a database whose security level is the highest is responsible for having penetration tests conducted on the database systems, in order to examine their resistance to various security risks. These tests will be performed at least once every eighteen months. After the test, the owner of the database must discuss the results and correct the deficiencies accordingly.

2. An organization that has several databases may specify in one document all the databases at the same level of security, as well as the list of database systems (infrastructure and systems, software, etc.). In addition, the organization must perform a risk survey and penetration tests at least once every eighteen months and act to correct the deficiencies accordingly.

What does the penetration test include?

Each test is essentially different from the others and is adapted to its purpose. Since there are many ways to penetrate an organization and a wide variety of defense systems, the content of the test is determined after the client defines the goal.

1. Checking the programming of certain attacks.

2. Assembling a strong attack from several weak fronts.

3. Identifying weaknesses that automatic tools, such as weakness scanners for applications/infrastructures, will not reveal.

4. Identifying the magnitude of the business and operative damage that will be caused by the attacks.

5. Testing the ability of the defense system of the targeted system to identify attacks and handle them.

6. Providing evidence to improve the human and technological security system.

Common approaches to penetration testing

There are 3 common approaches to penetration testing: White Box, Black Box and Gray Box. Each method offers distinct advantages and is tailored to different security assessment needs.

White Box, Black Box, and Gray Box penetration testing methods each play a vital role in assessing and improving an organization's cybersecurity posture. The choice between these approaches depends on factors such as the level of access to the target system, the desired scope of the assessment and the specific goals of the security testing initiative. A well-rounded cybersecurity strategy often incorporates a combination of these techniques to comprehensively identify and address vulnerabilities, ultimately improving overall system security.

How It Works

The steps of the process

1. Information Gathering

This phase begins with gathering information and preliminary research about the environment being tested. The process includes the use of advanced tools and techniques to identify vulnerabilities and security weaknesses: weak points of the environment being tested that an attacker can exploit to take over and damage the organization's systems and infrastructure.

2. Identifying and exploiting security vulnerabilities

After identifying the main security vulnerabilities and weaknesses, the tester begins analyzing and evaluating the information and building a hacking model. The tester performs the practical test manually, making controlled and safe use of the weaknesses identified on the basis of the analyzed information.

3. Reports and Information

After completing the tests and documenting the findings, the company provides a detailed report of findings and threats, which includes recommendations for correction. Our report includes the identifiers with which an attacker can exploit vulnerabilities and weak points that exist in the system.

4. Correction and update

In addition to the official evaluation report that the client receives, the company provides a retest of the repairs made for the report's vulnerabilities. After inspecting the repairs carried out, the inspector will update the report with a new determination of the risk level and mark which vulnerabilities in the report were there and warranted a correction to update the risk level.

Contact

Phone

050-2638020