WHAT IS A PENETRATION TEST?
Do you know the weaknesses of your IT infrastructure?
A penetration test is a process that allows you to answer this question by evaluating the security level of your information system through a simulated cyber attack.
Penetration testing is not an exact science, but a set of techniques that may be more or less suitable depending on the context; its final goal is to clearly highlight security vulnerabilities.
HOW IS A PENETRATION TEST PERFORMED?
The analysis combines human reasoning with various dedicated software tools, with the aim of highlighting the weaknesses of the system by collecting all possible information regarding the vulnerabilities that allowed unauthorized access.
The penetration test is not a static process that can be repeated without modifications; it is adapted to the client’s infrastructure and needs on a case-by-case basis. However, any penetration testing activity can be standardized in terms of methodology.
IambOO adopts the following technological standards:
OSSTMM – the Open Source Security Testing Methodology Manual, which describes a methodology for performing security tests in different areas. It also covers planning and rules of engagement. It is usually used for Network Penetration Tests and Wireless Penetration Tests.
OWASP – an independent organization dedicated to establishing and spreading a “culture of web application security”. Its Testing Guide, a guide to evaluating web application security, is usually used for web penetration tests.
NIST – a national agency of the United States Department of Commerce dedicated to standards and technologies. NIST SP 800-115 contains recommendations for testing and assessment; it is usually used for vulnerability assessment and establishing the testing scheme.
Iamboo follows the methodology indicated in the PTES (Penetration Testing Execution Standard) guidelines.
At the end of the testing process, a detailed report is handed to our clients, describing all the activities performed by the penetration tester, the vulnerabilities that have been detected and the steps necessary to reduce or eliminate them.