What is the challenge?
Penetration tests (pentesting or ethical hacking) are carried out to expose the security weaknesses that could affect the confidentiality, integrity and availability of information, by imitating the offensive actions a real attacker would take. They are normally planned under one of three models, known as black-, grey- and white-box testing, and assess security systems, infrastructure, communications and the security components published on the Internet.
Solution: Pentesting or penetration tests
The objectives are:
- Identify gaps in the security posture, from the outside or the inside.
- Document the vulnerabilities that could be exploited, usually with reference to ISO 27001, the OWASP Testing Guide v4 or other applicable standards.
- Report recommendations to mitigate the damage, suggest procedures that minimise the impact, and give any other recommendations for the future.
How is it done?
Penetration tests can be run from outside or inside the organisation's technology environment. They analyse and test the internal defence mechanisms with specialised techniques, controls and tools that simulate a real cyber-attack. The tests are normally carried out remotely over the Internet or through a VPN, but they can also be performed on site, depending on the client's circumstances.
- Black Box: In this type of test, the execution team has no prior knowledge of the infrastructure to be tested. In this sense, it is the type of penetration test that most closely resembles a real attack.
- White Box: This is the most comprehensive test, as it begins with full prior knowledge of the infrastructure to be tested. It is usually carried out with support from the client's internal personnel.
- Grey Box: This test starts with partial prior knowledge of the target infrastructure. It is usually the recommended type of pentest when hiring specialised companies.
In some cases, dedicated computing equipment will be available for automated analysis, which can perform scans over continuous and extended periods of time. In these cases, explicit client approval will be required.
Findings Report and Results
The findings report is structured by categorising vulnerabilities according to their business impact and to the industry or sector regulations applicable where the client operates, commonly ISO 27000, PCI, the OWASP Testing Guide v4, NIST, CIS, etc.
This report is consolidated into a matrix that allows for a comprehensive review of the identified issues with a holistic view.
For each vulnerability, recommendations, mitigation actions, and technical or executive remediation measures are provided. In some cases, it is only possible to mitigate the effect of the vulnerability; in others, it is possible to eliminate it—this often depends on the feasibility of the recommendations, which may be limited by the nature of the services, applications, criticality of the systems involved, or other variables that may exceed the scope of the test.
Recommendations may be specific to each vulnerability or applicable to groups of them. They are typically delivered alongside an executive presentation and a technical document, allowing the client’s security personnel to fully understand the nature of the flaws and the course of action required for improvement.
Follow-up
Normally, the client is responsible for carrying out corrective actions based on the recommendations provided by the testing team. Therefore, follow-up processes may be defined for the vulnerabilities—typically those deemed critical or high priority.
The testing team can provide advisory support during remediation (without implementing the fixes itself, so that its independence is preserved), and it is common to schedule a retest focused on the remediated items, usually three months after the initial test.
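To make the report matrix and the follow-up process concrete, here is an added illustration (not the testing provider's own tooling) of how findings can be consolidated into a category-by-severity matrix and how the Critical/High items are selected for follow-up and retest. The 3x3 impact-by-likelihood matrix, the severity scale, the 90-day retest interval and the sample findings are all assumptions constructed for this example.

```python
"""Findings matrix and follow-up tracker.

Added example, not code from the original page. Severity is derived from an
assumed business-impact x likelihood matrix; the findings are constructed.
"""
from collections import defaultdict
from datetime import date, timedelta

LEVELS = ("Low", "Medium", "High", "Critical")

# Assumed risk matrix: rows = business impact, columns = likelihood.
RISK_MATRIX = {
    "high":   {"high": "Critical", "medium": "High",   "low": "Medium"},
    "medium": {"high": "High",     "medium": "Medium", "low": "Low"},
    "low":    {"high": "Medium",   "medium": "Low",    "low": "Low"},
}


def severity(impact, likelihood):
    """Map a finding's business impact and likelihood to a severity level."""
    return RISK_MATRIX[impact.lower()][likelihood.lower()]


# Constructed sample findings, as a testing team might record them.
# "fixable" records whether the flaw can be eliminated or only mitigated.
FINDINGS = [
    {"id": "F-01", "asset": "www (external)", "category": "Web application",
     "impact": "high", "likelihood": "high", "fixable": True},
    {"id": "F-02", "asset": "VPN gateway", "category": "Infrastructure",
     "impact": "high", "likelihood": "medium", "fixable": False},
    {"id": "F-03", "asset": "Intranet portal", "category": "Web application",
     "impact": "medium", "likelihood": "medium", "fixable": True},
    {"id": "F-04", "asset": "Mail relay", "category": "Communications",
     "impact": "low", "likelihood": "medium", "fixable": True},
]


def build_matrix(findings):
    """Consolidate findings into a category x severity matrix of counts."""
    matrix = defaultdict(lambda: {level: 0 for level in LEVELS})
    for f in findings:
        matrix[f["category"]][severity(f["impact"], f["likelihood"])] += 1
    return dict(matrix)


def follow_up_plan(findings, test_date, retest_after_days=90):
    """Select Critical/High findings for follow-up, note whether each is to be
    eliminated or only mitigated, and set the retest date (default ~3 months)."""
    tracked = []
    for f in findings:
        sev = severity(f["impact"], f["likelihood"])
        if sev in ("Critical", "High"):
            tracked.append({
                "id": f["id"], "asset": f["asset"], "severity": sev,
                "action": "eliminate" if f["fixable"] else "mitigate",
            })
    # Most severe first, so the client works the list top-down.
    tracked.sort(key=lambda t: LEVELS.index(t["severity"]), reverse=True)
    return {"retest_date": test_date + timedelta(days=retest_after_days),
            "items": tracked}


def render(matrix):
    """Render the matrix as a plain-text table for the report."""
    lines = ["%-18s" % "Category" + "".join("%10s" % lvl for lvl in LEVELS)]
    for cat in sorted(matrix):
        row = "".join("%10d" % matrix[cat][lvl] for lvl in LEVELS)
        lines.append("%-18s" % cat + row)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_matrix(FINDINGS)))
    plan = follow_up_plan(FINDINGS, date(2024, 1, 15))
    print("Retest due:", plan["retest_date"])
    for item in plan["items"]:
        print(item["id"], item["severity"], item["asset"], item["action"])
```

The separation between "eliminate" and "mitigate" is the point of the tracker: the retest only needs to confirm that Critical and High items were closed or that their compensating controls are in place, which keeps the follow-up scope small and auditable.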
Continuous Improvement Cycle
A pentest is part of a continuous improvement process: it is a systematic, analytical and proactive cycle that identifies and exploits weaknesses, technical flaws, vulnerabilities and design errors in applications in order to understand the level of information exposure, and that specifies the security controls required to protect an organisation's IT and communications infrastructure.
It is common to carry out a pentest at least once a year, which makes it possible to:
- Identify the threats and vulnerabilities to which information resources are exposed. This allows the risk impact to be quantified and adequate security measures to be implemented.
- Reduce organisational costs by providing a better return on security investment: vulnerabilities in the design and implementation of technologies are identified and resolved rather than money being spent on reactive measures.
- Obtain and maintain the certifications that regulate the industry, as applicable.
- Align the organisation with best practices and ensure compliance with internal, external and industry-specific regulations.