WHAT IS A PENETRATION TEST?
A penetration test, known for short as a pentest, is a simulated trial attack applied to the infrastructure networks that make up a company's information systems. Its purpose is to detect vulnerabilities and weaknesses, including any among internal users, against attacks and leaks that come from outside.
WHAT ARE THE TYPES OF PENETRATION TESTING?
Penetration testing is offered as 3 different test methods, with sector-specific packages as separate services.
1-WHITE BOX PENETRATION TEST
The tester obtains all information about the infrastructure from authorized persons within the company and has information about all the systems used. This method tests and reports the damage that can be caused to the systems by people who previously worked at the company, who still work there, or who later joined the network as guests.
Scope Of The Test
* Vulnerability scanning of external IP addresses, DNS records, MX records and ADSL, XDSL, GHDSL lines
* Vulnerability scanning of all active devices and user computers on local networks and VLANs
* Vulnerability scanning of all physical and virtual servers on local networks and VLANs
It is a test that allows you to scan for vulnerabilities for the ISO 27001 standard.
For a system with 1 Class C (/24) IP block without VLAN separation and 8 external IP blocks:
Scan Time: 2 Days
Attack Tests: 1 Day
Reporting: 1 Day
Recommendation + Reporting: 5 Days (Optional Service)
2-BLACK BOX PENETRATION TEST
In this penetration test, no information about the company's sites is shared with the firm performing the test; only the target to be tested is given. The tester acts as a hacker trying to break into the system in order to leak or damage information, and the damage that could actually be caused is determined and reported.
Scope Of The Test
* Vulnerability scanning of external IP addresses, DNS records and MX records
* Vulnerability scanning of open applications (all web-based applications and services)
* Vulnerability scanning of IPS, IDS, firewall, router and ADSL, XDSL, GHDSL lines across the external IP blocks
It is one of the tests that allows you to scan for vulnerabilities for ISO 22301.
For a system with 16 external IP blocks:
Scan Time: 3 Days
Attack Tests: 2 Days
Reporting: 0.5 Days
Recommendation + Reporting: 3 Days (Optional Service)
3-GRAY BOX PENETRATION TEST
It is a broad penetration test covering both the White Box and Black Box tests. It is a test for both inside and outside threats. In the Gray Box test, social engineering attacks, wireless network attacks and phishing e-mails are added as well.
It is the test that provides full qualification for ISO 27001 and ISO 22301.
For a system with 1 Class C (/24) IP block without VLAN separation and 8 external IP blocks:
Scan Time: 4 Days
Attack Tests: 2 Days
Reporting: 1 Day
Recommendation + Reporting: 7 Days (Optional Service)
INDUSTRY-SPECIFIC TESTS
A ) IN-HOUSE DATACENTER PENETRATION TEST
It covers White Box and Black Box tests. It is a test for both inside and outside threats. In addition, stress testing is performed on all active devices and on their connections to edge and endpoint devices.
It is the test that provides full qualification for ISO 27001, ISO 22301 and ISO 20000-1.
For a system with 1 Class C (/24) IP block without VLAN separation and 8 external IP blocks:
Scan Time: 3 Days
Attack Tests: 2 Days
Reporting: 1 Day
Recommendation + Reporting: 6 Days (Optional Service)
B ) PENETRATION TESTING IN SOFTWARE DEVELOPMENT COMPANIES
It covers White Box and Black Box tests. It is a test for both inside and outside threats. In addition to all active devices and edge and endpoint devices, it includes code security testing (including services such as Git and TFS), and cloud services and customer connection links are also tested.
It is the test that provides full qualification for ISO 27001, ISO 22301, ISO 20000-1 and COBIT.
For a system with 1 Class C (/24) IP block without VLAN separation, 8 external IP blocks, 6 people and six software development personnel:
Scan Time: 4 Days
Attack Tests: 1 Day
Reporting: 2 Days
Recommendation + Reporting: 8 Days (Optional Service)
Code security test: a special test performed on the computers that process shared source code within the software team. It is applied to the source code only, separately on each development computer.
Cloud test: consists of data analysis and connection security analysis of all connections to services that are sold or continuously connected.
D ) PENETRATION TEST IN ACCORDANCE WITH THE PERSONAL DATA PROTECTION ACT 6698
It covers White Box tests. It is a test for both inside and outside threats. In addition, it covers all active devices and edge and endpoint devices, and includes personal data analysis, data classification and labeling analysis, access and authorization analysis, the security of personal data fields, vulnerability scanning, data analysis, and testing the appropriateness of the software used.
It is a test that allows you to scan for weaknesses against the requirements of ISO 27001, ISO 22301 and KVKK compliance.
It covers tests that are recommended to be performed in accordance with the law for companies that host and process personal data, such as hospitals, hotels, human resources consulting companies, companies and agencies providing passenger transportation, insurance companies, etc.
For a system with 1 Class C (/24) IP block without VLAN separation and 8 external IP blocks:
Scan Time: 5 Days
Attack Tests: 3 Days
Reporting: 3 Days
Recommendation + Reporting: 10 Days (Optional Service)
WHAT ARE THE PENETRATION TEST STAGES?
Step 1: Collecting Information
During information collection, no active scan is performed on the system that will be penetration tested. This stage is purely passive information collection.
Step 2: Scanning and Classification
In the scanning and classification step, the "scanning" process is performed on the system to be tested, based on the information collected in the first stage, and the analysis results are obtained.
Step 3: Get Access
In this step, based on the analysis carried out, an attempt is made to gain access through the vulnerabilities found on the system being tested.
Step 4: Manage Access
In this step, the access rights obtained through the vulnerabilities are managed.
Step 5: Hide Traces
In this step, the traces left on the target system by the access operations performed in the first 4 steps are cleared or, conversely, further traces are left.
Reporting:
Standard Report
At the end of each test, a comprehensive penetration test report is prepared, covering the vulnerabilities and exposures across the entire system.
Standard Report + Recommendations
At the end of each test, a comprehensive penetration test report is prepared, covering the vulnerabilities and exposures across the entire system. All causes of the exposures and vulnerabilities in the report, as well as all recommendations for eliminating these causes, are also reported separately. When preparing recommendations, all weaknesses and the root causes behind them are analyzed.
Once the report service that includes recommendations has been received, a second vulnerability scan is performed free of charge within the scope of the recommendations.