It is essential, though far less common than it should be, to be aware of the risks that your company faces. To have a real grasp of the dangers to which you are exposed, there are certain tools that you need to understand and appreciate. Otherwise, you are probably underestimating the security holes that could jeopardize the security of your company. The good news is that thanks to pentesting or penetration tests, it is possible to identify such holes accurately.
What is pentesting?
Pentesting involves a series of penetration tests, based on attacks on IT systems, in order to identify their weaknesses or vulnerabilities. They are designed to classify and determine the scope and impact of such security flaws. As a result of these tests, you can get a reasonably clear idea of the dangers to your system and the effectiveness of your defenses.
Pentests help determine the chances of a successful attack, and identify security holes that are the consequence of low-risk vulnerabilities but are exploited in a certain way. They also enable the identification of other vulnerabilities that are impossible to find with an automated network or specific software, and can be used to evaluate whether security managers are able to successfully detect and respond to attacks.
How to perform pentesting
There are several types of pentests, classified according to the type of information you have about the system. With whitebox pentests, everything is known about a system, application or architecture, and with blackbox pentesting there is no information about the target. Bear in mind that this type of classification is a practical necessity, as often the test conditions are based on the customer’s criteria.
Once this point has been addressed, it is necessary to choose between different pentesting methods. The choice will be determined by the characteristics of the system or even in line with external requirements on the company. In any case, available methods include ISSAF, PCI, PTF, PTES, OWASP and OSSTMM, among others. The details of these methods are extensive, but an in-depth knowledge of them is a necessity when implementing them.
Which method to choose?
According to some experts, two good types of pentesting are PTES and OWASP, due to the way these methods are structured. In their words, the Penetration Testing Execution Standard or PTES “in addition to being adopted by numerous highly respected professionals, is already a model to follow in training manuals for pentesting frameworks such as Rapid7’s Metasploit.”
On the other hand, the Open Source Security Testing Methodology Manual (OSSTMM), has now become a standard. Although its tests are not particularly innovative, it is one of the first approaches to a universal structure of the concept of security. Today, it has become a reference point for organizations that want to develop quality, organized and efficient pentesting, something that also applies to companies.
Alternatively, the Information Systems Security Assessment Framework (ISSAF) organizes data around what has been called ‘evaluation criteria’, each of which has been drawn up and reviewed by experts in each area of security application. The Payment Card Industry Data Security Standard (PCI DSS) was developed by a committee comprising the leading credit and debit card companies and serves as a guide for organizations that process, store and transmit cardholder data. It was under this standard that PCI pentesting was designed.
The number of methods and frameworks is extensive and varied. Choosing between them, as mentioned, will depend on understanding the needs of your company and knowing the required security standards. But in doing it correctly, you will be protecting your systems much more effectively, knowing in advance where and how they can fail. Invaluable information for those who know how to use it.