The fundamental objective of the Intrusion Test is to determine how vulnerable the client's systems are to external attacks and to assess their ability to detect and respond to such attacks. In this way, you can assess the risk facing your Internet-connected systems and the real possibilities of accessing, intercepting and modifying your company's critical information. Within the test, attempts will be made to intrude on any computer that may be accessible, either directly or through other computers. In addition, the security level of the current defenses (routers, firewalls, IDS, IPS, etc.) will be analyzed.
The increasing focus of software developers on improving the quality of their applications, the constant innovations in system administration (including Patch Management) that enable secure configurations and up-to-date systems, and the availability of increasingly widespread tools for attacking the Web have changed the view of vulnerabilities in computer systems. These major trends are converging so that application-layer (layer 7) vulnerabilities are in full growth, giving attackers a less well-defended path to corrupt systems and steal information. Web applications are currently the primary target of this type of threat. It is not enough to keep systems updated and to periodically audit for static vulnerabilities. This is part of the process, but only by performing custom vulnerability scans aimed specifically at this threat (layer 7) can you ensure that web servers are resistant to these risks. Therefore, it is necessary to perform an application-level vulnerability analysis using specialized tools, so that the organization's developers can be shown which parts of the web application's source code are currently exposed to attacks such as SQL Injection, Session Hijacking, etc. The new Regulation (GDPR) raises the stakes to a whole new level by exposing companies to substantial financial penalties if they do not submit to regular security scans and checks. Each company is obligated to run vulnerability tests and remediation in order to keep its own data, and that of all its clients and employees, safe from attacks.
GDPR MINIMUM SECURITY REQUIREMENTS: THE IMPORTANCE OF PENETRATION TESTING FOR GDPR
Security checks are being mentioned more and more frequently and marked as mandatory, especially since the GDPR came into effect. Security assessments, such as vulnerability assessment and penetration testing, are required on a regular basis in order to continuously monitor potential threats and system vulnerabilities. The details of IT security are covered and specified as crucial by the General Data Protection Regulation: "The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorized or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organizational measures are used." It states that an organization will bear full responsibility, and the penalty, in the event of an attack if it did not take appropriate security precautions.
Testing is carried out of necessity, to determine the possible presence of vulnerabilities and security threats. Vulnerabilities must be tracked down, defined and approached carefully, with the proper tools and knowledge, in order to protect data from unauthorized access. Vulnerabilities could lead to theft of information and to other kinds of abuse of unprotected or insufficiently protected data. Target application testing will be done strictly according to your request. The application will be tested through multiple scenarios that might occur, and this method will show us the variety of potential security issues, as well as the ways we can solve them.
Security testing is the first step to successfully protecting your data. The search for system vulnerabilities will allow us to move forward with preserving data by giving us insight into the realistic state of security. Our goal is to detect and completely eliminate potential security threats, which will be highly beneficial for your company on many levels, starting by ensuring that both you and your clients are inarguably secure.
METHODOLOGY
The Open Web Application Security Project (OWASP)
OWASP represents an enormous step forward in the area of IT security, testing and data protection. It is a non-profit project whose intention is to inform groups, companies and individuals from all over the world about application security. Everyone is free to join the OWASP online community, and each member has access to all relevant information, articles, tools, research and methodologies related to web application security.
OWASP provides us with many different tools. Some of them are suitable for automated vulnerability scanning (commercial and open source tools), while others are used for penetration testing (information gathering tools, authentication testing tools, data validation testing tools, web services testing tools, etc.). The OWASP Top 10 publishes annual lists of the most common vulnerabilities, most dangerous threats and most critical security risks, among others, and OWASP regularly reports on these topics.
Penetration Testing Execution Standard (PTES)
This standard originated in 2009, when the discussion about the necessity of penetration testing, and the insufficient awareness of that necessity, began. The Penetration Testing Execution Standard is divided into 7 phases, and it starts with asking and answering questions in order to get to know the system properly. This phase is known as pre-engagement interaction. It is followed by intelligence gathering, which is particularly important because it eases the following phases as well as future penetration tests. The third phase is threat modeling, and it defines the approach that will later be used to test potential threats and vulnerabilities. Vulnerability analysis discovers errors and malfunctions in the system; how it is carried out can vary, depending on the threats and vulnerabilities we are facing at this stage. Exploitation identifies ways to attack the system based on the prior vulnerability analysis. Post-exploitation is carried out in order to maintain control and protect the system. Reporting is the seventh and final phase of penetration testing according to the standard. It should contain a full summary with all important details and insights about the entire testing process.