In 2021, the number of cyberattacks on every company increased worldwide by 40%. Protecting your resources against malicious users is getting more and more difficult.
Even the most secure infrastructure may have some vulnerabilities that threaten your company. How can you make sure that you have covered all possible threats and that your resources are securely protected?
To achieve this, you can do a pen test, i.e., a specially designed penetration test. We’ll explain what it is based on the example of our service.
What a pen test is
A pen test implies testing your infrastructure and applications for malicious penetration opportunities. The test consists in simulating a malicious attack, checking how deeply attackers can penetrate into your system, and calculating how much damage they can cause to your company.
The pen test is conducted from the attacker’s position. As a result, the vulnerabilities of your infrastructure and applications are identified. We check how dangerous they are and give recommendations on the ways to eliminate them.
You can test your application, the entire IT infrastructure, or its individual elements: databases, various network services (for example, email), network equipment, applied software, or user and server operating systems.
How pen test is conducted
There are different testing methodologies. The Gcore’s pen test is based on two techniques:
- OWASP Web Security Testing Guide is the main methodology for testing the security of web applications. It was developed by the international OWASP consortium. It is a complex web resource testing guide that has incorporated the best practices of the world’s pen testers.
- Penetration Testing Execution Standard contains basic testing recommendations. Special attention is paid to determining the pen test’s goals and objectives correctly depending on the characteristics of the resource to be tested.
The test involves 5 stages:
- Infrastructure research. Experts analyze your systems, collect maximum information about malicious users’ potential goals, and analyze the collected data.
- Threat modeling. Based on the data obtained, possible attacks are simulated. Two possible scenarios are taken into consideration: an external penetration and the actions of the company’s employees having access rights.
- Vulnerability analysis. Specialists look for the flaws in your systems, such as potential entry points and attack vectors, and select appropriate hacking tools and methods.
- Exploitation. Experts imitate attacks, while bringing the simulation as close to real conditions as possible and trying to outmaneuver the security system.
- Post-exploitation. Experts calculate financial losses caused by the attack and the costs of eliminating the consequences.
What you get as a pen test result
After the pen test, you will receive a report containing recommendations on how to fix the vulnerabilities revealed.
For example, our pen test report includes:
- summary and a full testing checklist;
- methodology description;
- current possible security threats;
- detailed description of the vulnerabilities detected;
- recommendations on how to eliminate them and enhance the security of your infrastructure.
The vulnerabilities list includes a CVSS assessment (Common Vulnerability Scoring System), attacks scenarios, and their possible consequences.
This means that we will explain to you in detail which security problems we have found, which consequences they can lead to, and how to avoid it.
A few more words about Gcore’s pen test
Our pen test service has been launched only recently, but we have a lot of experience in solving security issues.
We have our own WAF (Web Application Firewall) that protects our clients’ web applications against cyberattacks. Our servers are protected against DDoS attacks at layers L3, L4, and L7. We have managed to repel quite a number of threats and we know how malicious users act. This means that we are capable of simulating their actions and checking all your systems in detail.
Summary
- Pen test is a new service provided by Gcore. It implies testing your applications and infrastructure for vulnerabilities. The test is carried out in the form of simulating malicious users’ real attacks.
- Our pen test involves 5 stages: analyzing your infrastructure, simulating possible threats, looking for vulnerabilities that can be exploited, imitating an attack, and determining its consequences.
- After the pen test, you receive a detailed report containing a description of the methodology used, the information about the vulnerabilities found, and the consequences of their exploitation. We also give you recommendations on how to eliminate your system’s weaknesses and enhance its security.
- Gcore has an extensive experience in repelling cyberattacks. We know how malicious users work and we are capable of revealing all the weaknesses of your system.