What is a Penetration Test (PT)?
It is a simulated cyber-attack carried out with the same methods a real attacker might use. It is a sophisticated technique that requires highly experienced professionals. It identifies vulnerabilities and classifies them by their impact, by the skill level required of the attacker, and finally by the complexity of the remedies to be implemented. It is a fundamental activity for cybersecurity.
Who performs PTs, and how?
PTs are performed by Ethical Hackers who adopt the mindset and techniques of cybercriminals, exploiting the vulnerabilities that exist in every system. They are carried out with the full consent of the company that commissions them, without disrupting the operation of the systems under test, and in accordance with strict international standards. Security experts then use the attackers’ strategies and actions to assess the risks and vulnerabilities of an organization’s computer systems, network, or web applications. The Penetration Test takes the hacker’s perspective to identify risks and mitigate them before they materialize. The term “penetration” refers to how far a hypothetical hacker could penetrate an organization’s cybersecurity measures and protocols.
Why would a company do a PT?
The growth of Cyber Threats and Cyber Crimes, in both number and severity, is pushing more and more companies to protect themselves with an adequate security policy. PTs are required by numerous national regulations and quality certifications, such as ISO 27001. They are essential for identifying, prioritizing, and carrying out the actions needed to strengthen cybersecurity, and thus for minimizing the chances that criminal attacks succeed.
What are the risks if you don’t do PTs?
Gaps and vulnerabilities are left open and may be exploited by malicious actors, causing economic, legal, and reputational harm to the company.
Why do a PT with BCyber?
Our Red Team of certified professionals with decades of experience can perform even the most complex PTs, in complete safety and in close collaboration with customers. We have more than 30 years of experience in this sector, combined with a modern, customer-oriented mentality.
- Identifies the vulnerabilities of the company under test before the Cyber Criminals do
- Shows the real risks for the company, offering an independent and external point of view
- Tests the effectiveness of the defences already in place in the company
- Provides a report that guides the company toward concrete solutions
How a PT is structured
- Attacks are simulated from outside and/or inside the corporate network, against web applications, and against the systems defined by the customer
- Identified vulnerabilities are exploited to breach the network perimeter, bypass user privilege restrictions, simulate malware installation, read confidential data, encrypt data, and so on
- The results are collected in a report that lists the vulnerabilities found, their impact, the level of skill required of the attacker, and the complexity of the defensive solution
- After patching the problems that emerged, a re-test is recommended to verify the real effectiveness of the actions taken
How long does it take?
The time varies depending on the complexity of the network, the number of servers and clients, and the individual Web Applications.
For example, for a company with 8 external IPs, one internal subnet, and 1 Web Application, it takes about 20/25 days, including the drafting of the reports.
How often should it be done?
The various regulations and certifications prescribe different cadences depending on the sector and the individual company. In general, every company should have an annual Penetration Test plan, ranging from a minimum of once a year up to four times a year for the most exposed companies.
We have carried out Penetration Tests for companies of all sizes and sectors, from hotels to industry, banks, retail, utilities, couriers, and ICT companies. Our work is strictly covered by NDAs; however, we can provide references with the explicit consent of our past customers.