IT Penetration Test

IT Penetration Test
Penetration test is a process performed against IT (Information Technology) assets and used to detect Cyber Security threats in advance. The IT assets are tested with the penetration test and the vulnerabilities on these assets are determined. The vulnerabilities found and the methods of removing these vulnerabilities are also processed within this process. Penetration tests are carried out in scenarios for each asset type. With these scenarios, the scope of the test to be performed, its progress, penetration techniques, and techniques for circumventing security devices and products are determined. Penetration tests are carried out on the basis of both national and international methodological approaches. The national and international methodological approaches that penetration tests take as the basis are as follows.

  • National Metadological Approaches
    • TSE (TS-13638)
    • SOME Guide Published by Civil Aviation
    • Circular of BRSA (Banking Regulation and Supervision Agency) Penetration Tests Regarding Information Systems

  • International Metadological Approaches
    • NIST 800-115
    • OSSTMM (Open Source Security Testing Methodology Manual)
    • ISSAF (Information Systems Security Assessment Framework)
    • OWASP Testing Guide
    • SCADA Methodology

Penetration tests based on national and international methodologies are applied using the following 3 main methods.

  • Black Box

In this approach, no information is given to the test team about the systems to be tested for security initially. It is expected that information about a completely unknown system will be collected and tests will be made. In this method, since the test team will not have any information about the system, there is a possibility of accidentally damaging the system. The information gathering phase takes a lot of time. It is the longest test approach in terms of duration.

  • Gray Box
In this approach, information about the system is available. For example; IP address list, version information about the server system, etc. The information is provided in advance to the team that will perform the security test. It takes less time than the Black Box approach. Since the IP addresses to be checked and tested are determined, the possibility of unintentional damage to the system is reduced.

  • White Box

In this approach, the security test team is fully informed about the system itself and the additional technologies running in the background. It provides greater benefit to the institution and the company compared to the Black Box technique. Since it will be easier to find errors and vulnerabilities, the time to take measures for them will be reduced. There is little risk of damage to the system.

The penetration test is carried out within the scenario determined in the "Penetration Test Kick-Off Meeting" previously held with the Customer. Penetration testing for IT assets is carried out on the basis of national and international methodologies to cover all topics below.

  • Web Applications Penetration Tests
  • Domain Penetration Tests
  • Client Side Penetration Tests
  • Database Penetration Tests
  • Network Penetration Tests
  • E-Mail - DNS Services Penetration Tests
  • Wireless Network Penetration Tests
  • Denial of Service (DDoS) Tests
  • Social Engineering and Target Oriented (APT) Penetration Tests
  • Firewall Bypass Tests
  • URL, Content Filtering and Spam Gateway Products Elimination Tests
  • Virtualization Systems Penetration Tests
  • Penetration Tests for Cloud Systems