Penetration / Penetration Testing

Penetration / Penetration Testing

Penetrasyon Testi (pentest nedir?)
Penetration Testing (what is pentest?)

What is Penetration Testing?

penetration test, penetration test or penetration testing; It is a type of attack carried out by ethical hackers who are authorized to evaluate the cybersecurity effectiveness of computers, servers, firewalls, network systems and applications in the systems under test.

Penetration testing is also known as performing a simulation of a permissible attack on a system to evaluate the vulnerabilities in the relevant system and eliminate the vulnerabilities after testing. In order to prevent personal data held digitally from being leaked as a result of a cyber attack, it is important to have a penetration test performed within the organization to identify and close your cyber security vulnerabilities.
In addition, penetration testing is included in the technical measures guide published by the Personal Data Protection Authority.

What is Penetration Testing?

Penetration TestAfter the test is carried out to detect security vulnerabilities, design weaknesses and risks of the IT infrastructure in your institution (Penetration Test), we take the necessary actions to eliminate the vulnerabilities and carry out risk improvement studies. Thus, all information resources of the institution are secured and data security is ensured.

Penetration tests (Pentest) and Vulnerability Assessment are similar but different concepts. Vulnerability scanning is the process of finding and reporting security vulnerabilities in the target system using various software. In pentest studies, the aim is not only to identify security vulnerabilities, but also to determine additional operations that can be performed on target systems (such as infiltrating the system, accessing database information) by using these vulnerabilities.

Why Are Security Tests Necessary?

  • Regulatory Obligations: If you have or want to obtain certifications such as KVKK, ISO27001, TSE-Trust Mark, you should have your information systems regularly audited and reported by an authorized institution.
  • Risk of Data and Reputation Loss: In any attack on your information systems, you may lose your sensitive data and your brand reputation may be damaged. Therefore, you should always make sure that your sensitive data is safe.
  • Business Continuity: IT infrastructure is the lifeblood of an organization, and if it is not under control, it can bring workflows to a halt. Therefore, you should be prepared in advance for attacks on your IT infrastructure.

Penetration Test Types and Cyber Security Consultancy

  • Web Application (Web Application / Web Security) Pentest Service: Infiltration operations are carried out by pentesting for web security through the company's services that are open to the internet (such as Mail, DNS, Web, FTP).
  • Local Network Pentest Service: It is done through the institution's local network. It is carried out to show what risks any client connected to the local network may pose in terms of security. Our experts reveal your vulnerabilities and configuration errors of your assets through local tests on your local network.
  • Mobile Pentest Service: It includes static and dynamic security tests for mobile applications developed for Android and iOS operating systems. When necessary, the security of your applications is checked by source code audit and vulnerabilities are reported.
  • Cloud Pentest Service: These are security tests performed for vulnerabilities on your institution's cloud servers. In these tests, infiltration attempts are made at many points, from configuration errors on your servers to the performance rates of your security devices, and a report is prepared.
  • Source Code Analysis Service: By analyzing the source code, all applications you have produced for your institution, dealers, business partners or users are tested. The source codes of these applications are examined and the vulnerabilities they contain are identified, allowing you to take precautions against cyber attacks.
  • DDoS Pentest Service: The entire internet system of the institution is analyzed in detail and denial of service attacks (DDOS) are carried out on the system.
  • Wireless Network (Wireless) Pentest Service: It includes the examination of the wireless network infrastructure managed by the company in its internal networks, and the performance of penetration tests and reporting services against external infiltration or attacks by malicious persons.
  • Voip Infrastructure Pentest Service: It is aimed to test the frauds and vulnerabilities that can be committed through the VOIP system by performing a detailed analysis of the VOIP system used by the company.
  • Social Engineering/Phishing, End User Security Tests: Social engineering attacks are carried out by obtaining the e-mail accounts of company employees over the internet. In the penetration test, attempts to access the company's local network via the internet, APT and similar attack techniques are applied. At the same time, as a result of these tests, it is aimed to identify the weakest links by revealing the information security awareness of your employees.

BRSA Penetration Test, includes at least the following headings:

  • Communication Infrastructure and Active Devices
  • DNS Services
  • Domain and User Computers
  • Email Services
  • Database Systems
  • Web Applications
  • Mobile Applications
  • Wireless Network Systems
  • ATM Systems
  • Distributed Disconnection Tests
  • Code Analysis
  • Social Engineering
  • Internal Penetration Test (Intranet Security Checkup)

Testing by information technology experts in many areas such as social engineering, network security, ddos tests, application tests over the internet, etc. is one of the most common protection and vulnerability analysis tools in detecting security vulnerabilities. Especially with in-depth scanning of internal systems, a clear picture of the information security situation can be taken against cyber attacks of sensitive systems that may be clearly exposed. However, there are two important elements that should not be forgotten here. The first element is that the tests are tailored to the needs of institutions. The second element is that it would be appropriate to select security experts in the most appropriate way for the tests to be carried out, and to evaluate the quality of the team that will perform the penetration tests rather than the company itself.

Penetration tests performed to ensure good security are only the first aspect of the work. However, it should not be forgotten that the next stage will be more challenging. It is equally important to close the vulnerabilities identified as a result of security tests. Because security tests only make security vulnerabilities known, but this does not mean that the situation is closed.
If you wish, let's examine the details of penetration tests. In some cases, the tests may be in the form of a 3-stage test. These staged tests, called black box, gray box or white box tests, are tests that vary depending on the amount of information provided to the security expert. For example, in information security tests, tests performed without providing any information are called black box, and tests performed by providing all information (passwords, etc.) are called white box tests. As can be understood from its color, gray box tests are tests performed when the information provided is neither complete nor incomplete.

Another issue that needs to be known is the continuity of the tests performed. Changing conditions, new situations added, some mistakes made or the passage of time can make a system vulnerable again. Therefore, these tests must be repeated at certain periods and continuity must be ensured. Experts and publications on this subject recommend that these tests be carried out outsourced at least once a year and that the situation be observed by an eye outside the business.

Penetration tests are not an external security solution or a physical protection system. Therefore, you cannot measure the service received by looking at the number of vulnerabilities found. Therefore, a detailed report of the service received should be presented and, if necessary, the details of the work done should be questioned and examined in a final session meeting. Another issue is that external pentest services should not always be provided by the same company or the same expert. As the expedition progresses, the phenomenon of the external eye, which is one of its purposes, disappears. To prevent this, it is necessary/recommended to change the company every two years.

The ISO 27001 information security standard, which has become mandatory in our country in recent years, and the Personal Data Protection Law No. 6698 (KVKK for short) require security tests.

Optimized with PageSpeed Ninja