The meaning of the word "penetration" in the concept of Penetration Test can be translated into Turkish as "digging through" or "sneaking in". The purpose of the test is to determine and prevent the results that will occur in digital and physical infrastructures if an unauthorized person acts by penetrating security measures.
Penetration tests, which are one of the leading offensive cyber security studies, are trying to infiltrate all the infrastructures of the system as a real attacker. Unlike vulnerability analysis, vulnerabilities detected are exploited just like hackers and all security violations that can be made within the system are tried to be realized. With penetration tests, which have become a necessity for the institutions under its management by various authorities, it is aimed to take the security importance by infiltrating the systems before the attackers.
In penetration tests where the number of experts increases according to the size of the projects, team members selected from globally valid certified experts such as CEH, OSCP, OSWP have expertise in more than one subject. Infiltration tests performed by UITSEC experts are carried out using the most up-to-date techniques. Thanks to the advanced intelligence network and security center, you can determine the consequences of your institution and infrastructure under a possible current cyber attack by applying the most advanced and popular techniques detected in your systems.
The most up-to-date safety recovery studies are also carried out during penetration tests, where you can also measure the detection and prevention capabilities of your safety systems. The test type and approaches presented during penetration tests are as follows.
Infrastructure tests performed within the framework of Penetration Tests are provided, but not limited to the following.
- Communication Infrastructure and Active Devices Tests
- DNS Service Tests
- Domain and User Computers Tests
- E-mail Service Tests
- Database Systems Tests
- Web Applications Tests
- Mobile Applications Tests
- Wireless Network Systems (Wi-Fi) Tests
- Voice over IP (VoIP) Tests
- Server Systems Tests
- Industrial Control Systems (SCADA) Tests
- Social Engineering Tests
- Virtualization Systems Tests
- Distributed Denial of Service (DDoS) Tests
- IoT Systems Tests
- Source Code Analysis
- Specialized infrastructure tests like SAP
Working Method / Methodology
Within the scope of Penetration Test service, studies are carried out with the following procedure.
Globally accepted methodologies are applied and adapted in Penetration Tests.
- OWASP
- NIST SP-800
- OSSTMM
During the information collection phase, information about the infrastructure, personnel and business model of the institution is collected. The main purpose of this step is to determine the targets of the attacks that can be carried out in the whole structure. UITSEC experts assess possible risks by predicting before evaluating vectors. The success dependencies of the attack are examined (for example, an IPS system in-between can affect the success rate), and all the steps of predictive development and attack scenario development are carried out at this stage, such as determining what attacks can be made in the infrastructure.
Vulnerability Analysis method is used to identify and evaluate the vulnerabilities found and the security risks that may occur. With the detection of vulnerabilities, studies are carried out to exploit the system and its security. Some of the vulnerability announcements only describe the method and the exploit is not published.
In case of exploitable vulnerabilities, our experts make the necessary improvements and perform the attacks. In cases where the exploit code cannot be developed, the technique described is completely manual and the steps are documented in detail. In the post-abuse phase, the value of the abused system and its use in the future are obtained.
Each infiltration route detected after the penetration test study is reported according to the risk level. All vulnerabilities are measured with the Common Vulnerability Scoring System's (CVSS V3) score information.
The most basic approach that distinguishes penetration tests from vulnerability tests, namely hacker attack routes, constitutes an important part of the study. Each attack route is reported with screenshots. Current and best applicable solutions and suggestions are presented together with the findings for the elimination of the detected findings.
In line with the report presented, it is ensured that the security of the institution is ensured by performing verification tests on whether the findings determined in an agreed time frame are closed or not.
UITSEC's world-class cybersecurity expertise and experience enable you to clearly determine whether your infrastructure meets the needs in terms of enterprise security.