Penetration tests are one of the basic ways of assessing the security level of an IT system. The purpose is a practical assessment of the security level of the system in terms of vulnerability to unauthorized interference from the Internet.
Virtline performs tests in two stages: automatic scanning of the network using specialized tools, followed by manual verification of security. Every service available on the Internet is manually subjected to simulated attacks using various types of applications and exploits. Each test concludes with a detailed report that is discussed with the client.
The elements of automatic scanning include:
- Scanning for vulnerabilities (including IPv4/IPv6/hybrid networks)
- Detection of vulnerabilities without authentication
- Finding errors in system configuration
- Finding outdated, unsupported software
- Finding default passwords in use or guest accounts
- Testing password strength (brute-force attack)
- Possibility of scanning network devices
  - Switches (Juniper, Check Point, Cisco, etc.)
  - Network drives
- Possibility of scanning various operating systems (Windows/Linux/MacOS etc.)
- Risk assessment based on five severity levels (Critical, High, Medium, Low, Informational).
The components of manual network penetration tests include:
- System identification using available network services (e.g. WWW, SMTP, FTP, Telnet)
- Searching for computers and network devices available from the Internet, and discovering the types and versions of their operating systems and other software in order to detect known vulnerabilities
- Penetration of the system using TCP and UDP port scanners and security scanners commonly used by hackers
- Analysis of network topology accessible from the Internet
- Analysis of the results obtained from the scanning application
- Security breach simulation
- Assessing the system’s resilience to destructive attacks with the help of professional tools
- Evaluation of the security system’s response to attacks
- Analysis of firewall system security
- Analysis of penetration test results in order to assess the threat to the integrity of the system and the possibility of an unauthorized person accessing data.