PENETRATION TESTING (PT) IS THE PROCESS OF EVALUATING THE CURRENT SECURITY STATE OF A SYSTEM OR NETWORK TO FIND VULNERABILITIES THAT AN ATTACKER COULD EXPLOIT TO GAIN UNAUTHORIZED ACCESS TO SYSTEMS AND INFORMATION.
This process involves identification of security weaknesses that may result due to improper security configuration of system or application, known or unknown vulnerabilities in hardware or software systems.
Black Box Penetration Testing is a method of testing the security level of an organization to simulate an attack which a hacker might undertake to exploit the weaknesses in target network and applications and breach them. Black Box Penetration Testing is performed without any prior knowledge of the organization system, network, or applications.
In Black Box Penetration Testing, we mainly focus on company infrastructure, business logic flaws, applications and services provided by customer. Cloud4C Team follows industry best practice methods and approach to perform Black Box Penetration testing. Black Box penetration testing will be performed on all discoverable applications, servers and network devices.
Service ObjectiveThe objectives of the Black Box Penetration Testing service are:
Simulate a real hacking scenario (i.e. Think like a hacker) to test the strength of existing security defences and countermeasures.
Validate the configurations of Information Technology (IT) Assets and produce a list of known vulnerabilities present in systems and applications and mitigate those before they are exploited by adversaries.
Provide a detailed report on each security bug and suggest better remediation guidelines for each of the security issue.
Scope of ServiceThe scope of Black Box Penetration Testing is all discoverable IT assets. The IT assets include firewalls, routers, VPN, IDS/IPS, Web servers, Application servers, Database servers, etc.
When performing Penetration Testing, our tests are compliant to safe checks designed to limit any negative impact on the organization’s production environment.
Process of Black Box Penetration TestingIn delivering the Black Box Penetration Testing services, Cloud4C will use a combination of automated and manual scanning methods and will utilize commercial and publicly available tools, as well as custom scripts and applications that were developed by Cloud4C.
Penetration testing process involves following steps:
Gathering preliminary data or intelligence on the target organization. The data is gathered to better plan for the attack. Information gathered in this step includes IP address ranges, public email addresses, web sites and others.
- Scanning & Enumeration:
Gathering more information about the connected systems and running applications and services in the organization’s network. Information such as operating system type and version, user accounts, email addresses, service version and release numbers are also gathered.
- Identify vulnerabilities: Based on information gathered in the previous two phases, we will identify weak services running in your network or applications that have known vulnerabilities
Using readily available code or create customized one to take advantage of identified vulnerabilities to gain access to the target vulnerable system.
- Privilege escalation:
In some cases, the existing vulnerability provides low level access only such as normal user access with limited privileges. In this step, we will attempt to gain full administrative access on the machine.
PrerequisitesThe client should provide details of Primary Contact (PC) that must be available to Cloud4C during the entire engagement. The representative must have sufficient authority to schedule testing and address any issues that may arise.
DeliverablesUpon completion of the External/Internal Penetration Testing, a detailed report will be sent to client, including the following:
- Executive Summary
Summary of the purpose of this assessment, as well as a brief explanation of the threats that the organization is exposed to from a business perspective.
A detailed, technical explanation of the findings of the assessment along with steps and proofs of the findings.
- Conclusion & Recommendations: This section provides all recommendations and summary of the issues found during the security assessment.
- Executive Summary
Service delivery timeThe Black Box Penetration Testing service on 5 IT Assets can be completed in ten business days.