Why Penetration Test?

The methodologies of penetration testing are based on standards established by the cybersecurity community, relevant government agencies, and private sector organizations. These standards allow penetration tests to produce more consistent, reliable and repeatable results. In Turkey, the TS-13638 standard from the Turkish Standards Institute provides guidelines for penetration tests. Worldwide, standards such as NIST SP 800-115, PTES, OSSTMM, and OWASP are widely accepted and implemented for penetration testing and security audits. Cyberel Cyber Security provides services in accordance with local and global standards.

Many important regulations and standards, such as BRSA, EMRA, PCI-DSS, ISO 27001, Trust Stamp and KVKK, require penetration tests. These tests should be performed periodically, at specified intervals, or whenever significant changes are made to the system. We can think of the penetration test as the annual check-up of an information system. These tests identify the company's potential security vulnerabilities.

Penetration testing is critical in cybersecurity and is essential for an organization to continually evaluate and improve its security posture. Therefore, penetration testing is becoming increasingly important in the modern business world.

Penetration Test Stages

01

Data Collection

In cybersecurity, information gathering plays a critical role in the success of a penetration test. This stage aims to gather in-depth information about the target system or organization. Technical methods (whois/DNS queries) and non-technical methods (search engines, social media, newsgroups, etc.) are used to collect information that can help the attacker determine a targeted strategy.

02

Network Mapping

Once information about the target has been collected, it is verified and analyzed in depth. Network mapping is used to determine the network structure and topology of the target. A detailed network map is created with operations such as port scans, service analysis and network device detection.

03

Classification

At this stage, an in-depth analysis is performed on live systems. Detected ports, running services and the version information of these services are collected using banner grabbing. The information obtained is compared with vulnerability databases to detect potential vulnerabilities. Particular attention is paid to active network devices, administrative services and version information.

04

Vulnerability Detection

In this critical stage, possible vulnerabilities on the target system are determined. Using the information obtained, potential security vulnerabilities are analyzed in detail with automated vulnerability scanning tools and manual methods, and the exploitation risk of each identified vulnerability is evaluated.

05

Obtaining Rights

After vulnerabilities are detected, work on exploiting them begins. Operations such as privilege escalation, data access and system control are attempted on the target system. In this process, care is taken not to damage the target system.
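
The comparison described in the Classification stage (service versions taken from banners, checked against a vulnerability database) can be sketched as follows. This is an added example, not Cyberel's tooling; the banners, the advisory table, its version ranges and the EXAMPLE-ADV ids are all constructed placeholders.

```python
import re

# Constructed banners, as an inventory of your own hosts might record them.
SAMPLE_BANNERS = {
    ("192.0.2.5", 22): "SSH-2.0-OpenSSH_7.4",
    ("192.0.2.5", 80): "Server: Apache/2.4.49 (Unix)",
    ("192.0.2.9", 80): "Server: nginx/1.24.0",
    ("192.0.2.9", 21): "220 ProFTPD Server ready.",  # version suppressed
}

# Constructed advisory table: (product, first affected, first fixed, id).
# Ranges and ids are placeholders, not real advisories.
ADVISORIES = [
    ("openssh", "7.0", "7.6", "EXAMPLE-ADV-001"),
    ("apache", "2.4.49", "2.4.51", "EXAMPLE-ADV-002"),
    ("nginx", "1.20.0", "1.22.1", "EXAMPLE-ADV-003"),
]

BANNER_RE = re.compile(
    r"(?:SSH-[\d.]+-|Server:\s*)?([A-Za-z]+)[/_ ]v?(\d+(?:\.\d+)+)")

def ver(text):
    """'2.4' -> (2, 4, 0): pad to three parts so tuples compare cleanly."""
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def parse_banner(banner):
    """Return (product, version tuple), or None if no version is exposed."""
    m = BANNER_RE.search(banner)
    return (m.group(1).lower(), ver(m.group(2))) if m else None

def classify(banners, advisories):
    """Split services into advisory candidates and ones needing manual review."""
    findings, unknown = [], []
    for (host, port), banner in sorted(banners.items()):
        parsed = parse_banner(banner)
        if parsed is None:
            unknown.append((host, port))  # no version: not the same as clean
            continue
        product, version = parsed
        for name, first, fixed, adv_id in advisories:
            if name == product and ver(first) <= version < ver(fixed):
                findings.append((host, port, product, adv_id))
    return findings, unknown

if __name__ == "__main__":
    hits, review = classify(SAMPLE_BANNERS, ADVISORIES)
    print("candidates:", hits)
    print("manual review:", review)
```

A banner match is only a candidate: distributions often backport fixes without changing the reported version, so each hit still has to be verified, and services that hide their version go to manual review rather than being treated as unaffected.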