Penetration test (or “pentest” as it is often called) is a method for assessing the security of an information system by simulating actual attacks in real life conditions.
In order to achieve that, highly trained SCRT engineers will act like actual hackers and try to detect and exploit any security breach that would allow compromising the target information system.
Depending on the customer's needs and the desired attack scenario these attacks can be performed against various target types like a whole information system, a subset of chosen subnets or a single application. They can also target more specific target types like WiFi networks, VoIP infrastructures or SCADA environments.
In order to cover the whole spectrum of relevant attacks SCRT engineers can perform attacks based on various attack profiles. These attack profiles are mostly determined by two criteria: positioning and access level.
Positioning determines the source of the attacks with respect to the targeted information system. It can be any one of the following scenarios:
- External: In this scenario, SCRT engineers play the role of an external hacker attacking from the Internet.
- Internal: In this scenario, SCRT engineers play the role of an internal hacker acting from within the customer's information system.
Access level determines how the attacker would usually interact with the targeted system. It can also be any one of the following scenarios:
- Without credentials (black-box): In this case, the attacker does not possess a logical access to the targeted systems. He does not have a user account or any knowledge of the system.
- With credentials (grey-box) : In this case, the attacker does have access to the system through a set of credentials and may or may not have knowledge of how the system actually works.
- With full access (white-box) : In this scenario attackers have access to all the relevant information regarding the target information system. This may include various user accounts, network and infrastructure schemas or applications source code.
Most of today's computer attacks rely on or at least include “social engineering” components. Be it targeted spear-phishing scenarios aimed at fooling users into infecting their workstations or more generic attacks aimed at obtaining sensitive information from unaware users.
Social engineering is a type of attack aimed at exploiting the users in order to gain some level of access into a computer system. Indeed badly informed people may – without even noticing it – help an attacker into achieving his goal by revealing to him critical information like passwords or other similar sensitive data.
In order to test the level of awareness of a company's employees against this type of scenarios, SCRT proposes to perform social engineering attacks targeting them. These attacks may be based on common scenarios (e.g. a targeted phishing attack) or they can be customized to fit a customer's specific needs (e.g. including physical intrusion attempts in sensitive building areas).
Social engineering attacks may be performed in a standalone basis or they may simply be part of a more global penetration test. Allowing SCRT engineers to include social engineering attacks during a penetration test greatly increases the likelihood of obtaining real-life like results. Indeed actual attackers would not hesitate to perform social engineering during an attack in order to achieve their goals.
© 2002-2017 SCRT. All rights reserved.