PENTEST (OU TEST D'INTRUSION)

Pentesting (or "ethical hacking") is an intrusion test, the objective of which is to simulate a cyber attack in real conditions, in order to detect vulnerabilities that could be exploited on a computer network, on a digital product, on an application, etc.

 

The pentest is therefore, in other words, a security audit, a so-called "black box audit". All security audits aim to assess the security level of a network infrastructure, to identify potential entry points for malicious actors, in order to correct these flaws.

 

There are three main types of security audit: the black box audit (the pentest), the grey box audit, and the white box audit, all so called to refer to the amount of information available to the attacker, here the consultant.

 

1- In a black-box audit, the consultant has little or no information. The consultant has information available to any attacker: an IP address, a URL. The objective is then mainly to determine, for a product, an application or a network infrastructure, which entry points exist, and how long it takes for an attacker to enter the system?

 

2- During a grey box audit, the consultant generally has access to a user account with the least privileges (i.e. without administrator privileges). The primary objective is to determine to what extent it is possible to exceed these privileges in order to go further and carry out an attack.

 

3- The white-box audit is the most transparent and exhaustive of the three. The consultant has all the information he needs (configuration and internal architecture elements) in order to carry out an in-depth analysis. We also offer white-box audits, with variable perimeters and durations depending on your needs. Do not hesitate to consult this page to find out more.

 

 

 

​

Pentest (or black box audit)

 

The particularity of the black box audit is that it is carried out in conditions as close as possible to the real conditions of an attack. Thus, the consultant has no (or very little) information about the company. So-called "ethical" hackers put themselves in the shoes of an attacker who would target an organisation. Insofar as the attacker (i.e. the consultant) has no information about the organisation being audited, the scope of the attack can be very broad (although it is still possible to pre-define an audit scope).

 

The consultant then generally has an IP address or URL, through which he will attempt to carry out a targeted attack.

 

It is then necessary to determine: 

• What are the potential entry points to a network, an information system, a product or a digital application?

• How can these vulnerabilities be exploited by malicious actors?

• How long would it take for an attacker who discovered a security vulnerability to exploit it?

• And what could be the consequences of exploiting these vulnerabilities (this is the "vulnerability exploitation" part).

 

 

 

Exploiting vulnerabilities or not?

 

Within the framework of a black box audit, the consultant can go as far as the exploitation of the flaws discovered, if the company so requests.

 

In this case, not only does the consultant explain which vulnerabilities have been exploited to enter the system, but he will also demonstrate this by showing, for example, the confidential data to which he was able to gain access.

 

 

 

When to perform a pentest / penetration test?

 

It is possible to carry out a pentest at any time.

 

The pentest is a particularly useful audit technique for verifying the effectiveness of the implementation of countermeasures recommended following a white-box audit and remediation campaign. In particular, it allows us to verify, following a white-box audit, that the corrective measures implemented are effective and relevant.

 

However, when you feel ready, you can have a pentest performed on your infrastructure, your information system, your product or your application at any time.