Intrusion test methodology
Synetis carries out non-destructive penetration tests (internal, external and application) on the various components of an information system (IS). These tests simulate the behaviour of a malicious individual, whether or not that person is external to your organisation. Each identified vulnerability is rated using the CVSS v3 methodology (the Common Vulnerability Scoring System, a standard that rates the severity of a vulnerability on a 0 to 10 scale from its exploitability and impact metrics). An action plan is then proposed at the end of each audit.
The principle of penetration testing (also known as pentesting) is to discover vulnerabilities in an audited system and to verify their exploitability and impact under the real conditions of an attack on that system, from the position of a potential attacker.
For example, during a web application audit (web pentest), the auditors try to find vulnerabilities the same way an attacker would. Synetis auditors look in particular for the classes of vulnerability referenced by the Open Web Application Security Project (OWASP).
During internal intrusion tests, Synetis auditors take the point of view of a malicious individual located on your premises and connected to your company network, first without and then with legitimate access (i.e. black box, then grey box). It is also possible to start the audit directly from a corporate workstation. This type of test lets you evaluate the effectiveness of network and system segmentation and verify the hardening of the resources the attacker could reach. These intrusion tests are most often performed in a Windows environment.
The growth in the use of SaaS and cloud hosting services over the last few years has made them particularly interesting targets for attackers, opening new doors from the outside to internal access on the company's information system. Recent events have also made it all the more urgent for companies to open new flows from the outside so that their employees can work remotely: VPN access, remote desktop access, port openings, etc. An external intrusion test carried out by Synetis then enumerates the vulnerabilities of this externally exposed perimeter.
Depending on your needs, the methodology followed can be black box (point of view of an unauthenticated attacker with no prior knowledge of the system), grey box (point of view of an authenticated user) or white box (full access to the specifications and documentation of the system).