Disclosing weak points in the security of an information system
Penetration tests form an important component of a security analysis. Attempts to infiltrate the different parts of a company’s information system (from inside and outside) are carried out using diverse tools. The results of these tests should disclose weak points in the security of the information system, the stored data and the infrastructure of the tested subject.
Penetration tests look for and apply the methods of attacking an information system that potential computer criminals would use. The main goal of these activities is to examine the information system’s security against infiltration and, at the same time, to show the analyzed company where the weak points are and how the information system could be attacked.
Depending on the testing environment, we can carry out penetration tests in several variants:
- external penetration tests – verification of the internet connection and of the security of your system against attacks from the Internet
- internal penetration tests – verification of the security of the internal network and equipment against attacks from within the company, e.g. malicious behavior of employees, whether conscious or unknowing, or malicious behavior of other subjects who have the right of access to the internal network
The attacks can cause the following damage:
- service unavailability – so-called DoS or DDoS attacks (Denial of Service or Distributed Denial of Service) – the attacked service stops responding to legitimate users’ requests; it may “freeze”, or the server may restart
- unauthorized access – the attack can lead to a situation in which the intruder gains unauthorized access to equipment, servers, services or data. The intruder can then make unauthorized configuration changes, erase or modify files, etc. This infected server is frequently used as a base for attacks on other devices
- obtaining of confidential information – attacks could result in sensitive information being obtained
Benefits of implementing penetration tests:
- it strengthens the security of the company’s information system and consequently its reputation with customers and business partners
- it averts possible violations of the organization’s system resources from both the outside and the inside (illegal SW installation, undesirable interference with the system configuration, etc.)
- it reduces the expenses of restoring an affected system