In preparation for the pentest, a plan is made with a set of targeted attacks, depending on the technology used in the company and its security needs. For this, auditors have methodologies: some are specific to the IT security and cyber security area or to the security standards that we want to implement, and others are more general and help them carry out the tests systematically.
There are also different types of penetration tests, depending on the initial information that the auditor has. They can be:
white box: if they have all the information about the systems, applications and infrastructure, which lets them simulate an attack carried out by someone who knows the company and its systems;
gray box: if they have some information but not all;
black box: if they have no information about our systems; in this case, the test simulates what a third-party cybercriminal would do.
However, when we hire a pentesting service, in addition to agreeing on the purpose of the service, the object of the analysis and the kind of test we want carried out, we have to take into account some legal issues, as it is a “permitted” attack.
With this test, the auditor or the company hired will try to bypass the security measures of our computer equipment or our applications, putting at risk the functioning of the systems as well as the information they contain, which could be confidential, reserved or private.
Accessing these computers and their information would constitute criminal conduct unless it is done with the proper authorization. For this reason, the pentesting contract will include a clear and unequivocal authorization by the owner of the equipment and systems, permitting the breach of the organization’s security measures on certain perfectly identified computers, selected for the occasion.