What is Penetration Testing?
It is a process in which a penetration tester takes on the role of an attacker (hacker) and tries to gain access to system data that does not belong to him. The difference between him and a real attacker is his motivation. While the hacker tries to find a way into the system for his own benefit (financial, political, or otherwise), the penetration tester aims to find as many ways as possible to get into the system and report them to its owner. The owner of the system thus learns where the potential vulnerabilities in his system are, and he has a chance to fix them based on the penetration test results.
These are the goals of the penetration testing service that we offer. A malicious attacker can attack any website created in the MUNI environment. That is why we try to detect as many vulnerabilities in these systems as possible in time. But we can't do it on our own initiative and without involving the system owners, in which case we would be no different from real attackers.
Who is it for?
Penetration testing is intended for anyone from the university who creates or manages a service (such as a website) available from the Internet and wants to verify whether it is sufficiently secure against potential attackers.
How Does it Work?
The process of penetration testing is initiated by the applicant. Due to the nature of testing, it is not possible to perform the service "proactively", and therefore it is necessary to agree with the interested party on the details of testing: what is part of the test, what to avoid, who to contact in case of critical findings, etc.
Once the details and the date of testing are agreed, the technical part itself follows. A team of testers will meet to perform a penetration test at the agreed time. The team then writes a report that is sent to the penetration testing applicant. This report contains all the findings described in both technical and "managerial" language so that it is possible to understand the overall security status of the tested system. It provides recommendations for technicians on what steps to take to improve this status.
If necessary, it is possible to request a retest to verify the successful correction of the errors found.
What not to Forget?
It is important to realize that penetration testing is a potentially destructive process. During testing, it is impossible to guarantee that the system will not experience a temporary outage or that data integrity will not be compromised. Therefore, we always ask interested parties to provide us with a copy of the system, preferably with simulated data, to ensure we cannot invade system users' privacy. Nowadays, with virtual machines and containerization, this is not a problem.
What to do if you are interested in penetration testing? Just contact us using the form on the page csirt.muni.cz, and then we will agree on the details of testing.