Pentesting 101 – what you should know?

The big majority of attacks performed over the systems available via Internet are made in the application layer due to the easiness of launching an attack and the lack of app protection. For verifying the security of IT infrastructures an audit is carried out, but this action is insufficient in many situations in determining the ways an attacker can abuse and corrupt services or applications. Pentesting is the most efficient way of verifying the effectiveness of security measures because this will allow real time protection in case of an attack.

penetration-testing ccsir

The pentests should be made as much as possible before launching the application in a productive environment, after the functionality and efficiency has been tested, in order to identify early on the vulnerabilities that could lead to an information leak, blocking the access to the application or total corruption of the systems.

In order to make a pentest successful the next steps should be followed:

  • Planning and preparing
  • Collecting and analysing information
  • Detecting vulnerabilities
  • The actual attack against systems
  • Reporting and analysing vulnerabilities that were found
  • Cleaning applications and systems

Approaching the tested infrastructure can be made in many ways according to the client objective, the only thing that is different between them is the information received from the client. In this way we can make three kinds of tests:

  • Black box: simulate a real attack from outside based only on public information, with low aggressivity for detecting the sensibility and rate of detection by implemented security systems
  • Grey box: the pentester has limited information from the client and the rest also from public source
  • White box: the client offers inside information for the systems and application targeted or offers a copy of them, in a controlled environment, so the tests can be more aggressive and this way you can review each component even if they can be public accessed or not

A penetration test cannot offer you a complete overview over the system or network security, this being the main reason of tests made within a predefined period of time. The undiscovered vulnerabilities during the pentest or those that can appear after updates, the installation of a new software or reconfigurations of the system can lead to new security holes. This is the main reason that periodic pentests and security audits along with monitoring constantly are the most efficient ways to prevent security issues.

The efficiency of signature detection

It has been more than 20 years since the discovery of first efficient method for detecting and eliminating general threats or infections for regular computer users. This method uses signature detection, both in antivirus type software and in IPS systems (two resembling solutions but used in different environments).

The efficiency of signature detection

Old fashion signature protection

The biggest problem of antivirus software developing companies is convenience. Since the early 2000s there has been noticed a disturbing trend – all the companies measured the quality and efficiency of detecting viruses by the number of signatures they owned and apparently is still the same, although this software rather offers a fake feel of protection because you can’t protect a system from a new threat that doesn’t exist in their signature database.
Unfortunately, the number of signatures grows day by day increasing the resource usage (CPU, RAM, etc.) of the software even if they are trying to implement cloud solutions.

It’s interesting how nowadays, an era dominated by advanced technology, “the bad guys” have a big advantage over the security companies using well-known methods (see polymorphism) to bypass this old and outdated detection system. The time of those who created malware software for fame and respect in the underground world has passed and now became one of the most important ways of obtaining private information. This way the attackers may get substantial financial benefits. Some are building careers from malware software development and more, the majority of the attacks aren’t carried by one individual but by organized groups and sometimes by resourceful institutions.

signature detection

How IPS solutions protect your infrastructure, in numbers

Yet, I have bigger reserves in talking about IPS solutions manufacturers. Let’s take, for example, an IPS that gives 4500 signatures for protecting your network; from all of these signatures probably just about 20% are useful because it’s less likely to have this big number of solutions from companies like IBM, Sophos, Cisco, HP, Dell, Oracle, Symantec, AOL, etc. in one place (I read some names from the signature list). Theoretically they have cover most of the known problems and this is the reason why they give us this diversity. Now, from the ~1000 useful signatures, if you have a company with more than 3000 employees with high internet traffic, there are chances that only ~35% of that amount of signatures are usable. The danger of many signatures is marked as “critical” (60%), having an “High-performance impact” on the network and this is why they can’t even be placed in “Logging mode” because they will stop the system activity. The rest of 40% are marked like “Low-Medium performance impact” and they should reach first in “Logging mode”(because the information from the producer is not always 100% accurate) to see exactly the impact made on the network and after that you can put them in “Blocking mode”. So effectively how many of the 4500 signatures are really useful? Little to protect yourself in a real way and considering an investition of this type.

Case study

The future of online security stays in systems based on file behavior analysis, executed and observed in a controlled environment. I can give you an example from one of my personal research: from few thousands(~8000) of detections(only .exe files) for a period of 9 months by a firewall executing a behavior analysis, only ~17.5% were detected by antivirus software! And speaking of statistics, did you knew that 80% of Carberp infected computers ran daily updated antivirus software?


Of course this is a topic of bigger complexity, we can talk much more about it and get into deep branches of this field, but I only wanted to point your attention to this, in my opinion one of the biggest global issues right now.

How You Can Become a Member of CCSIR?

The membership role of the Cyber ​​Security Research Center from Romania is a special status obtained by the people who are involved in the organisation projects. All the members embrace our vision and have deep experience in the cyber security space, both offensive and defensive approaches.

become a member of ccsir

CCSIR Member Benefits

As a member you have some benefits, such as:

  • access to a group of highly technical people;
  • access to our internal research topics and discussions;
  • access to our network of information security specialists;
  • access to build and promote your security related projects through our international network;
  • financial, human, logistic and hardware resources to get your security related project done;
  • the ability to publish INFOSEC related articles to the community, both romanian and international one;
  • discounts or free access to different training programs, private and public meetings or conferences organised by CCSIR and partners

Still intereted

Find out more.


Cyber Security Research Center from Romania(CCSIR) is a Non-Governmental Organization with the sole purpose of promoting, supporting, implementation and coordination of security research in the information security field in Romania, as well as international actions with short, medium and long term partnerships in the information security arena.