Penetration Testing looks to validate the risk posed by specific security vulnerabilities or malfunctioning processes. Frequent and, more importantly, comprehensive penetration testing can help organisations reduce the impact of emerging security risks and prevent unauthorised access to critical systems and confidential information.
A penetration test, sometimes referred to as a pen-test or security assessment, has multiple objectives including:
- Evaluating an organisation’s ability to protect itself against internal and external cyber attacks.
- Assessing the security of an organisation’s assets by exploiting known and unknown vulnerabilities and configuration errors.
- Evaluating an organisation’s ability to detect and respond to successful cyber attacks and data breaches.
Penetration Tests usually involve both manual human testing and the use of automated tools to systematically attempt to compromise business assets. Assets can include:
- The corporate or customer-facing website
- The IT infrastructure, such as network devices and wireless routers
- A mobile app
- A customer application, such as an online database
- Business processes
Why Use Us to Carry out Security Assessments
We only use CREST Certified CHECK Team Leaders with international experience for our engagements, so that our clients benefit from the experience of some of the elite Penetration Testers in the United Kingdom. It gives us peace of mind to know that our clients will have had a very comprehensive test by a vastly experienced and accredited penetration tester.
Types of Testing We Offer:
- Internal Infrastructure Testing (Domain-wide, black box testing) – This starts from zero knowledge, with only physical access to one network port of your organisation. We attempt to compromise the network, obtain the password database, crack and analyse the nature of passwords popular within the organisation, and audit the patch management policies, account policies, security settings and how group policy is faring across the server, desktop and other domain systems.
- Internal Infrastructure Testing (Focused) – This differs from the service above in that testing is focused on a defined set of systems. It does not involve patch management or password cracking areas unless a system in scope for the test is compromised. It provides a picture of the network footprint, along with any vulnerabilities associated with the software and services running on the identified open ports.
- External Infrastructure Testing – This is a network infrastructure test performed over the internet. This is mainly performed against internet facing servers such as web servers, email servers, firewalls, and other network devices.
- Web Application Security – Both mobile and web applications are tested for flaws in multiple areas. This includes input validation (injections such as SQL injection or Cross-Site Scripting (XSS)), use of encryption, registration and authentication controls, authorisation and session management, application structure, password policies and business logic. All OWASP and SANS Top 25 controls are covered in our methodology to ensure comprehensive testing is performed against the client’s application.
- Hardening Review – Build reviews are performed on operating systems to prepare the organisation for benchmarking the internal hardening processes needed before rolling out new builds or improving existing server operating systems.
- Device Reviews – This area covers auditing the configurations of devices such as switches, routers and firewalls from a hardening perspective.
Reporting & Remediation:
Information about any security vulnerabilities successfully exploited during penetration testing is typically aggregated in a report and presented to your IT and information security managers to help them make strategic decisions and prioritise remediation work.