Penetration testing looks to validate the risk posed by specific security vulnerabilities or malfunctioning processes. Frequent and more importantly, comprehensive penetration testing can help organisations reduce the impact of potential emerging security risks and prevent unauthorised access to critical systems and confidential information.
A penetration test, sometimes referred to as a pen-test or security assessment, has multiple objectives including:
- Evaluating an organisation’s ability to protect itself against internal and external cyber attacks.
- Assessing the security of an organisation’s assets by exploiting known and unknown vulnerabilities and configuration errors.
- Evaluating an organisation’s ability to detect and respond to successful cyber attacks and data breaches.
Penetration tests usually involve manual human testing and the use of automated technologies to systematically attempt to compromise business assets. Assets can include:
- The corporate or customer facing website.
- The IT infrastructure, such as a network device or wireless routers.
- A mobile app.
- A customer application, such as an online database.
- Business processes.
Why Use Us to Carry out Security Assessments?
We only utilise CREST-Certified CHECK Team Leaders with international experience for any of our engagements so that our clients benefit from the experience of the penetration tester, enabling us access to some of the elite penetration testers in the UK. It gives us peace of mind to know that our clients will have had a very comprehensive test by a vastly experienced and accredited penetration tester.
Types of Testing We Offer:
- Internal Infrastructure Testing (Domain wide – Black box testing ) – from zero knowledge with only physical access to one network port of your organisation, we attempt to compromise the network, grabbing password database, cracking and analysing the nature of passwords popular within the organisation, auditing the patch management policies, account policies, security settings and how group policy is faring against the server, desktop and other domain systems.
- Internal Infrastructure Testing (Focussed) – this testing differs from the above service with the exception of focussed testing on a set of systems. It does not involve any patch management, password cracking areas unless there is a compromise of systems in scope for test. This will provide a network footprint picture, along with any vulnerabilities associated with the software/services running on identified open ports.
- External Infrastructure Testing – a network infrastructure test performed over the internet. This is mainly performed against internet-facing servers, such as web servers, email servers, firewalls and other network devices.
- Web Application Security – mobile and web applications are tested for flaws in multiple areas. This includes input validation (injections such as SQL injection or Cross Site Scripting (XSS)), use of encryption, registration and authentication controls, authorisation and/or session management, application structure, password policies and business logic areas. All OWASP and SANS 25 top controls are covered in our methodology to ensure comprehensive testing is performed against client application.
- Hardening Review – build reviews are performed on the operating systems to prepare organisations for benchmarking internal hardening processes necessary before rolling out new builds or improve existing server operating systems.
- Device Reviews – this area covers auditing configurations from a hardening perspective against devices such as switches, routers and firewalls.
Reporting & Remediation:
Information about any security vulnerabilities successfully exploited through penetration testing is typically aggregated in report format and presented to your IT and information security systems managers to help make strategic decisions, and prioritise remediation work.