Penetration Testing

Your vulnerability data is only as accurate as it is current

Penetration tests offer a deep holistic test of your complete security posture from world-class security practisioners


Hackers are becoming smarter and more dangerous daily. A cyber breach can result in not only financial loss, but also data and intellectual property leakage and a damaged reputation. The devastation caused to a company from a single hack can be unrecoverable

Why you should use a penetration testing / ethical hacking service?

  • Tests are mandated by industry regulatory compliance bodies such as PCI, ISO, HIPAA
  • Present the feasibility of an attack and the potential risks from such an event taking place
  • Explain the business impact of the vulnerabilities being discovered and exploited by a malicious user
  • Demonstrate what a hacker / malicious user would be able to achieve
  • Expose issues which an automated scanner would not always identify 
  • A regular risk-based assessment of your cyber security

    •
  • Simulate creative thinking by a motivated a capable hacker

    •
  • Tests determine how well your organisation's security policies protect your assets by trying to gain access to your network and information assets in the same way a hacker would
  • Pre / Post go-live for a new system / application
  • As an independent check on external service providers / vendors
  • To support audit requirements 

    •
  • As part of an incident response 

    •
  • To exercise incident detection and escalation

  • Allows exercise of multiple mechanisms;
  • Intrusion detection Host-based security
  • Security event logging
  • Password strength
  • Incident response
  • Security awareness
  • Security processes
  • Patching processes
  • Coding standards adherence
  • True risk often emerges from a combination of lesser vulnerabilities.





Penetration Testing Service Types

  • Annual
  • Quarterly
  • Automated
  • On-demand
  • Subscription based
  • Remote and outside services


Benefits of Penetration Tests
    > Identifies vulnerabilities and risks in

    your networking infrastructure

    > Provides detailed remediation steps

    to prevent network compromise

    > Validates the effectiveness of current security safeguards

    > Present the feasibility of an attack and the potential risks from such an event taking place

    > Explain the business impact of the vulnerabilities being discovered and exploited by a malicious user

    > Demonstrate what a hacker / malicious user would be able to achieve

    > Expose issues which an automated scanner would not always identify
    > Cover logic based applications (i.e. web applications) in depth from a user’s perspective

    > Helps protect the integrity of  online assets

    > Supports efforts to achieve and  maintain compliance with industry and government regulations

    > Conducts real-life demonstrations of  covert and hostile activities typical  of malicious attackers’ attempts to compromise perimeter devices and  security controls

    > Network discovery and  reconnaissance - extensive inspection of online hosts and services to  identify issues or vulnerabilities that can lead to exploitation


    Internal & External Network Penetration Tests  
    May include (but not limited to):

    • Databases
    • Applications
    • Operating Systems
    • Credential capture
    • Mainframes
    • Network Infrastructure
    • Middleware
    • SCADA systems
    • Routers / switches / load-balancers
    • Single sign-on
    • Remote network access

    • Wireless networks
    • Mobile device testing 
    • VoIP systems
    • Remote administration
    • Name /allocation services
    • Backup
    • Common Services
    • File sharing
    • Access control
    • Endpoint Devices
    • Cloud platforms


    Internal Penetration Testing  
    An internal security test takes place either on the customers premises or partly run remotely, where all systems including servers, workstation and network devices are accessible.

    Internal tests can include wireless testing, firewall rules review, VOIP assessment, server forensic audits, architecture review and more.

    Testers explore if your network is properly segmented using VLAN best practices.

    External Testing 

    External network security assessments are usually run off-site against your internet-facing system components and perimeter network. This can include testing for proper load balancing, SSL configurations, and DNS settings.

    Verify that public documents are stripped of any potentially useful sensitive information, DNS records and public information gained through search engines cannot be used to bypass any security functionality on employee portals such as webmail, VPNs or collaborative software.

    These assessments are often conducted in conjunction with a web application test.


    Internal
    External
    • Network Vulnerability Scan
    • Validation of Scan Results
    • Manual Pen Testing
    • Most Exploitable Findings
    • Unauthenticated Web App Scanning
    • Layer 2 Testing (Broadcast, ARP)
    • Vertical Escalation
    • Segmentation Testing
    • Any Exploitable Vulnerabilities (Targets)
    • Horizontal Escalation (Targets)
    • Attack Chains
    • Data Exfiltration Testing
    • Enterprise Escalation
    • Testing From Client Subnets
    • Horizontal Escalation (Enterprise)
    • Any Exploitable Vulnerabilities (Enterprise)
    • Client Side / Browser Attacks
    • Advanced Protocol Attacks
    • Password Analysis
    • Network Vulnerability Scan
    • Unauthenticated Web App Scanning
    • Validation of Scan Results
    • Manual Pen Testing
    • Most Exploitable Findings
    • Any Exploitable Vulnerabilities
    • Vertical Escalation
    • Horizontal Escalation
    • Attack Chains
    • Escalation To Adjacent Systems
    • Limited Phishing
    • Client Side Attacks
    • Social Engineering
    • Custom Protocol Attacks
    • Escalation To Internal Network



    How does Penetration Testing DIFFER from Vulnerability Scanning?

    Vulnerability scanning evaluates a system for potential vulnerabilities or weak configurations, is largely automated and can only ever find a subset of security issues. Penetration testing, on the other hand, is a mix of manual, automated and custom script processes performed by humans. A penetration tester will use tools as a part of their work, but they apply their human ingenuity to exploit vulnerabilities and illustrate what an attacker might be capable of when targeting a particular system.