Penetration Testing

Penetration Testing


Your Vulnerability data is only as accurate as it is current 

Penetration tests offer a holistic test of complete security posture

Why use Penetration Testing / Ethical Hacking?


  • A regular risk-based assessment of your cyber security
  • Simulate creative thinking by a motivated a capable hacker
  • Tests determine how well your organisation's security policies protect your assets by trying to gain access to your network and information assets in the same way a hacker would. 
  • To support assessment of compliance 
  • Pre / Post go-live for a new system / application 
  • As an independent check on external service providers / vendors 

  • To support audit requirements 

  • As part of an incident response 

  • To exercise incident detection and escalation

  • Allows exercise of multiple mechanisms;
    • Intrusion detection 
    • Host-based security 
    • Security event logging 
    • Password strength 
    • Incident response 
    • Security awareness 
    • Security processes 
    • Patching processes 
    • Coding standards adherence 
    • True risk often emerges from a combination of lesser vulnerabilities.



Penetration Testing Service Types

  • Annual
  • Quarterly
  • Automated
  • On-demand
  • Subscription based
  • Remote and outside services


Benefits of Penetration Tests
  • Present the feasibility of an attack and the potential risks from such an event taking place.
  • Explain the business impact of the vulnerabilities being discovered and exploited by a malicious user.
  • Demonstrate what a hacker / malicious user would be able to achieve.
  • Expose issues which an automated scanner would not always identify.
  • Cover logic based applications (i.e. web applications) in depth from a user’s perspective.
  • Assess Vulnerabilities
  • Test Defenses
  • Comply with Regulations 

Internal & External Network Penetration Tests  
May include (but not limited to):

  • Databases
  • Operating Systems
  • Credential capture
  • Mainframes
  • Network Infrastructure
  • Middleware
  • Routers / switches / load-balancers
  • Single sign-on
  • Remote network access devices
  • Remote administration
  • Name /allocation services
  • Backup
  • Common Services
  • File sharing
  • Access control
  • Endpoint Devices
  • Cloud platforms


Internal Penetration Testing  

An internal security test takes place on the customers premises, where all systems including servers, workstation and network devices are accessible.

Internal tests can include wireless testing, firewall rules review, VOIP assessment, server forensic audits, architecture review and more.

Testers explore if your network is properly segmented using VLAN best practices.


External Testing 

External network security assessments are a one-off in-depth assessment of your externally facing, perimeter network. This can include testing for proper load balancing, SSL configurations, and DNS settings. These assessments are often conducted in conjunction with a web application test.



Internal
External
  • Network Vulnerability Scan
  • Validation of Scan Results
  • Manual Pen Testing
  • Most Exploitable Findings
  • Unauthenticated Web App Scanning
  • Layer 2 Testing (Broadcast, ARP)
  • Vertical Escalation
  • Segmentation Testing
  • Any Exploitable Vulnerabilities (Targets)
  • Horizontal Escalation (Targets)
  • Attack Chains
  • Data Exfiltration Testing
  • Enterprise Escalation
  • Testing From Client Subnets
  • Horizontal Escalation (Enterprise)
  • Any Exploitable Vulnerabilities (Enterprise)
  • Client Side / Browser Attacks
  • Advanced Protocol Attacks
  • Password Analysis
  • Network Vulnerability Scan
  • Unauthenticated Web App Scanning
  • Validation of Scan Results
  • Manual Pen Testing
  • Most Exploitable Findings
  • Any Exploitable Vulnerabilities
  • Vertical Escalation
  • Horizontal Escalation
  • Attack Chains
  • Escalation To Adjacent Systems
  • Limited Phishing
  • Client Side Attacks
  • Social Engineering
  • Custom Protocol Attacks
  • Escalation To Internal Network

How does Penetration Testing DIFFER from Vulnerability Scanning?

Vulnerability scanning evaluates a system for potential vulnerabilities or weak configurations, is largely automated and can only ever find a subset of security issues. Penetration testing, on the other hand, is a manual process performed by a human. A penetration tester will use tools as a part of their work, but they apply their human ingenuity to exploit vulnerabilities and illustrate what an attacker might be capable of when targeting a particular system.