Protecting your organisation's IT infrastructure, data and reputation is now more critical than ever to its success. Security testing (including penetration testing) is designed to detect vulnerabilities in a system or infrastructure that could be exploited by unauthorised users.
A key part of this is security testing. We offer three types of testing as standard, along with bespoke engagements:
Web Application Penetration Testing
This is a comprehensive security review of web and mobile applications to uncover vulnerabilities and weak or missing security controls. During the test we will attempt to exploit any weaknesses and insecure functionality within the application, rather than only reporting that they appear to exist.
The test also covers the web-facing infrastructure that supports the application, including your servers and network devices.
These tests can cover websites, custom-built and mobile applications, and off-the-shelf applications such as SharePoint, intranet portals and Exchange.
External Penetration Testing
This test simulates an attack against your business from outside your network. Three methodologies can be applied:
- Blind (black box) – the client provides no information, so the tester sees only what a real external attacker would see.
- Clear (white box) – the client provides full information. This is often the best value, because the tester spends little time on reconnaissance and more of the engagement on actual testing.
- Opaque (grey box) – somewhere in the middle; the client decides how much information to provide.
The test is designed to identify weaknesses and vulnerabilities that could be exploited to gain unauthorised access to your systems, assets and data. This test is often referred to as an External Network Penetration Test.
Internal Penetration Testing
This test focuses on your internal network and models what an attacker could do once they have a foothold, for example via a phishing email, a compromised router, or a lost or stolen machine. The attacker may also be an insider, such as a current or former employee. Social engineering is a common entry route for both real attackers and testers.
The purpose of the test is to identify vulnerabilities, such as misconfigured systems, that could allow an employee or other user to access, remove or delete confidential information and data held on your network. Common weak points include wireless networks, mobile devices, and cloud-based storage and applications.
All of our tests simulate a real attack, using the techniques and tooling of real-world attackers. The tester combines their own methodology and experience with current commercial and open-source tools.
Vulnerability Assessment
An effective vulnerability assessment programme allows an organisation to understand its security weaknesses, assess the risks associated with those weaknesses, and put protections in place that reduce the likelihood of a breach. Conducted on a regular basis, vulnerability assessments help ensure the security of networks, particularly when changes have been made such as adding new services, installing new equipment, opening new ports or moving to the cloud. Each assessment provides the organisation with information about weaknesses in its environment, offers fresh insight into degrees of risk, and suggests ways to mitigate the risks associated with those weaknesses and evolving threats.
The difference between a vulnerability assessment and a penetration test is depth. A vulnerability assessment enumerates potential weaknesses; a penetration test then attempts to exploit them to confirm whether they are realistically attackable, which also weeds out the false positives that automated scanners inevitably produce. Vulnerability assessments are well suited to internal networks: there can be hundreds, if not thousands, of devices, and it is not cost effective to penetration test each one, whereas a vulnerability assessment is largely automated and can be run repeatedly with little human intervention.
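One practical way to get value from a recurring vulnerability assessment is to diff each scan against the previous baseline, so that the changes the paragraph above mentions (new services, new equipment, opened ports) surface immediately, and to hand only the new exposures that merit hands-on validation to a penetration tester. The script below is an added example, not the page's or any product's code: it parses two constructed snapshots in a simplified form of nmap's grepable (-oG) output, reports new hosts, new and closed ports and version changes, and queues new services on a hypothetical watchlist for manual testing. The hosts, ports and versions are invented sample data, and the watchlist is an assumption for illustration.

```python
"""Baseline diff for recurring vulnerability assessments (added example)."""

# Constructed sample: last week's baseline scan (not real hosts or data).
# Format is a simplified nmap -oG style: port/state/proto/owner/service/rpc/version/
BASELINE = """\
# Nmap scan (constructed sample)
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 443/open/tcp//https//nginx 1.24.0/
Host: 10.0.0.7 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/
"""

# Constructed sample: this week's scan after changes were made on the network.
CURRENT = """\
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 443/open/tcp//https//nginx 1.25.3/, 8080/open/tcp//http-proxy//Apache Tomcat 9.0.1/
Host: 10.0.0.7 ()\tPorts: 445/open/tcp//microsoft-ds//, 3389/closed/tcp//ms-wbt-server///
Host: 10.0.0.9 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.5/, 22/open/tcp//ssh//OpenSSH 9.6p1/
"""

# Assumed watchlist: services that usually deserve manual (pen-test style)
# validation when they newly appear, rather than just a scanner finding.
WATCHLIST = {"ftp", "telnet", "microsoft-ds", "ms-wbt-server", "vnc", "http-proxy"}


def parse_grepable(text):
    """Return {host: {(port, proto): (service, version)}} for open ports only."""
    hosts = {}
    for line in text.splitlines():
        # Skip comments and the "Status: Up" lines that carry no port data.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].strip()
        open_ports = hosts.setdefault(host, {})
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue  # malformed entry; ignore rather than crash the run
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            if state != "open":
                continue
            open_ports[(int(port), proto)] = (service, version)
    return hosts


def diff_snapshots(baseline, current):
    """Compare two parsed snapshots and return what changed, grouped by kind."""
    changes = {"new_hosts": [], "new_ports": [], "closed_ports": [], "version_changes": []}
    for host, ports in current.items():
        old = baseline.get(host)
        if old is None:
            changes["new_hosts"].append(host)
            old = {}
        for (port, proto), (service, version) in sorted(ports.items()):
            if (port, proto) not in old:
                changes["new_ports"].append((host, port, proto, service, version))
            elif old[(port, proto)][1] != version:
                changes["version_changes"].append((host, port, proto, old[(port, proto)][1], version))
        for (port, proto) in sorted(old):
            if (port, proto) not in ports:
                changes["closed_ports"].append((host, port, proto))
    return changes


def manual_validation_queue(changes):
    """New exposures worth a tester's time: watchlisted services (assumed list)."""
    return [f for f in changes["new_ports"] if f[3] in WATCHLIST]


def report(changes):
    """Render the diff as plain text lines for a human reader."""
    lines = [f"New hosts: {', '.join(changes['new_hosts']) or 'none'}"]
    for host, port, proto, service, version in changes["new_ports"]:
        lines.append(f"NEW    {host}:{port}/{proto} {service} {version}".rstrip())
    for host, port, proto in changes["closed_ports"]:
        lines.append(f"CLOSED {host}:{port}/{proto}")
    for host, port, proto, old, new in changes["version_changes"]:
        lines.append(f"CHANGE {host}:{port}/{proto} {old} -> {new}")
    lines.append("Queue for manual validation:")
    for host, port, proto, service, _version in manual_validation_queue(changes):
        lines.append(f"  {host}:{port}/{proto} ({service})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(diff_snapshots(parse_grepable(BASELINE), parse_grepable(CURRENT)))))
```

Run as-is to see the report for the constructed data; in practice you would feed it two real scan files. Note that the diff treats a host that has vanished from the current scan as unchanged, so a decommissioned (or merely switched-off) device does not show up as "closed"; whether that is the behaviour you want is a policy decision, not something the script can decide for you.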