© White Hack | Privacy Policy
All applications and platforms have vulnerabilities. A penetration test (or network pen test) should demonstrate the ability of your defensive systems to stop or slow down an attacker before they obtain sensitive information.
The principal idea behind carrying out this type of assessment is to expose information security weaknesses by simulating an attacker attempting to circumvent security controls and gain unauthorised access. It should not be confused with a vulnerability assessment or ‘scan’, which is described separately.
The benefit of a penetration test is that it identifies weaknesses in an organisation's information security posture by proving each weakness with a working demonstration and then ranking the findings by severity. Your team can then focus on the areas of greatest concern, use the business impact of each finding to make the case to management, and use the exercise to test your disaster recovery and incident response capabilities.
As part of a holistic security approach we strongly recommend that all aspects of your infrastructure be tested: attackers do not respect a scope and will attack whatever they please.
Some of the types of penetration testing our professional testers can perform include:
Simulation of an attack by a malicious threat actor over the internet.
We avoid relying solely on automated or commercial tools during a penetration test, as that does not reflect real-world circumstances. Our methodology is briefly described below:
Penetration testing has a series of phases, and our methodology closely follows that of real attackers:
What attackers look like (and we try to mimic closely)
Use of both passive and active techniques to gather intelligence, largely for the purposes of footprinting systems and identifying targets for social engineering.
We also gather technical information for use in later stages where we can find it.
Use of various commercial and open source tools to locate hosts, services, applications and any publicly known vulnerabilities affecting them. We also search for management interfaces and for any protection mechanisms that might be in place.
Exploit hosts and/or applications inside the scope with the intent of gaining access, retrieving any sensitive information that might be available and any associated increase in level of access.
Escalate privileges! Leverage the compromised systems to gain new access, pivoting quickly across the network into other areas and repeating until either full access is achieved or we are detected. The point at which the breach is detected is the most valuable piece of information a penetration test yields.
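The enumeration step above (locate hosts and services, then pick out the management interfaces an attacker would try first) is easy to show in code. The following is an added example written for this page, not White Hack's own tooling: it parses nmap's "grepable" (-oG) output format and flags remote-management services. The scan text, addresses and hostnames are constructed so the example runs offline, and the port/service tables are an assumed heuristic, not an exhaustive list.

```python
import re
from dataclasses import dataclass

# Constructed sample in nmap's grepable (-oG) format so the example runs
# offline. Addresses are in the 203.0.113.0/24 documentation range and the
# hostnames are made up; this is not a real scan result.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -sU -oG - 203.0.113.0/28
Host: 203.0.113.10 (www.example.test)\tStatus: Up
Host: 203.0.113.10 (www.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 443/open/tcp//ssl|https//nginx/\tIgnored State: filtered (997)
Host: 203.0.113.12 ()\tStatus: Up
Host: 203.0.113.12 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/, 445/open/tcp//microsoft-ds///, 5985/open/tcp//http//Microsoft HTTPAPI httpd 2.0/
Host: 203.0.113.13 (mgmt.example.test)\tPorts: 8443/open/tcp//ssl|https-alt//Apache Tomcat/, 161/open/udp//snmp///, 23/closed/tcp//telnet///
# Nmap done -- 16 IP addresses (3 hosts up) scanned
"""

# Assumed heuristic tables: services and ports that are remote-management
# surfaces and therefore early targets for password spraying or known exploits.
MANAGEMENT_SERVICES = {
    "ssh": "SSH remote shell",
    "telnet": "Telnet remote shell (cleartext)",
    "ms-wbt-server": "Remote Desktop (RDP)",
    "snmp": "SNMP device management",
    "wsman": "WinRM",
}
MANAGEMENT_PORTS = {
    (5985, "tcp"): "WinRM over HTTP",
    (5986, "tcp"): "WinRM over HTTPS",
    (8443, "tcp"): "HTTPS alternate port (often an admin console)",
    (10000, "tcp"): "Webmin",
}
# Services whose transport is cleartext or whose default auth is weak.
CLEARTEXT_SERVICES = {"telnet", "snmp"}
CLEARTEXT_PORTS = {(5985, "tcp")}


@dataclass(frozen=True)
class OpenPort:
    host: str
    hostname: str
    port: int
    proto: str
    service: str
    version: str


def parse_gnmap(text):
    """Return one OpenPort per open port in nmap -oG output.

    Each 'Ports:' entry is port/state/proto/owner/service/rpcinfo/version/,
    entries separated by ', '; fields on a Host line are tab separated.
    """
    results = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        m = re.match(r"Host:\s+(\S+)\s+\(([^)]*)\)", fields[0])
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 7:
                    continue  # malformed entry; skip rather than guess
                port, state, proto, _owner, service = parts[:5]
                version = "/".join(parts[6:]).rstrip("/")
                if state != "open":
                    continue  # closed/filtered ports are not targets
                results.append(OpenPort(ip, hostname, int(port), proto, service, version))
    return results


def find_management_interfaces(open_ports):
    """Flag management interfaces; cleartext/weak-auth ones are listed first."""
    findings = []
    for p in open_ports:
        # nmap writes tunnelled services as 'ssl|https'; match on the inner name.
        svc = p.service.split("|")[-1]
        label = MANAGEMENT_SERVICES.get(svc) or MANAGEMENT_PORTS.get((p.port, p.proto))
        if not label:
            continue
        cleartext = svc in CLEARTEXT_SERVICES or (p.port, p.proto) in CLEARTEXT_PORTS
        findings.append({"host": p.host, "port": p.port, "proto": p.proto,
                         "what": label, "version": p.version, "cleartext": cleartext})
    return sorted(findings, key=lambda f: (not f["cleartext"], f["host"], f["port"]))


if __name__ == "__main__":
    for f in find_management_interfaces(parse_gnmap(SAMPLE_GNMAP)):
        flag = "CLEARTEXT " if f["cleartext"] else ""
        print(f"{f['host']}:{f['port']}/{f['proto']}  {flag}{f['what']}  {f['version']}")
```

On the constructed sample this reports five management interfaces out of eight open ports (the closed Telnet port is ignored), with WinRM over HTTP and SNMP listed first because their transport is cleartext. Feed it `nmap -sV -oG - <range>` output to reproduce the enumeration step against your own scope.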
Sometimes referred to as an ‘insider threat assessment’, but that doesn’t quite reveal the full picture or scope of this type of assessment.
The goal here is to discover how well your business responds to and protects itself from an active incident inside your network perimeter.
The strength of your cryptography, network segmentation and detection capability will be put under intense scrutiny.
It can be based on a number of assumptions, to simulate activity such as:
Many businesses partner closely with other firms, including sharing information assets or resources.
What would happen if one of your business partners, subsidiaries or another party with access to the corporate file server was breached?
The trust given to the third party could be leveraged against your business too – our expert penetration testers can simulate this and test both your exposure and your response capabilities.
An assessment of all assets and their strengths and weaknesses. Our testers can identify real-world weaknesses in your physical, electronic and social controls and in your business processes and structure, which allows us to discover your level of defence against a variety of attacks, ranging from teenagers wanting to cause trouble through to sophisticated, targeted attacks.
We are able to test software applications and mobile apps (iOS and Android) to assess their exposure to external threats and how these vulnerabilities could potentially lead an attacker into your network or database.
If you’re processing payments on mobile, or collecting sensitive customer information, you need to have your app independently verified.