
Penetration testing, or ethical hacking, comes in many shapes and forms: internal, external, white box and black box.

But the principal idea behind carrying out this type of assessment is to expose information security weaknesses by simulating an attacker attempting to circumvent security controls and gain unauthorized access. It should not be confused with a vulnerability assessment or ‘scan’, which you can find here.

All applications and platforms have vulnerabilities. A penetration test, or network pen test, should demonstrate the ability of the defensive systems to stop or slow down an attacker before they access sensitive information.

The benefit of performing a penetration test is that it is an excellent way to identify weaknesses in an organisation’s information security posture by proving concepts of weakness, which are then ranked in order of severity. This means your team can focus on the areas of concern, emphasise the importance of certain aspects in terms of business impact with management, or use the test as a way of exercising your disaster / incident response capabilities.

As part of a holistic security approach we strongly recommend that all aspects of your infrastructure be tested.

(attackers have no scope and will attack what they please)

Some of the types of penetration testing our professional testers can perform include:


Simulation of an attack by a malicious threat actor over the internet.

We avoid relying on automated or commercial tools during a penetration test, as this does not reflect real-world circumstances. Our methodology is briefly described below:

Penetration testing has a series of phases, and our methodology closely follows that of real attackers:

  • Good attackers don’t use expensive vulnerability scanners
  • Good attackers don’t use automated penetration testing
  • Good attackers don’t stop after the first successful exploit

What attackers look like (and we try to mimic closely)


Reconnaissance

Use of both passive and non-passive techniques to gather intel, largely for the purposes of system footprinting and identifying targets for social engineering.

We also gather technical information for use in later stages where we can find it.

Enumeration

Use of various commercial and open source tools to locate hosts, services, apps and vulnerabilities if they are publicly known. Search for management interfaces and any protection mechanisms that might be in place.

Exploitation

Exploit hosts and/or applications inside the scope with the intent of gaining access. Attempt to retrieve any sensitive information that might be available, and any associated increases in levels of access.

Escalation

Escalate privileges! Leverage the penetrated systems to get new access, quickly pivoting across the network and into other areas, repeating until either full access is achieved or we are detected. The point at which a breach is detected is the most valuable information gained from a penetration test.


Sometimes referred to as an ‘insider threat assessment’, but that doesn’t quite reveal the full picture or scope of this type of assessment.

The goal here is to discover how well your business responds to and protects itself from an active incident inside your network perimeter.

The strength of your crypto, network segmentation and detection capability will be put under intense scrutiny.

It can be based on a number of assumptions, to simulate activity such as:

  • A staff member, contractor or individual intentionally or unintentionally allows or commits malicious activity inside your perimeter.
  • A staff member or contractor falls victim to a spearphishing attack.
  • Countless other scenarios that may result in a perimeter breach.

Many businesses partner closely with other firms, including sharing information assets or resources.

What would happen if one of your business partners, subsidiaries or another party with access to the corporate file server was breached?

The trust given to the third party could be leveraged against your business, too – our expert penetration testers can simulate and test your vulnerability and response capabilities.

Red Team Penetration Testing

An assessment of all assets and their strengths and weaknesses. Our testers can identify real-world weaknesses in your physical, electronic and social defences, business processes and structure, which allows us to discover your level of defence against a variety of attacks, ranging from, for example, teenagers wanting to cause trouble through to sophisticated attacks.


We are able to test software applications and mobile apps (iOS & Android) to assess their exposure to external threats and how these vulnerabilities could potentially lead an attacker into your network or database.

If you’re processing payments on mobile, or collecting sensitive customer information, you need to have your app independently verified.
