Penetration testing is a valuable first step in identifying current vulnerabilities while demonstrating how attackers can significantly impact the client’s business.
Penetration testing services mimic an attacker’s intent on initiating unauthorized business transactions, accessing critical corporate client information, financial records and other sensitive information. By simulating logical attacks to systems, networks and applications our engineers provide an in-depth understanding of the security threats and methods of compromise.
The result is a detailed roadmap that helps our clients prioritize areas of weakness in their network perimeter or web applications. Penetration testing can be conducted in several ways. The most common variable is the amount of knowledge of the implementation details of the system being tested. “Black- box” testing assumes no prior knowledge of the infrastructure to be tested. In Black Box testing Industries engineers must first determine the location and the extent of the systems before commencing their analysis. At the other end of the spectrum, “white-box” testing requires complete knowledge of the client’s infrastructure to be tested, often including network diagrams, source code and IP addressing information.
Penetration Testing Methodology is a systematic, risk-based approach in which risk is a function of the severity of consequences of an undesired event, the likelihood of adversary attack, and the likelihood of adversary success in causing the undesired event. The Penetration Testing compares relative information security risks. If the risks are deemed unacceptable, recommendations can be developed for measures to reduce the risks. Although adversary characteristics generally are outside their control, clients can take steps to make themselves a less attractive target and reduce the likelihood of attack to their information assets.
Penetration Testing is designed to:
Combine the use of the sophisticated, up-to-date techniques used by ‘hackers’ and best-of-breed, proven, technical products with experienced professional staff to undertake a thoroughly planned and managed process of investigation.
Examine weaknesses that may be present, which could be exploited by an attacker aiming to compromise the confidentiality, integrity or availability of electronic systems and data.
Examine weaknesses in the installation of the systems, and advise the nominated technical representative/contact in procedures to correct and secure the service throughout the assessment process.
Propose solutions to monitor and audit the security of the application and critical infrastructure.
Testing may be performed with no prior knowledge of the site -“black-box”- or with full disclosure of the topology and environment –“white-box”. Testing typically involves a comprehensive analysis of publicly available information about the target, a network enumeration phase where target hosts, and security devices such as screening routers and firewalls are identified and analysed. Vulnerabilities of the target hosts within scope are then identified, verified, exploited and the implications are assessed.
A zero-knowledge test, performed by testers who have no real information about the target environment, is designed to provide the most realistic penetration test possible. It usually includes gathering a significant amount of information about the target system before launching the attack. A full-knowledge test, on the other hand, is performed with the tester having as much information about the target environment as possible. It is designed to simulate an attacker who has intimate knowledge of the target organization’s systems-such as a real employee.