What is a penetration test?
A penetration test is the process of actively evaluating your information security measures. Note the emphasis on ‘active’ evaluation: the information systems are tested to find any security issues, as opposed to a solely theoretical or paper-based audit.
Vulnerability Assessment vs. Penetration Test
A Vulnerability Assessment is a process of identifying and analyzing a system or network for any potential vulnerabilities, flaws or weaknesses that could leave it open to exploitation.
It is performed using:
- Full credentials supplied, or limited to basic user credentials, depending on the level of test.
- Full access to network diagrams and schematics.
- Full access to configuration scripts and files.
A Penetration Test is essentially an evaluation of a system's or network's current state of security and its likelihood of being susceptible to a successful attack by a malicious hacker or nefarious user. The process involves enumeration and scanning for any technical flaws or vulnerabilities. After such flaws are found, attempts are made to penetrate the network and gain a foothold. Once this has been established, attempts are made to utilize trusts and relationships to gain further ingress into the domain.
Type of Test:
- White-Box
The testing team has complete carte blanche access to the testing network and has been supplied with network diagrams, hardware, operating system and application details etc. prior to the test being carried out. This does not equate to a truly blind test, but it can speed up the process a great deal and leads to more accurate results being obtained. The amount of prior knowledge leads to a test targeting the specific operating systems, applications and network devices that reside on the network, rather than spending time enumerating what could possibly be on the network. This type of test equates to a situation whereby an attacker may have complete knowledge of the internal network.
- Black-Box
The testing team has no prior knowledge of the company network. An example of this is when an external web-based test is to be carried out and only the details of a website URL or IP address are supplied to the testing team. It would be their role to attempt to break into the company website/network. This would equate to an external attack carried out by a malicious hacker.
- Grey-Box
The testing team would simulate an attack that could be carried out by a disgruntled, disaffected staff member. The testing team would be supplied with a user account with appropriate user-level privileges, and access to the internal network would be permitted by relaxing specific security policies present on the network, i.e. port-level security.
Why conduct a penetration test?
From a business perspective, penetration testing helps safeguard your organization against failure, through:
- Preventing financial loss through fraud (hackers, extortionists and disgruntled employees) or through lost revenue due to unreliable business systems and processes.
- Proving due diligence and compliance to your industry regulators, customers and shareholders. Non-compliance can result in your organization losing business, receiving heavy fines, gathering bad PR or ultimately failing. At a personal level it can also mean the loss of your job, prosecution and sometimes even imprisonment.
- Protecting your brand by avoiding loss of consumer confidence and business reputation.
From an operational perspective, penetration testing helps shape information security strategy through:
- Identifying vulnerabilities and quantifying their impact and likelihood so that they can be managed proactively; budget can be allocated and corrective measures implemented.
What should be tested?
Ideally, your organization should have already conducted a risk assessment, and so will be aware of the main threats (such as communications failure, e-commerce failure, loss of confidential information etc.), and can now use a security assessment to identify any vulnerabilities that are related to these threats. If you haven’t conducted a risk assessment, then it is common to start with the areas of greatest exposure, such as the public-facing systems: web sites, email gateways, remote access platforms etc.
Sometimes the ‘what’ of the process may be dictated by the standards that your organization is required to comply with. For example, a credit-card handling standard (like PCI) may require that all the components that store or process card-holder data are assessed.
What to do to ensure the project is a success?
The scope should be clearly defined, not only in the context of the components to be (or not to be) assessed and the constraints under which testing should be conducted, but also the business and technical objectives. For example, penetration testing may be focused purely on a single application on a single server, or may be more far-reaching, including all hosts attached to a particular network.
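A scope defined this way can be written down in machine-checkable form so that every target is verified against it before any testing activity. The following is an added example, not part of the original page; the `SCOPE` layout, the function names and the testing-window constraint are assumptions chosen for illustration, and the addresses are constructed from documentation ranges.

```python
import ipaddress
from datetime import datetime, time

# Constructed sample scope; all addresses are documentation ranges (RFC 5737).
SCOPE = {
    "objective": "Assess the public-facing web tier",
    "in_scope": ["192.0.2.0/24", "198.51.100.10/32"],
    "out_of_scope": ["192.0.2.128/25"],   # exclusions take precedence over in_scope
    "window": (time(22, 0), time(6, 0)),  # agreed testing hours; wraps past midnight
}

def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def in_window(when, window):
    """True if `when` falls inside the agreed window (start inclusive, end exclusive)."""
    start, end = window
    t = when.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end  # window spans midnight

def check_target(target, when, scope=SCOPE):
    """Return (allowed, reason) for one address at one point in time."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Hostnames are rejected: resolve them and confirm ownership out of band.
        return False, "not an IP address"
    if any(addr in n for n in _nets(scope["out_of_scope"])):
        return False, "explicitly excluded"
    if not any(addr in n for n in _nets(scope["in_scope"])):
        return False, "not listed in scope"
    if not in_window(when, scope["window"]):
        return False, "outside agreed testing window"
    return True, "in scope"

if __name__ == "__main__":
    night = datetime(2024, 1, 1, 23, 0)
    for host in ["192.0.2.10", "192.0.2.200", "203.0.113.5", "www.example.com"]:
        print(host, check_target(host, night))
```

The check denies by default: an address that is neither listed nor excluded is refused, which matches a scope that names both what is and what is not to be assessed.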
To receive your Penetration Test, please submit your payment of $999.00