Penetration Testing Explained
WHY DO WE NEED TO TEST FOR SECURITY HOLES IN OUR BUSINESS SYSTEMS AND APPLICATIONS?
Penetration Testing – what is it?
Penetration testing (also called pen testing or ethical hacking) is the process of probing for vulnerabilities (security holes) in your networks and applications.
Penetration testers are skilled and certified individuals who use a combination of tools, scripts and methods drawn from their own experience to demonstrate how vulnerable your infrastructure is.
It is essentially an orderly form of hacking in which the ‘attackers’ (certified professionals) are paid to act on your behalf to find and test weaknesses that criminals could exploit.
The subsequent report will then inform your choice of cyber security controls.
Vulnerabilities that cyber-attacks could exploit might result from:
Poor configuration;
Flaws in devices or software; or
Weaknesses in processes.
Experienced security professionals will mimic the techniques used by criminals, but without causing damage, enabling you to address the security flaws that leave your organisation vulnerable.
Why is penetration testing important?
Security audits conducted to identify vulnerabilities in your computer networks are critical to your organisation’s security.
An automated vulnerability assessment or scanning tool can give you valuable information about your security status, but cannot give you a proper understanding of the security issues you face.
Only a penetration test carried out by a trained security professional can do that.
New cyber security vulnerabilities are identified and exploited by criminals every week.
Previously patched vulnerabilities can also be reintroduced as your infrastructure or applications change over time.
To protect yourself, you should regularly conduct security testing to:
Identify security flaws so that you can resolve them or implement appropriate controls;
Ensure your existing security controls are effective;
Test new software and systems for bugs;
Discover new bugs in existing software;
Support your organisation’s compliance with the EU GDPR (General Data Protection Regulation) and DPA (Data Protection Act) 2018, and other relevant privacy laws or regulations;
Enable your conformance to standards such as the PCI DSS (Payment Card Industry Data Security Standard); and
Assure customers and other stakeholders that their data is being protected.
Types of penetration test
Different types of penetration testing will focus on different aspects of your organisation’s logical perimeter – the boundary that separates your network from the Internet.
Infrastructure (network) penetration tests
Infrastructure vulnerabilities include insecure operating systems and network architecture, such as:
Flaws in servers and hosts;
Misconfigured wireless access points and firewalls; and
Insecure network protocols (the rules that govern how devices such as modems, hubs, switches and routers communicate with each other).
Network penetration tests aim to identify and test these security flaws.
External infrastructure (network) penetration tests
Internal infrastructure (network) penetration tests
Wireless network penetration tests
Web application (software) penetration tests
Web application tests focus on vulnerabilities such as coding errors or software responding to certain requests in unintended ways.
These include:
Testing user authentication to verify that accounts cannot compromise data;
Assessing the web applications for flaws and vulnerabilities, such as XSS (cross-site scripting) or SQL injection;
Confirming the secure configuration of web browsers and identifying features that can cause vulnerabilities; and
Safeguarding database server and web server security.
Social engineering penetration tests
As technical security measures improve, criminals increasingly use social engineering attacks such as phishing, pharming and BEC (business email compromise) to gain access to target systems.
So, just as you should test your organisation’s technological vulnerabilities, you should also test your staff’s susceptibility to phishing and other social engineering attacks.
There is only one real remedy for social engineering attacks, though: education. Cyber Security Awareness Training Courses reduce the risk of your staff causing a security incident within your organisation, while testing your users helps you identify where the gaps in security knowledge and behaviour are and where to focus training.
References and Certifications
If you would like to speak to one of our existing customers, we are happy to arrange that. Please note that many customers wish to remain anonymous and not to serve as a reference, due to the sensitivity of the work we perform. Naturally, we always comply with our customers’ wishes. We do, however, have some clients who are happy to serve as references. Should you require validation of our consultants’ certifications, we can arrange that as well.
Our Security Consultants
All of our Security Consultants have at least 5 years of professional work experience. Many of our Security Consultants have worked with government and financial organisations. They hold the highest vendor and government certifications. Additionally, many of our consultants hold various active government clearance levels. Our consultants are certified and operate to Penetration Test compliance standards. All of our Penetration Testers and Security Consultants undergo an extensive vetting and background process before working at Primo Connect Limited. In fact, many of our consultants have either a law enforcement or intelligence service background.
International Penetration Testing Certifications:
Offensive Security Certified Expert (OSCE)
Offensive Security Certified Professional (OSCP)
Offensive Security Wireless Professional (OSWP)
Licensed Penetration Tester (LPT – EC-Council)
Certified Ethical Hacker (CEH – EC-Council)
Certified Security Analyst (ECSA – EC-Council)
Computer Hacking Forensic Investigator (CHFI – EC-Council)
Certified Information Systems Security Professional (CISSP – (ISC)²)
UK CREST Registered Penetration Tester
GIAC Certified Forensics Analyst (GCFA)
GIAC Exploitation Researcher & Advanced Penetration Tester (GXPN)
GIAC Reverse Engineering Malware (GIAC GREM)
INFOSEC – NSA Information Systems Security Professional
4011 Recognition – U.S. National Security Agency (NSA)
4013 Recognition – U.S. National Security Agency (NSA)
DoD Information Assurance Awareness