Penetration testing provides the attacker's ("hacker's") perspective from both inside and outside the network perimeter. Our security testing specialists attempt to infiltrate the client's network, systems and applications using not only common tools and techniques, but also specialized tooling and less expected methods such as social engineering and combined, multi-vector attacks. The result is a detailed report identifying the key vulnerabilities found and the recommended protective measures: an action plan to improve the organization's security posture.
Penetration testing confirms that a vulnerability is exploitable in practice by using it to gain unauthorized access to the target or, only where the client has explicitly agreed to it, to create a denial-of-service condition by causing the target to fail. A failed exploitation attempt does not prove that the vulnerability is absent. Penetration tests are generally performed after a vulnerability assessment (VA) to confirm the vulnerabilities it identified, but they can also be performed on their own using known exploits. When a penetration test follows a VA, we use the VA results to identify, prioritize and select the attack vectors most likely to succeed. Vulnerabilities are assembled into candidate attack vectors and ranked by the likelihood of success and the level of access a successful exploit would provide on the vulnerable system, producing an overall attack strategy.
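The ranking step described above can be made concrete. The following is an added example, not the service provider's own tooling: it scores individual VA findings by likelihood of success times the access they yield, then chains findings whose prerequisite access has already been gained into multi-step attack vectors and ranks the chains that reach the agreed exit criterion. The findings, hosts, the 0-1 likelihood scale and the access-level weights are constructed assumptions for illustration.

```python
"""Rank vulnerability-assessment (VA) findings into candidate attack vectors.

Added example, not the service provider's own tooling. The findings, the
0-1 likelihood scale and the access-level weights are constructed
assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Ordinal weight for the access a successful exploit yields (assumption:
# higher means closer to a typical agreed exit criterion). "none" is the
# starting position of an unauthenticated attacker.
ACCESS_WEIGHT = {
    "none": 0,
    "information_disclosure": 1,
    "user": 2,
    "admin": 3,
    "domain_admin": 4,
}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln: str
    likelihood: float  # assessed chance (0-1) that a known exploit works here
    access: str        # access level gained on success (key of ACCESS_WEIGHT)
    requires: str      # access level needed before this finding is usable


def score(f: Finding) -> float:
    """Likelihood of success weighted by the access the finding provides."""
    return f.likelihood * ACCESS_WEIGHT[f.access]


def rank_vectors(findings: List[Finding]) -> List[Finding]:
    """Rank individual findings, ignoring what each one requires first."""
    return sorted(findings, key=score, reverse=True)


Chain = Tuple[float, str, List[Finding]]  # (combined likelihood, access reached, steps)


def build_chains(findings: List[Finding], max_depth: int = 3) -> List[Chain]:
    """Enumerate multi-step vectors: a foothold usable from "none", followed by
    steps whose prerequisite is already held and that raise the access level.
    Combined likelihood is the product of the steps' likelihoods (assumes the
    steps are independent, which is an approximation)."""
    chains: List[Chain] = []

    def extend(chain: List[Finding], reached: str, likelihood: float) -> None:
        if chain:
            chains.append((likelihood, reached, list(chain)))
        if len(chain) >= max_depth:
            return
        for f in findings:
            if f in chain:
                continue
            if chain and f.requires == "none":
                continue  # later steps must build on access already gained
            if ACCESS_WEIGHT[f.requires] > ACCESS_WEIGHT[reached]:
                continue  # prerequisite not yet held
            if ACCESS_WEIGHT[f.access] <= ACCESS_WEIGHT[reached]:
                continue  # no escalation, so not worth a step
            chain.append(f)
            extend(chain, f.access, likelihood * f.likelihood)
            chain.pop()

    extend([], "none", 1.0)
    return chains


def plan_attack(findings: List[Finding], target: str) -> List[Chain]:
    """Chains that reach the agreed exit criterion (target access), most likely first."""
    reaching = [c for c in build_chains(findings)
                if ACCESS_WEIGHT[c[1]] >= ACCESS_WEIGHT[target]]
    return sorted(reaching, key=lambda c: c[0], reverse=True)


# Constructed sample findings (hypothetical hosts and results, not real data).
FINDINGS = [
    Finding("web01", "SQL injection in login form", 0.8, "user", "none"),
    Finding("web01", "local privilege escalation via writable service binary", 0.6, "admin", "user"),
    Finding("web01", "cached domain admin credentials readable as local admin", 0.7, "domain_admin", "admin"),
    Finding("vpn01", "default administrative credentials", 0.3, "admin", "none"),
    Finding("files01", "anonymous share listing", 0.9, "information_disclosure", "none"),
]

if __name__ == "__main__":
    for f in rank_vectors(FINDINGS):
        print(f"{score(f):.2f}  {f.host:8} {f.vuln}")
    print()
    for likelihood, reached, steps in plan_attack(FINDINGS, "domain_admin"):
        path = " -> ".join(f"{s.host}:{s.vuln}" for s in steps)
        print(f"{likelihood:.3f}  reaches {reached}: {path}")
```

Note that the highest-scoring individual finding (the cached credentials) is unusable on its own because it requires local admin first; the chain view is what turns a list of findings into a strategy, and the exit criterion agreed with the client decides which chains count as success.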
As with VA testing, we follow a systematic methodology, and we work with our clients to ensure that the proposed test approach and its risks are understood before any testing begins and that exit criteria are negotiated and agreed upon in advance (e.g. the ability to read a specific file, or to create or modify a database record).
Social engineering tests the "human" aspect of security. Typical social engineering activities include targeted attacks against a list of people or email addresses supplied by the client or derived from open-source intelligence (OSINT) gathered with public search engines and other public resources. The goal is to extract information from staff or to gain remote access to workstation assets. Three examples of the ways in which such information can be solicited from a client's personnel include:
Please Contact Us for further information.