Regular penetration testing forms an essential part of a positive Cyber Security strategy and helps to identify and eliminate gaps in your organisation’s defences by attempting to breach some or all of the target system’s security, using the same tools and techniques as an adversary might.
A well-scoped penetration test (a.k.a. a pen test) can provide organisations with an insight into the security issues that could be exploited by the ‘bad guys’, with clear and concise guidance on how to fix them and protect your systems and data.
A pen test is an ethical cyber security assessment conducted to identify, safely exploit and help eliminate vulnerabilities that reside across an organisation’s IT environment. It is recommended that all organisations commission testing at least once per year, with additional assessments following significant changes to infrastructure or applications, or prior to major product launches. Large organisations and government departments that process vast amounts of personal information or financial data should consider conducting pen tests more frequently.
Before selecting a suitable provider, it’s important to be familiar with the types of pen test available, as engagements vary in focus, depth and duration. Common penetration testing engagements include:
Infrastructure Penetration Testing
An assessment of on-premise network infrastructure, including firewalls, system hosts and devices such as routers and switches. Can be framed as either an ‘internal penetration test’, focusing on assets inside the corporate network, or an ‘external penetration test’, targeting internet-facing infrastructure. To scope a test, you will need to know the number of internal and external IPs to be tested, network subnet size and number of sites.
Wireless Penetration Testing
A test that specifically targets an organisation’s WiFi network configuration and can help to identify rogue access points, weaknesses in encryption and WPA vulnerabilities. To scope an engagement, testers will need to know the number of wireless and guest networks, locations and unique SSIDs to be assessed.
Web Application Testing
An assessment of websites and custom applications delivered over the Internet (or sometimes within your internal network), looking to uncover coding, design and development flaws that could be maliciously exploited. Before approaching a testing provider, it’s important to ascertain the number of apps that need testing, as well as the number of static pages, dynamic pages, input fields and login processes to be assessed.
Mobile Application Testing
The testing of mobile applications on operating systems including Android and iOS to identify authentication, authorisation, data leakage and session handling issues. To scope a test, providers will need to know the operating system types and versions you’d like an app to be tested on, the number of API calls and any requirements for jailbreaking and root detection.
Build & Configuration Review
Review of network builds and configurations to identify misconfigurations across web and app servers, routers and firewalls. The number of builds, operating systems and application servers to be reviewed during testing is crucial information to help scope this type of engagement.
Cloud Security Assessments
Cloud systems, whether they are infrastructure as a service (IaaS) such as Amazon’s AWS or Microsoft’s Azure, platform as a service (PaaS), or software as a service (SaaS), are prone to security misconfigurations, weaknesses, and security threats just as traditional systems are. The information needed to scope these assessments includes the cloud services used, number of cloud accounts, number of cloud firewalls, number of cloud servers and any cloud databases in use.
Whether it be a diverse infrastructure or a complex web application, our certified pen testers can be trusted to provide a comprehensive testing programme to meet your business needs, helping to identify any vulnerabilities that could be exploited by the bad guys.
Unlike other security companies, our team of Cyber Security Specialists provide a strong level of ‘aftercare’, ensuring that our clients have the required level of support to fix the vulnerabilities that we identify.
For more information on how we can support you with our penetration testing services, please contact us on 0161 706 0244 or email info@cybersecurityspecialists.co.uk to speak with a member of the team.