Prove You Are Secure from Malicious Activity, Both Inside and Out
Whether you need to prove regulatory compliance, satisfy a request from your boss, or show security maturity to a client (or clients), a penetration test is a great mechanism to accomplish your goals.
What is a Penetration Test?
Penetration testing, also known as ethical hacking, is a method of evaluating the security of your infrastructure (computer systems, networks, applications and people) by simulating an attack from malicious outsiders (unauthorized) and/or malicious insiders (authorized) to identify attack vectors, vulnerabilities and control weaknesses. It combines a variety of manual techniques with automated tools and attempts to exploit the known vulnerabilities it finds.
Our experienced testers identify specific weaknesses in an organization’s security posture. By safely attempting to discover and exploit vulnerabilities in your network, applications, people, and more, we find the “leaks” in your systems before damage occurs.
What do you want to test?
Network penetration testing, a type of ethical hacking, is a method of evaluating the security of your network using simulated attacks to identify and exploit vulnerabilities in your network infrastructure. Malicious attacks are simulated using a variety of manual techniques supported by automated tools. Our penetration testing methodology goes beyond the detection process of simple scanning software to identify and prioritize the most vulnerable areas of your network and recommend actionable solutions.
Providing end users with the freedom and mobility of a WLAN is increasingly viewed as a “need to have” in today’s workplace, but wireless access creates an additional network security concern.
Because radio waves travel through ceilings, floors, and walls, transmitted data often reaches unintended recipients on other floors or outside the building. Most of these recipients are harmless, but malicious parties actively look for an opportunity to access your company’s data, and a WLAN weakness can provide that opportunity.
We offer Application Penetration Testing services that simulate attacks on your applications to expose vulnerabilities. We use our expertise in information security and compliance to give you effective testing and thorough reporting. Our process is tailored to your needs and protects your business from losing valuable and confidential information. Contact us for more information on application penetration testing and security consulting services for your company.
Social engineering is a distinct and far less technical form of penetration testing. It emulates the activities of a malicious actor and the variety of deceptive techniques they use to obtain information that aids or eases the progress of their attack.
Database vulnerability assessments are integral to a systematic and proactive approach to database security. This form of testing reduces the risk associated with both web- and database-specific attacks, and is often required for compliance with relevant standards, laws and regulations.
Physical security is the most basic form of information security: the ability of a business to protect its information from physical attacks, such as an intruder stealing a laptop or reading private information while an employee is away from their desk.
Physical controls include locks, sensors, camera systems, and other devices designed to keep an intruder from gaining physical access to your business. A failure of these controls can immediately result in the theft of a laptop, access to your internal network, access to a wiring closet, or even access to a data center.
Do I really need a Penetration Test?
This might sound like a ridiculous question but please hear us out…
Penetration testing is often confused with other forms of technical security testing, particularly vulnerability assessments. The information obtained, the effort required, and the cost differ considerably between the two. Please don’t pay for a penetration test when all you may need is a vulnerability assessment. We have seen too many organizations burned by security companies that sold them a bill of goods they did not need.
If you are unsure about your particular assessment needs, reach out and we’ll be happy to point you in the right direction!
Frequently Asked Questions
Your company could use Penetration Testing to:
- Confirm that your environment is as secure as you believe
- Prove to a third party that an environment is secure and trustworthy
- Quickly assess the security of a less mature control environment (in a sense, a technical risk assessment)
- Verify, after a major change (e.g., the installation of a high-risk system/application), that the security controls are operating as intended
Our testers often carry dozens of tools and will select which tools to use based on the type of test and the specific technologies that you are running. Common Penetration Testing tools include:
- Vulnerability scanners (e.g., Nessus, Qualys, NTO Spider)
- Automated exploit engines (e.g., Metasploit Professional, Canvas)
- Password Crackers (e.g., John the Ripper)
- Sniffers/proxies/tamper tools (e.g., Burp Suite, Cain & Abel)
Generally, penetration tests have two distinct phases. In the first, “reconnaissance”, the tester gathers as much information as possible about the target in order to achieve the objectives of the engagement; this often involves running a vulnerability assessment tool, which gives a first picture of how exposed your systems are. In the second, “exploitation”, the tester attempts to exploit the vulnerabilities identified during reconnaissance. This tells you how likely it is that your vulnerabilities can actually be exploited and, if so, what the impact would be to your organization.
Simple penetration tests at a smaller company may last a day or less; larger tests for a global enterprise can extend over several weeks. When done properly, penetration testing is unlikely to cause serious disruption to your business. However, no reputable penetration testing company can guarantee a test completely free of disruption. We do not perform denial-of-service testing or use untested tools or unvalidated exploit code. In 12 years, less than 5% of our tests have caused minor disruptions, such as a short period of slowed network traffic.
We pride ourselves on keeping your business up and running.
We only involve your employees if your objectives include testing incident detection (e.g., assessing whether your Security Operations Center is paying attention) or if you want your team to work collaboratively with our test team to learn about penetration testing.
We provide formal reporting on the testing process, including a gap analysis, relevant findings, and a mitigation roadmap for addressing vulnerabilities and strengthening your network. Where possible, the report also includes:
- Root cause analysis
- Peer-group benchmarking
- Good practice benchmarking
- Executive summaries
- Technical summaries