Penetration testing recreates malicious attacks in order to identify and exploit gaps in an organisation's systems.
Why should an organisation consider continuous penetration testing?
Often penetration testing is completed on a bi-annual or annual basis. Thereafter the findings are subject to change with the next newly disclosed vulnerability, the next patch cycle, or any asset or software configuration change.
By automating penetration testing, tests can be completed on a regular basis (such as fortnightly or monthly) and provide continuous feedback to clients on their security posture. The use of automated tools can also reduce the overall costs traditionally associated with ad hoc testing. Besides reducing the attack surface through more timely information, such a regime can assist in reducing compliance costs.
Why complete a Penetration Test?
These penetration tests enable an organisation to gauge how susceptible it is to an attacker (assuming the attacker had access similar to that granted to the penetration tester in the agreed testing scope).
The results enable organisations to:
- Assess Intrusion Prevention System (IPS) effectiveness
- Identify risks including the information available for misuse, alteration, destruction or to be held to ransom
- Determine which systems are vulnerable to exploitation (externally and/or internally, dependent on the test type)
- Determine if they are culturally at risk due to a lack of awareness amongst team members
- Identify at-risk personally identifiable information and other sensitive data
- Address insufficient authentication and authorization in different services
- Identify and address weak user credentials
- Identify configuration flaws, including excessive user privileges.
Secure-ISS’s typical engagement scenarios can be broken into two distinct types, External and Internal.
What is External Penetration Testing?
An external penetration test is a security assessment conducted over the Internet by an ‘attacker’ with no prior knowledge of your systems. Such a test provides organisations with an understanding of how their business looks to a hacker or malicious actor on the other side of the Internet. Such ‘Black Hat’ exercises are conducted with or without client management awareness.
What is Internal Penetration Testing?
An internal penetration test is a security assessment with scenarios based on an internal attacker, such as a visitor with only physical access to your offices or a contractor with limited systems access. Such a test provides organisations with an understanding of how vulnerable their business is to a malicious actor who has subverted the external or perimeter defences of the business.
Simulated attacks follow the typical hacker attack chain:
How often should penetration testing be completed?
Penetration tests should be done on a regular basis, bi-annually or annually (at a minimum) or after large infrastructure changes or security initiatives are delivered into an organisation.
A number of additional services can be brought to bear alongside the penetration testing, including:
- PCI DSS 3.0 testing and reporting (should your organisation have this particular requirement or any other compliance needs)
- Social Engineering Testing (such as phishing attacks)
- Application Security and Load Testing Services
- Security Awareness Training
Packages can be tailored to meet your organisation’s requirements by including any of the optional services and/or combining both Internal and External packages. Most services can be delivered remotely; however, certain facets must be completed onsite.
What are the outcomes from Penetration Testing?
Our penetration testing services are designed to reveal security shortcomings within your infrastructure which could be exploited to gain unauthorised access to critical components of your business. Results are provided in a final report with an executive summary outlining the test results and illustrating the attack vectors found.
The report content (suitable for both Executive and Technical audiences) includes:
- Detailed technical information on the testing process
- Actionable outcomes, including results and the vulnerabilities revealed; and
- Recommendations for remediation items.
Our penetration testing services support your defence-in-depth security posture by providing actionable insights into both your internal and external security mechanisms.