Penetration Testing

What is penetration testing?

Penetration testing is a systematic process of probing for vulnerabilities in your applications and networks. It is essentially a controlled form of hacking in which the ‘attackers’ operate on your behalf to find the sorts of weaknesses that criminals exploit.

The penetration testing process involves assessing your chosen systems for any potential weaknesses that could result from poor or improper system configuration, known and unknown hardware or software flaws, and operational weaknesses in process or technical countermeasures.

An experienced penetration tester can mimic the techniques used by criminals without causing damage. These tests are usually conducted outside business hours or when networks and applications are least used, thereby minimising the impact on everyday operations.

To find out more about our penetration testing services, get in touch with one of our experts today.

Why conduct a penetration test?

An organisation should carry out a penetration test:

  • In response to the impact of a serious breach on a similar organisation;
  • To comply with a regulation or standard, such as the PCI DSS (Payment Card Industry Data Security Standard) or the ISMS (Information Security Management System);
  • To ensure the security of new applications or significant changes to business processes;
  • To manage the risks of using a greater number and variety of outsourced services; and/or
  • To assess the risk of critical data or systems being compromised.

Different types of penetration test

There are different types of penetration test, each focusing on a particular aspect of an organisation’s logical perimeter.

External network (or infrastructure) penetration test
Objectives

The objective of an external network penetration testing is to identify security vulnerabilities in how an organisation connects with the Internet and other external systems. This includes servers, hosts, devices and network services.  If an organisation’s interfaces are not designed correctly, criminals will be able to enter the network and perform malicious activities.

Common security issues
  • Unpatched operating systems, applications and server management systems.
  • Misconfigured software, firewalls and operating systems.
  • Unused or insecure network protocols.
Internal network penetration test
Objectives

The objective of an internal Network penetration test is to determine what vulnerabilities exist that are accessible to both an authenticated and non authenticated user to ensure that the network is critically assessed for both the potential exploit of a rogue internal user, and an unauthorised attack.

Common security issues
  • Weak / default passwords
  • Inappropriate privileges
  • Access control issues / information leakage
  • Inadequate patching of systems
  • Unsecured workstations
  • Vulnerabilities in intranet applications
Web application penetration test
Objectives

The objective of web application penetration testing is to identify security issues resulting from insecure development practices in the design, coding and publishing of software. Applications
are a vital business function for many organisations as they are used to process payment card data, sensitive personal data and/or proprietary data.

Common security issues
  • The potential for injection (the lack of validation allows attackers to control the user’s browser).
  • Privilege escalation (users have access to more parts of the site or application than they should).
  • Cross-site scripting.
Wireless network penetration test
Objectives

The objective of wireless network penetration testing is to detect access points and rogue devices in an organisation’s secured environment.

Common security issues
  • Rogue or open access points.
  • Misconfigured or accidentally duplicated wireless networks.
  • Insecure wireless encryption standards, such as WEP (Wired Equivalent Privacy).
Simulated phishing test
Objectives

The objective of phishing and social engineering penetration testing is to assess employees’ susceptibility to break security rules or give access to sensitive information.

Common security issues
  • Susceptibility to phishing emails.
  • A willingness to hand over sensitive information to people without knowing who they are.

Giving people physical access to a restricted 

What will I find in my penetration test report?

A penetration test performed by SCS will, on average, identify 3 critical, 8 high-, 43 medium- and 11 low-risk findings per report.

Rating

Critical

Description

The threat agent could gain full control over the system or application, or render it unusable by legitimate users, by using well-known methods and exploits.

Number of findings

3

Rating

High

Description

The threat agent could gain full control over the system or application or render it unusable by legitimate users.

Number of findings

8

Rating

Medium

Description

The threat agent could gain some level of interactive control or access to data held on the system.

Number of findings

43

Rating

Low

Description

The threat agent could gain information about the systems, which could be used to facilitate further access.

Number of findings

11

 

Leave a Reply

Your email address will not be published. Required fields are marked *