
Penetration Testing

IntaForensics® consultants focus on current and impending cyber security risks, advising and supporting clients to ensure they understand the dangers and implications of a successful attack. In a world where your data is a highly sought-after commodity, making sure it is protected must be regarded as a top priority for all organisations.



Penetration testing, also known as pen testing and ethical hacking, is a methodology employed by our technical specialists to evaluate, probe and test a computer system, network or web application to identify any security vulnerabilities that could be exploited.

The process may be performed manually or through the use of software applications and is designed to simulate an attack upon an entity. It should be viewed as a method for gaining assurance in your organisation’s vulnerability assessment and management processes, not as a primary method for identifying vulnerabilities.

IntaForensics offers penetration testing engagements to suit our clients’ needs, enabling them to reinforce their Cyber Security Policies and Procedures to better protect them from future threats. Our penetration testers are trained in Network, Web and Infrastructure testing disciplines and can offer versatile engagement solutions to any testing environment.

The Payment Card Industry Data Security Standards (PCI DSS) requirements 11.3.1 and 11.3.2 state that penetration testing must be performed at least annually and after any significant changes to a merchant’s network or applications. Penetration testing can be a complex and vast subject and ensuring your penetration test meets the necessary requirements can be a challenge. IntaForensics has trained our penetration testers with the PCI-DSS requirements in mind and where required, our methodologies and approach are designed specifically with the PCI-DSS penetration test guidance in mind to ensure that when we conduct a PCI-DSS penetration test, it will meet the necessary criteria.

Our penetration testing methodology

Scoping

This includes planning and reconnaissance whereby the scope and goals of the project are established. Intelligence is gathered to understand how the target works and the output at this stage is a document that contains a number of key elements, including but not limited to:

  • Technical boundaries of the test
  • Type of tests proposed
  • Anticipated timeframes
  • Any specific requirements
  • Details of any constraints imposed by the client

Testing/Scanning

Established techniques are used to determine how the target environment responds to a variety of intrusion attempts.

Gaining & Maintaining Access

Identification of the extent to which ‘unauthorised’ access could be gained to the environment under test. This may also reveal the type of assets potentially exposed via interception of network traffic, data theft and privilege escalation. Can a degree of persistence be achieved? The idea of this is to imitate Advanced Persistent Threats (APTs) which may remain hidden in a network for months with the objective of targeting sensitive data.

Analysis & Reporting

A comprehensive report is produced for the client, detailing the specifics of any vulnerabilities exploited, the type and location of data exposed and any other pertinent items. Recommendations for resolving any identified issues will be provided in addition to an opinion on the accuracy of the clients. It is very likely that a debriefing exercise will also be held whereby the client can clarify any issues and ask for additional information.

Types of penetration testing

Blackbox

Without Login Credentials

Black Box tests are where the penetration tester knows nothing of the infrastructure to be tested. It is more indicative of a real-world attack, but this method may not always expose all vulnerabilities.

Greybox

With User Credentials

Greybox tests are the most popular form of test, taking a balanced approach between white and black box testing. A grey box test discloses just enough information to perform a thorough, methodical test, whilst keeping the scenario relevant and realistic. This method may estimate how much damage a disgruntled employee could cause.

Whitebox

With Full Admin Credentials

White Box tests are where the penetration tester has access to full, in-depth information on the infrastructure to be tested. Whilst not as realistic as a black box test, it allows for a very thorough test.

As regular customers of IntaForensics, I highly recommend the company for the services delivered by Damian Walton and his team. I couldn’t praise their Cyber Essentials services and support highly enough.

Ryan James, Managing Director - nFocus
