Penetration testing, also known as pen testing and ethical hacking, is a cyber-attack which is employed by our technical specialists to evaluate, probe and test a computer system, network or web application to identify any security vulnerabilities that could be exploited by cyber criminals. The cyber-attack process can be performed manually, or through the use of software applications and is designed to simulate an attack upon a system. It should be viewed as a method for gaining assurance in your organisation’s vulnerability assessment and management processes, not as a primary method for identifying vulnerabilities.
IntaForensics offers penetration testing engagements to suit our client’s needs, enabling them to reinforce their cyber security policies and procedures to better protect them from future threats. Our penetration testers are trained in Network, Web and Infrastructure testing disciplines and can offer versatile engagement solutions to any testing environment.
The Payment Card Industry Data Security Standards (PCI DSS) requirements 11.3.1 and 11.3.2 state that penetration testing must be performed at least annually and after any significant changes to a merchant’s network or applications. Penetration testing can be a complex and vast subject and ensuring your penetration test meets the necessary requirements can be a challenge. IntaForensics has trained our penetration testers with the PCI-DSS requirements in mind and where required, our methodologies and approach are designed specifically with the PCI-DSS penetration test guidance in mind to ensure that when we conduct a PCI-DSS penetration test, it will meet the necessary criteria.
Types of Penetration Testing
Black BoxWithout Login Credentials
Black Box tests are where the penetration tester knows nothing of the infrastructure to be tested. It is more indicative of a real-world, attack, but this method may not always expose all vulnerabilities.
Grey BoxWith User Credentials
Grey Box tests are the most popular form of test that takes a balanced approach between white and black boxes. A grey box test discloses just enough information to perform a thorough, methodical test, whilst keeping the scenario relevant and realistic. This method may estimate how much damage a disgruntled employee could cause.
White BoxWith Full Admin Credentials
White Box tests are where the penetration tester has access to full, in-depth information on the infrastructure to be tested. Whilst not as realistic as a black box test, it allows for a very thorough test.
Our Penetration Testing Methodology
This process includes planning and reconnaissance whereby the scope and goals of the project are established. Intelligence is gathered to understand how the target works and the output at this stage is a document that contains a number of key elements, including but not limited to:
- Technical boundaries of the test
- Type of tests proposed
- Anticipated timeframes
- Any specific requirements
- Details of any constraints imposed by the client
IntaForensics use established techniques, designed to establish how the target environment responds to a variety of intrusion attempts. Identification of the extent to which ‘unauthorised’ access could be gained to the environment under test. This may also reveal the type of assets potentially exposed via interception of network traffic, data theft and privilege escalation. Can a degree of persistence be achieved? The idea of this is to imitate Advanced Persistent Threats (APTs) which may remain hidden in a network for months with the objective of targeting sensitive data.
A comprehensive report is produced for the client, detailing the specifics of any vulnerabilities exploited, the type and location of data exposed and any other pertinent items. Recommendations for resolving any identified issues will be provided in addition to an opinion on the accuracy of the clients. It is very likely that a debriefing exercise will also be held whereby the client can clarify any issues and ask for additional information.
As regular customers of IntaForensics, I highly recommend the company for the services delivered by Damian Walton and his team. I couldn’t praise their Cyber Essentials services and support highly enough.
Ryan James, Managing Director - nFocus
Up to 12,000 schools could become targets of cyber-attacks in 2022 This frightening statistic comes after more than three quarters […]Read More
Cyber Attacks: Attacker Techniques and the Business Impact Many businesses across the UK are concerned about the impact that a […]Read More