Penetration Testing

IntaForensics® is a Crest Approved Penetration Tester. Our Pen Testing Specialists evaluate, probe and test a computer system, network or web application to identify any security vulnerabilities that could be exploited. In a world where your data is a highly sought-after commodity, making sure it is protected must be regarded as a top priority for all organisations.


Penetration Testing

Penetration testing, also known as pen testing and ethical hacking, is a simulated cyber-attack carried out by our technical specialists to evaluate, probe and test a computer system, network or web application and identify any security vulnerabilities that could be exploited by cyber criminals. The testing can be performed manually or through the use of software applications, and is designed to simulate an attack upon a system. It should be viewed as a method for gaining assurance in your organisation’s vulnerability assessment and management processes, not as a primary method for identifying vulnerabilities.

IntaForensics offers penetration testing engagements to suit our clients’ needs, enabling them to reinforce their cyber security policies and procedures to better protect themselves from future threats. Our penetration testers are trained in Network, Web and Infrastructure testing disciplines and can offer versatile engagement solutions to any testing environment.

The Payment Card Industry Data Security Standard (PCI DSS) requirements 11.3.1 and 11.3.2 state that penetration testing must be performed at least annually and after any significant changes to a merchant’s network or applications. Penetration testing can be a complex and vast subject, and ensuring your penetration test meets the necessary requirements can be a challenge. IntaForensics has trained its penetration testers with the PCI DSS requirements in mind and, where required, our methodologies and approach are designed specifically around the PCI DSS penetration test guidance, so that when we conduct a PCI DSS penetration test, it will meet the necessary criteria.

Types of Penetration Testing

Black Box

Without Login Credentials

Black Box tests are where the penetration tester knows nothing of the infrastructure to be tested. This is more indicative of a real-world attack, but the method may not always expose all vulnerabilities.

Grey Box

With User Credentials

Grey Box tests, the most popular form of test, take a balanced approach between white box and black box testing. A grey box test discloses just enough information to perform a thorough, methodical test, whilst keeping the scenario relevant and realistic. This method may estimate how much damage a disgruntled employee could cause.

White Box

With Full Admin Credentials

White Box tests are where the penetration tester has access to full, in-depth information on the infrastructure to be tested. Whilst not as realistic as a black box test, it allows for a very thorough test.

Our Penetration Testing Methodology

This process includes planning and reconnaissance whereby the scope and goals of the project are established. Intelligence is gathered to understand how the target works and the output at this stage is a document that contains a number of key elements, including but not limited to:

  • Technical boundaries of the test
  • Type of tests proposed
  • Anticipated timeframes
  • Any specific requirements
  • Details of any constraints imposed by the client

IntaForensics uses established techniques designed to establish how the target environment responds to a variety of intrusion attempts and to identify the extent to which ‘unauthorised’ access could be gained to the environment under test. This may also reveal the type of assets potentially exposed via interception of network traffic, data theft and privilege escalation. Can a degree of persistence be achieved? The idea of this is to imitate Advanced Persistent Threats (APTs), which may remain hidden in a network for months with the objective of targeting sensitive data.

A comprehensive report is produced for the client, detailing the specifics of any vulnerabilities exploited, the type and location of data exposed and any other pertinent items. Recommendations for resolving any identified issues will be provided in addition to an opinion on the accuracy of the clients. It is very likely that a debriefing exercise will also be held whereby the client can clarify any issues and ask for additional information.

Scoping

Our penetration testing team will work with you to understand your environment and map out your areas of risk. This will form the basis to define the scope and goals of the penetration test, including the systems and testing methods to be used.

Testing/Scanning

We perform the testing methods to understand how the target environment responds to intrusion attempts. All testing is performed in line with the documented scope, and will only use testing methods that have been agreed.

Gaining & Maintaining Access

By exploiting any identified vulnerabilities, the testing will determine if they can be used to achieve a persistent presence in the system, long enough for a bad actor to gain in-depth access. This is to simulate real-world advanced persistent threats, which often remain in a system for months in order to steal sensitive data.

Analysis & Reporting

A comprehensive report is produced for the client, detailing the specifics of any vulnerabilities exploited, the type and location of data exposed and any other pertinent items. Recommendations for resolving any identified issues will be provided.

As regular customers of IntaForensics, I highly recommend the company for the services delivered by Damian Walton and his team. I couldn’t praise their Cyber Essentials services and support highly enough.

Ryan James, Managing Director - nFocus
