The most accurate way to know your organization’s security posture is to examine your business environment the way a hacker would: through manual penetration testing, also called ethical hacking. Our certified penetration testers use industry-recognized methodologies and innovative technology to minimize risk, identify vulnerabilities, and help protect your organization against current hacking trends.
Common Questions and Answers
Is a security assessment designed to identify and exploit vulnerabilities affecting networks, systems, websites, and applications. Any weaknesses discovered are provided so they can be addressed in order to mitigate the risk of suffering further damage.
Is the process of identifying, quantifying, and prioritizing the vulnerabilities in a system, network, website, or application.
A vulnerability scan uses automated tools designed to search for known vulnerabilities. A penetration test is a more in-depth assessment that utilizes both machine and human approaches to identify weaknesses. Both solutions are necessary for a truly mature approach.
The penetration testing process can be broken down into five stages:
1) Planning and reconnaissance
Defining the scope and gathering intelligence
Technical tools used to gather further intelligence on our target
3) Gaining Access (Exploitation)
Taking control of one or more devices in order to extract data from a target or use that device as leverage to attack other targets.
4) Maintaining Access (Post-Exploitation)
Steps involved to be able to persist within a target in order to gather as much data as possible. This requires the attacker to remain stealthy to ensure they are not caught in the environment.
5) Covering Tracks
The attacker takes the necessary steps to remove any tracks and avoid detection. Everything must be returned to a state of non-recognition, as it was prior to access being gained.
Testing is performed with varying levels of information provided by the client:
Black-Box: Method of testing that examines the application or environment without knowledge of its structure. This is also known as functional testing. This is typically done to provide an assessment from a black hat hacker's point of view.
White-Box: Method of testing that provides full environment details and credentials to systems and applications to allow a comprehensive view. This is also known as structural testing. This is done to give the client a full-scope risk assessment of their environment.
Grey-Box: Method of testing that provides details about the environment, but no credentials. This is done to help the tester limit the scope without providing any credentials or access to the systems.
Every measure is taken to ensure our penetration testing is not disruptive, but there are instances where this could occur. Legacy servers, operating systems, or software used within your applications that aren’t patched or updated properly could hang during the testing process. We will coordinate our efforts in accordance with the schedule that best accommodates our clients. We work to ensure a client resource is available so that any critical vulnerability or weakness that could cause an outage is addressed immediately and handled by the client to eliminate any potential outage.
Not only should the time to perform the test be considered; adequate time should also be provided on the planning side. The entire effort varies depending on the size and complexity of the penetration test. The larger and more complex the environment, the more effort and time are required. The duration of the test should ensure that a good representative view of the environment is assessed at that given time. Generally, three to four weeks is the estimated time for the entire engagement from planning to delivery.
Once our penetration test is completed, you will receive a report or deliverable detailing all of the findings, recommendations, and supporting evidence. This should clearly document the scope and boundaries of the engagement, including the dates when the testing was performed.
Penetration tests, typically network and web application tests, are often performed once every year. Some standards and processes call for testing when changes occur to the application or the network, or even when significant changes are required by compliance (PCI requirement 11.3). Clients even require new software to be tested before it is put into production.
No. It is our goal to identify vulnerabilities and the risk they pose, and to advise on the recommended solutions. The degree to which they are addressed is determined by the client. When all of the vulnerabilities have been reviewed, a mitigation plan should be put in place and each of the reported vulnerabilities should be addressed in that plan. A vulnerability can be addressed by applying a patch, reconfiguring the necessary software, turning a particular service off, applying a mitigating control (firewall) to reduce the risk, or just accepting the risk (this could be the best option depending on the issue at hand).
The cost of penetration testing services can vary. Factors used to determine pricing include the size of the application and environment, the quantity of systems, and the frequency of testing. The estimate provided includes the labor and time required to complete the assessments.
Great! Please feel free to send it to us at firstname.lastname@example.org