The purpose of a Penetration Test is to demonstrate the actual implications of potential security vulnerabilities in a controlled manner. This is applicable both to infrastructure and web applications. A Penetration Test typically simulates real-life threats posed to infrastructure or web services or applications, internal or external depending on the scope of the assignment.
A Penetration Test goes one step further than just discovering the vulnerabilities; it seeks to demonstrate what could be leveraged by a potential malicious attacker by attempting to actively exploit identified vulnerabilities such as missing operating system patches, mis-configured devices or badly coded applications.
All assignments begin with a customer meeting to understand the business drivers behind the Penetration Test. For example, are you about to launch a new web application and want to determine whether it is secure or not? Maybe you are seeking to demonstrate your network security environment to potential new client. Perhaps, with the increase in remote working, you want to be sure your access mechanisms are secure and don't represent a risk to the overall operation of the company.
When the scope of the Penetration Test is agreed, a proposal is created. The proposal clearly identifies the business objectives of the testing, the scope of the testing whether it be the remote access portal, web application, network infrastructure and/or branch office environment, the permissible techniques and strategies for the Penetration Tester to use. It will also provide you with a clear indication of the effort required to complete the assignment. The proposal is based on the customer's original requirements, which will have been agreed during the preliminary phase.
The first step of a Penetration Test is to determine what potential vulnerabilities lie within the target environment or application. Systematic testing allows for the potential identification of vulnerabilities that may be easily exploited or, yield the best results when attempting to compromise a network or application. From this the vulnerabilities are categorised against, criticality and exploitability.
Once the exploitable vulnerability points of entry are identified the Penetration Tester will attempt to gain access to the system or web application in order to obtain evidence of compromise, this maybe the result of a single vulnerability or by multiple interconnected vulnerabilities. This evidence is maintained as substantiated proof and will be documented in the final customer report. At all times the Security Consultant will maintain electronic traffic records and manual notations of their actions by tracking and tracing their own activities to ensure that systems can be normalised once testing is complete.
The reports created are tailored to the individual needs of each customer, which will typically be a final report outlining the findings of the Penetration Test and include:
- Which vulnerabilities were identified?
- Which were found to be exploitable and what evidence of the exploit is available?
This will provide evidence of which system was compromised, and was retrieved in order to prove that access was obtained. The reports are designed to be relevant and readable at all levels from the CIO/Board-level to the ICT teams responsible for the Systems.
We further aims to reduce technical jargon to a minimum whilst maintaining a high-quality and usable report. In addition, we are able to provide technical briefings and security awareness training to support the improvement of systems following on from the report once delivered.