The purpose of a Penetration Test
is to demonstrate the actual implications of potential security vulnerabilities
in a controlled manner. This is applicable both to infrastructure and web
applications. A Penetration Test typically simulates real-life threats posed to
infrastructure or web services or applications, internal or external depending
on the scope of the assignment.
A Penetration Test goes one step
further than just discovering the vulnerabilities; it seeks to demonstrate what
could be leveraged by a potential malicious attacker by attempting to actively
exploit identified vulnerabilities such as missing operating system patches,
mis-configured devices or badly coded applications.
All assignments begin with a
customer meeting to understand the business drivers behind the Penetration
Test. For example, are you about to launch a new web application and want to
determine whether it is secure or not? Maybe you are seeking to demonstrate
your network security environment to potential new client. Perhaps, with the
increase in remote working, you want to be sure your access mechanisms are
secure and don't represent a risk to the overall operation of the company.
When the scope of the Penetration
Test is agreed, a proposal is created. The proposal clearly identifies the
business objectives of the testing, the scope of the testing whether it be the
remote access portal, web application, network infrastructure and/or branch
office environment, the permissible techniques and strategies for the
Penetration Tester to use. It will also provide you with a clear indication of
the effort required to complete the assignment. The proposal is based on the
customer's original requirements, which will have been agreed during the
preliminary phase.
The first step of a Penetration
Test is to determine what potential vulnerabilities lie within the target
environment or application. Systematic testing allows for the potential
identification of vulnerabilities that may be easily exploited or, yield the best
results when attempting to compromise a network or application. From this the
vulnerabilities are categorised against, criticality and exploitability.
Once the exploitable vulnerability
points of entry are identified the Penetration Tester will attempt to gain
access to the system or web application in order to obtain evidence of
compromise, this maybe the result of a single vulnerability or by multiple
interconnected vulnerabilities. This evidence is maintained as substantiated
proof and will be documented in the final customer report. At all times the
Security Consultant will maintain electronic traffic records and manual
notations of their actions by tracking and tracing their own activities to
ensure that systems can be normalised once testing is complete.
The reports created are tailored to
the individual needs of each customer, which will typically be a final report
outlining the findings of the Penetration Test and include:
- Which vulnerabilities were identified?
- Which were found to be exploitable and what
evidence of the exploit is available?
This will provide evidence of which
system was compromised, and was retrieved in order to prove that access was
obtained. The reports are designed to be relevant and readable at all levels
from the CIO/Board-level to the ICT teams responsible for the Systems.
We further aims to reduce technical
jargon to a minimum whilst maintaining a high-quality and usable report. In
addition, we are able to provide technical briefings and security awareness
training to support the improvement of systems following on from the report
once delivered.