What is Penetration Testing?
Penetration testing (also called pen testing, ethical hacking or blue teaming) is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit.
A true penetration test does not rely on tools alone (vulnerability scanning). A penetration test is the next stage: it takes those scan results and adds human, intelligence-led testing to build a thorough picture of an organisation’s security and its exploitable vulnerabilities.
An internal penetration test assumes that the attacker has already gained access to your network by some means, perhaps through malware (malicious software specifically designed to disrupt, harm or gain unauthorised access to a device or computer system) delivered by email, through social engineering, or through a vulnerability in your externally facing systems.
Some companies sell vulnerability assessments as penetration tests, but they are not the same thing. A vulnerability assessment relies mainly on automated tools that search systems for known vulnerabilities and make assumptions about what they find. A penetration test attempts to actively exploit weaknesses in an environment and requires a high level of expertise.
Whilst there is merit in running a vulnerability assessment prior to a penetration test to reduce workload, some disreputable security companies run repeated vulnerability scans across a number of customer environments to maximise the money they receive for minimal effort. If you have the skills in-house, it is sensible to run a scan and fix any issues it finds before your penetration test starts.
Our testing is intelligence-led and uses a blend of methodologies. Our testing consultants use a series of automated scanning tools, customised scripts and internally written tools, followed by manual testing techniques, to emulate what a hacker could do, without the loss of data and the associated breach costs.
Our technical team do not carry sales targets, so they will not recommend products or services to buy from us. If you want advice on purchasing, ask your tester what they recommend and call your Sales Consultant for pricing.
Reporting consists of three key elements:
- Management Summary (Executive Summary)
- A non-technical outline of the findings and the number of issues/risks found. This includes a pass or fail for the test and a summary of findings with analysis of the risk versus the impact.
- The technical details of the vulnerabilities found and the associated remediation.