There is often a blurred line between vulnerability testing and actual penetration testing. A vulnerability assessment is based primarily on automated tools that identify potential weaknesses in your environment. A penetration test goes further and deeper: a human tester, rather than a scanner, safely exploits the weaknesses found, within agreed rules of engagement, to demonstrate how far an attacker could get towards your critical systems.
Why complete a Penetration Test in your organisation?
Vulnerabilities can exist in operating systems, services and applications. They can be introduced through application flaws, improper configuration and end-user behaviour. A penetration test helps to validate adherence to internal policies and the effectiveness of controls across the enterprise.
When performed regularly, penetration tests bring many benefits:
Prioritisation of security risks
Evidence of a mature security culture within the business
Support for regulatory and compliance requirements, such as PCI DSS
Assurance to your clients that securing their data is taken seriously
Internal Penetration Tests
Infrastructure Penetration Test
The internal network-layer penetration test is typically conducted on-site; however, depending on the size and scale of the agreed scope, it can be conducted remotely through a device installed on-site that creates a secure connection back to the tester. Network-layer penetration testing identifies weaknesses in the configuration of hosts and servers, and security flaws caused by missing patches or misconfiguration.
This gives you a real-world understanding of how your environment looks to an attacker and what could be exploited by an external intruder or a rogue employee.
Network segmentation testing
Network segmentation ensures that sensitive business functions are isolated from other areas of the network. Segmentation testing verifies that this isolation is effective and appropriate, typically by attempting connections from the less-trusted segments into the isolated zone and confirming that the controls actually block them, rather than relying on the documented design.
System Configuration Review
System build reviews cover devices that are not networking components, e.g. servers, desktops, laptops, phones and tablets. The review covers the hardware setup and configuration, and then the operating system build and settings that interact with that hardware.
Network device configuration review
A network device configuration review is a formal review of the configuration of the firewalls, routers and switches used to isolate and segment your network. The review covers the software and firmware versions of the devices, their general configuration and the implemented rule-sets that enforce separation between network security zones.
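Segmentation testing and the rule-set review are two views of the same question: can a host in a less-trusted zone reach an isolated one? The Python below is an added example, not One Compliance's tooling. It evaluates a firewall rule-set with first-match semantics against a set of probe flows derived from the segmentation design and reports every flow that is allowed across an isolation boundary without being a documented exception. The zone map, the two rule-sets and the jump-host exception are constructed for illustration; substitute your own zone map and an exported rule-set.

```python
"""Segmentation check: probe a firewall rule-set for flows that cross an isolation boundary.

Added example (not One Compliance code). Zones, rules and the exception list are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    dport: str    # "any", a single port ("22"), or an inclusive range ("80-443")


def port_matches(dport: str, port: int) -> bool:
    """True if a TCP destination port falls inside the rule's port specification."""
    if dport == "any":
        return True
    if "-" in dport:
        lo, hi = (int(p) for p in dport.split("-", 1))
        return lo <= port <= hi
    return int(dport) == port


def evaluate(rules, src_ip: str, dst_ip: str, port: int) -> str:
    """First-match semantics with an implicit final deny, as most firewalls apply it."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and port_matches(r.dport, port)):
            return r.action
    return "deny"


# Constructed zone map (assumption): the CDE must be isolated from the corporate and guest networks.
ZONES = {
    "corp": ipaddress.ip_network("10.10.0.0/16"),
    "guest": ipaddress.ip_network("192.168.50.0/24"),
    "cde": ipaddress.ip_network("10.20.0.0/24"),
}
# Zone pairs that the segmentation design says must not talk (source, destination).
ISOLATED = [("guest", "cde"), ("guest", "corp"), ("corp", "cde")]
# Ports worth probing from a less-trusted zone; an on-site test would fire the same list from a port scanner.
PROBE_PORTS = (22, 80, 443, 445, 3389, 1433)
# Documented, approved exceptions (assumption): one jump host may SSH into the CDE.
EXCEPTIONS = {("10.10.1.5", "10.20.0.10", 22)}


def probe_flows():
    """Representative flows across every isolation boundary, plus the exception hosts on all probe ports."""
    for src_zone, dst_zone in ISOLATED:
        src, dst = str(ZONES[src_zone][10]), str(ZONES[dst_zone][10])
        for port in PROBE_PORTS:
            yield src, dst, port
    for src, dst, _ in sorted(EXCEPTIONS):
        for port in PROBE_PORTS:
            yield src, dst, port


def find_violations(rules):
    """Flows the rule-set allows across a boundary that are not on the exception list."""
    return [flow for flow in probe_flows()
            if evaluate(rules, *flow) == "allow" and flow not in EXCEPTIONS]


# Constructed "as found" rule-set: two over-broad allows undermine the segmentation.
AS_FOUND = [
    Rule("allow", "10.10.1.5/32", "10.20.0.0/24", "22"),     # approved jump-host exception
    Rule("deny", "192.168.50.0/24", "10.0.0.0/8", "any"),    # guest cannot reach internal ranges
    Rule("allow", "10.10.0.0/16", "10.20.0.0/24", "443"),    # BAD: every corp host reaches the CDE
    Rule("allow", "0.0.0.0/0", "0.0.0.0/0", "80-443"),       # BAD: any-to-any web rule
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any"),
]

# Remediated rule-set: an explicit deny into the CDE sits before the general web allow.
REMEDIATED = [
    Rule("allow", "10.10.1.5/32", "10.20.0.0/24", "22"),
    Rule("deny", "192.168.50.0/24", "10.0.0.0/8", "any"),
    Rule("deny", "10.10.0.0/16", "10.20.0.0/24", "any"),
    Rule("allow", "10.10.0.0/16", "0.0.0.0/0", "80-443"),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any"),
]

if __name__ == "__main__":
    for name, rules in (("as found", AS_FOUND), ("remediated", REMEDIATED)):
        print(name, find_violations(rules))
```

Run as a script, the as-found rule-set yields four offending flows (the corporate representative host and the jump host both reach the CDE on 80 and 443) and the remediated set yields none. The review tells you what the configuration claims; the on-site segmentation test, running the same probe list from a host actually sitting in the guest or corporate zone, confirms that the devices enforce it.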
For each assessment, a comprehensive report in two sections is produced. The first section is an executive summary written in plain English from a risk-based perspective, so that the business impact is clearly understood. The second section is a detailed analysis of the vulnerabilities identified, accompanied by clear remediation advice, and is aimed at the technical staff who will be fixing the issues.
Wireless Assessment
Wireless assessments are conducted on-site so that the assessor can reach the wireless networks. The assessment can cover the configuration and security of internal, approved wireless networks and of guest, third-party or internet-only wireless networks. It also identifies any unauthorised wireless devices at each location tested and determines the security status of the authorised wireless devices within the defined scope.
External Penetration Test
Web Application Penetration Test
Web application testing is conducted from the One Compliance secure datacentre and aims to identify application-layer vulnerabilities. Throughout the testing process the application is subject to both automated and manual tests, and the tester determines whether the application is susceptible to the Open Web Application Security Project (OWASP) Top 10 application vulnerabilities. Further testing is available for specialist areas, including the OWASP Mobile Top 10 and SANS, NIST or compliance-framework-based testing. The test can also be performed on internal web applications through a device installed on-site, which evaluates the application from an insider's perspective.
Mobile Application Tests
More and more companies are pushing out apps to their clients and staff for a multitude of reasons. These apps can pose a significant risk of data loss, and testing them regularly is essential to any security plan.
Among the areas reviewed, One Compliance tests password hashing, data storage and the use of cryptography. Mobile platform features such as the iOS Keychain, fingerprint and other biometric authentication, and the relevant APIs are also tested.
A vulnerability assessment is not as intensive as a penetration test, but it does collect the low-hanging fruit. A strong security management programme incorporates both frequent vulnerability assessments (weekly, monthly or quarterly) and less frequent penetration tests (quarterly or annually), depending on the size of your business and your specific goals.
Having a strong vulnerability management programme in place ensures that you are:
Aware sooner of vulnerabilities introduced into your network
Able to provide up-to-date management reports on progress
Able to feed the results into penetration testing, so the tester can skip the basics and go deeper, producing better results