Penetration Testing

Penetration testing goes further than a Vulnerability Assessment. Where a vulnerability assessment uses primarily automated tools to identify weaknesses in your environment, a penetration tester will actively attempt to exploit those weaknesses in order to gain further access to your critical system components.

  • Internal Penetration Test
    • Infrastructure penetration test
      The internal network-layer penetration test is typically conducted on-site. However, depending on the size and scale of the agreed scope, it could be conducted remotely through a device installed on-site, to which a consultant connects via a secure connection. Network layer penetration testing identifies weaknesses in the configuration of hosts and servers, and any security flaws due to missing patches or misconfigurations. Vulnerabilities are indexed by version 2 of the Common Vulnerability Scoring System (CVSS), or defined as “Information, Low, Medium, High or Critical” by the tester.
      • PCI DSS 11.3, 11.3.2, 11.3.3
    • Application penetration test
      Web application testing is conducted from the One Compliance secure datacentre and aims to identify application layer vulnerabilities. Throughout the testing process the application will be subject to both automated and manual tests, and the tester will determine if the application is susceptible to the Open Web Application Security Project (OWASP) top-10 list of application vulnerabilities, often referred to as the OWASP top 10. Further testing is available for specialist areas including the OWASP mobile top 10, SANS, NIST or compliance framework based testing. This test can also be completed for internal web applications through a device installed on-site. Our testers can then evaluate the web application from an insider’s perspective.
      • PCI DSS 11.3, 11.3.3
    • Network segmentation testing
      Network segmentation ensures that sensitive business functions are isolated from other areas of the network. Segmentation testing ensures that this isolation is effective and appropriate so the sensitive business functions remain confidential.
      • PCI DSS 11.3.4, 11.3.4.1
    • Wireless infrastructure test
      Wireless assessments must be conducted on-site, so that the assessor can access each of the wireless networks to be tested. The wireless assessment can cover internal, approved wireless network configuration and security; guest, third party or internet only wireless network configuration and security; identification of any unauthorised wireless devices at each location being tested; and determination of the security status of authorised wireless devices within the defined scope of the test.
      • PCI DSS 1.2.3, 2.1.1, 4.1.1, 11.1
  • External Penetration Test
    • Infrastructure penetration test
      • PCI DSS 11.3, 11.3.1, 11.3.3
    • Application penetration test
      • PCI DSS 6.6, 11.3, 11.3.3
  • System Configuration Review
    • Server configuration review
      System build reviews cover devices which are not networking components, e.g. servers, desktops, laptops, phones/tablets etc. The review will cover the hardware setup / configuration and then the operating system specifics that interact with that hardware.
      • PCI DSS 2.1, 2.1.1, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.3, 4.1, 4.1.1, 5.1.2, 6.2
    • Desktop/laptop configuration review
      System build reviews cover devices which are not networking components, e.g. servers, desktops, laptops, phones/tablets etc. The review will cover the hardware setup / configuration and then the operating system specifics that interact with that hardware.
      • PCI DSS 2.1, 2.1.1, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.3, 4.1, 4.1.1, 5.1.2, 6.2
    • Network device configuration review
      A network device configuration review is a formal review of the configuration of firewalls, routers and switches which are used to isolate and segment your network. The review covers the software levels of the devices, the general configuration and the implemented rule-sets, which are used to enforce proper segmentation between network security zones.
      • PCI DSS 1.2.1, 1.2.2, 1.2.3, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 2.1, 2.1.1, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.3, 4.1, 4.1.1, 5.1.2, 6.2

For each assessment, the consultant will provide a comprehensive report which is split into two sections. The first section provides an executive summary written in plain English. This is provided from a “risk based” perspective so the impacts are clearly understood. The second section provides detailed analysis of the vulnerabilities identified, accompanied by clear remediation advice, and is aimed at technical staff who will be remediating the issues.

Please contact us to arrange a discussion with one of our consultants.

Note: If you have not already conducted a vulnerability assessment, a penetration test is unlikely to provide the best value. Best industry practice is to first conduct a vulnerability assessment and remediate its findings, then conduct the penetration test.

Note: The PCI DSS and ISO27001 controls identified may only be partially covered by the services listed. The dependency is on the scope of the environment to be tested. If the scope is not properly defined, then any testing may not be appropriate.