Cybercrime and cyber espionage are continually threatening the security of IT systems, networks and applications. We read frequently of new vulnerabilities or the occurrence of large-scale information security breaches as attacks become more sophisticated. With numerous products available offering system protection against the growing number of threats, it can be difficult for stakeholders to choose which solutions will be most effective in raising the level of cybersecurity.
The Value of Penetration Testing
Penetration testing methodically tests the security of your IT infrastructure and its users. By controlled means it identifies and exploits network vulnerabilities to determine whether unauthorized access or malicious activity is possible. It typically includes network penetration testing and application security testing, both from outside the network, in an attempt to circumvent firewalls, and from within, to test, for example, the network segmentation policy.
A properly scoped penetration test will identify and assess security weaknesses and gaps and provide insight into what a business actually needs to most effectively protect itself before purchasing a specific security product. IT networks can never be made 100% secure due to the dynamic nature of the threat. However, an experienced, professionally certified penetration tester can expose gaps in security and assess and prioritize the actions to be taken to best protect your network and the information it contains from internal and external cyber threats.
Types of Penetration Test
Penetration tests may focus on different aspects of your information security process to provide a “health check” of that part or layer of the system under test. The tests below are the most common and are suitable for most companies, but are scoped and tailored to meet the requirements of your organization.
Advice can be given on the type and scope of tests most suitable for your organization based on the experience of professionally qualified IT Security Consultants who are certified by leading certification vendors within the IT security industry including SANS/GIAC, ISACA and ISC2.
Network Penetration Test
This test assesses the current security level of your network infrastructure and should be carried out on an annual basis. It includes both external and internal tests which identify and exploit possible vulnerabilities associated with, e.g., firewalls, VPNs, IPS/IDS, link layer protocols, router protocols, application layer network protocols and open ports.
Test of Servers and Clients
Servers and clients are some of the system components most often targeted by hackers and malware, which exploit issues such as missing security patches, insecure configurations or weak passwords. As these issues tend to be easily exploited, the number of successful attacks is relatively high. Areas included in this type of test are Patch Management, Password Policies, Audit Policies, User Rights Assignments and System Services, to name a few.
Web Applications Penetration Test
Web applications can be complex programs which almost certainly contain exploitable vulnerabilities. As such, they are preferred targets for attackers, to whom they may give access to sensitive company data or unauthorized access to user accounts. To mitigate this risk, tests are carried out according to the OWASP standard. They test process flows and security controls, covering SQL Injection, Authentication and Session Management, Security Misconfiguration, Cross-Site Scripting (XSS), Cross-Site Request Forgery, Missing Function Level Access Control, Unvalidated Redirects and Forwards and other issues, in an attempt to gain access to sensitive data or the network.
Social engineering covers the broad range of malicious activities executed through human interactions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information. It can involve targeting employees over the internet with phishing emails, or with phone calls that gain the victim's trust so that they subsequently reveal sensitive information or give access to critical resources.
A tailor-made training seminar can be offered for specific needs. It can cover, for example, broader issues such as how social engineering is used and how it can be prevented. It also covers specific issues such as:
- Phishing/Spear phishing email
- SMS phishing
- Dumpster diving
- Phone phishing
- Social media
- USB/Parking lot attacks.
IoT Penetration test
Security experts predict the number of internet connected things will grow to around 50 billion by 2020, exceeding the number of traditional computers on the internet. However, security is rather immature as the technology is relatively new. This means an attacker may be able to compromise and gain control of devices or infect devices with malware in order to target users or anyone interconnected on the internet. Insecure IoT devices may also be used as “jumping stones” to gain access to consumer or company networks where sensitive or personal data is typically located.
Vulnerability tests carried out to OWASP IoT Project standards will identify current vulnerabilities and provide a comprehensive assessment indexed to standards to help developers and administrators fix the vulnerabilities. These may include:
- Insecure Web Interface
- Insufficient Authentication/Authorization
- Lack of Transport Encryption
- Insecure Cloud or Mobile Interface
- Insufficient Security Configuration
- Insecure Software/Firmware
- Poor Physical Security
Penetration Test of Mobile Devices
The popularity of mobile devices such as tablets and smartphones in the workplace means that confidential company data no longer resides just on clients or servers within your company’s physical security perimeter. This data may be dispersed on dozens or thousands of mobile devices outside the company's physical security perimeter. In addition, network access to company resources is likely to be configured on these devices. Unfortunately, these devices are subject to being lost, stolen or hacked wirelessly, putting confidential company data and the internal network at risk.
Tests are carried out in accordance with OWASP Mobile Security Project standards and vulnerabilities found are indexed accordingly.
After these tests you will be able to gain control of mobile devices that are exploitable outside the company’s physical perimeter, as well as locate and fix vulnerabilities before they are exploited by hackers.