A lot of time and money goes into protecting business systems and information, but how do you know that your controls are effective and that your environment is secure?
A penetration test is essentially an authorised ‘ethical’ cyber-attack against your IT systems. It is designed to test how effectively your cyber security controls prevent the exploitation of vulnerabilities, using the same tools and techniques as actual cyber criminals.
Regular penetration testing has evolved into best practice as part of a comprehensive cybersecurity strategy, but it is also a regulatory requirement for many industries. With your authorisation, our team of cyber security experts will act as ‘cyber criminals’, testing the strength of your security. We will provide visibility of exploitable weaknesses and make tailored recommendations to help you address any security gaps.
Our cyber team has extensive experience delivering penetration testing options, be it on-premises, cloud or hybrid. We will design a test that’s right for your organisation’s operational context. Options include:
- internal penetration testing – infrastructure, wireless, systems and applications;
- external penetration testing – perimeter, infrastructure, access; and
- web application penetration testing – applications, websites, APIs.
We work with you to understand your penetration test objectives and create a tailored approach that provides visibility of your attack surface and, importantly, your current level of exposure. These options include:
- multi-vector penetration testing; and
- threat-led penetration testing.
External penetration test
We will act as an external attacker and use tactics, techniques and procedures used by attackers in an attempt to breach your public facing systems. This will identify exploitable vulnerabilities and open paths into your environment.
Internal penetration test
Typically, the target of a cyber-criminal is to gain access to your internal environment. In our experience, a determined and skilled attacker is likely to achieve this target. Through internal penetration testing we simulate the actions that an attacker is likely to take after they have gained access, to assess the effectiveness of the controls that prevent them from achieving their full objectives.
We craft specialised attacks against your web applications and programming interfaces to identify exploitable weaknesses that could be compromised by an attacker.
Multi-vector social engineering
Over 90% of cyber-attacks involve a human element. A social engineering test will help you assess and understand how susceptible your staff are to being manipulated by an attacker into performing unwanted actions that give access to information, credentials or your systems. Common attack methods could include email, phone, face to face, USB drops, and social media mining.
We will attempt to breach your physical security measures to gain access to your network and sensitive information. Common attack methods leverage social engineering techniques and your staff’s awareness and challenge culture.
Threat-led penetration testing
Our threat-led penetration testing is objective-oriented rather than scope-defined. This approach replicates all the stages of an attack lifecycle, with attack targeting and vector use driven by the intelligence that we gather through mapping your attack surface, performing open-source threat intelligence gathering and identifying the attack paths with the highest likelihood of success.
Why conduct a penetration test?
- Regulatory requirement and customer expectation
- Gain visibility of your risk and exposure
- Validate the effectiveness of your cyber security controls
- Understand your exposure to emerging threats
- Understand your investment requirements to manage cyber risk
Scoping a penetration test
Scoping a penetration test can be challenging. Our team of cyber experts will work with you to understand the needs and objectives of your organisation and tailor an approach that is right for you.
To find out more, please contact Stuart Leach or Richard Curtis.