Penetration Testing Services

Identify weaknesses and vulnerabilities before hackers or bots do.

What is Penetration Testing?

A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might.

 

Penetration testing should be viewed as a method for gaining assurance in your organisation’s vulnerability assessment and management processes, not as a primary method for identifying vulnerabilities.

 

A penetration test should be thought of as similar to a financial audit. Your finance team tracks expenditure and income day to day. An audit by an external group ensures that your internal team’s processes are sufficient.

A Full Service Approach

The Types of Pen Testing we offer

What should a penetration test tell you?

Typically, penetration tests are used to identify the level of technical risk emanating from software and hardware vulnerabilities. Exactly what techniques are used, what targets are allowed, how much knowledge of the system is given to the testers beforehand and how much knowledge of the test is given to system administrators can vary within the same test regime.

 

A well-scoped penetration test can give confidence that the products and security controls tested have been configured in accordance with good practice and that there are no common or publicly known vulnerabilities in the tested components at the time of the test.

Staying One Step Ahead

Why does your business need pen testing?

The most important times to perform a pen test are when:

You’ve recently made changes to your infrastructure
You’ve recently undergone a merger or acquisition
You’re looking to comply with Security Standards (see our Cyber Essentials Support)
You’re launching new services or applications
You’re bidding on new commercial contracts
You’ve not performed any Penetration Testing recently.

Using penetration testing effectively

A penetration test can only validate that your organisation’s IT systems are not vulnerable to known issues on the day of the test.

 

It’s not uncommon for a year or more to elapse between penetration tests. So, vulnerabilities could exist for long periods of time without you knowing about them if this is your only means of validating security.

 

Third-party penetration tests should be performed by qualified and experienced staff only. By their nature, penetration tests cannot be entirely procedural; an exhaustive set of test cases cannot be drawn up. Therefore, the quality of a penetration test is closely linked to the abilities of the penetration testers involved.

Governmental organisations should use companies that are part of the CHECK scheme. Non-Governmental organisations should use a provider in these certification schemes: CREST, Tiger Scheme, Cyber Essentials.


How often do you really need to Pen Test?

The standard recommendation is a yearly Penetration Test, due to the increasing number of threats and methods attackers have access to. However, it can be as often as monthly if circumstances require.

If you find yourself using Penetration Testing services with a high degree of regularity, we suggest you review the solutions available from RS22 in DAST (Dynamic Application Security Testing) and BAS (Breach & Attack Simulation). These solutions are continuous and prevent many common mistakes from occurring.

What is Vulnerability Scanning?

Vulnerability scanning is a broad term, used to describe the automated process of detecting defects in an organisation’s security program. This covers areas such as the patch management process, hardening procedures and the software development lifecycle (SDLC). Services or products that offer vulnerability scanning are also commonly known as vulnerability assessment systems (VASs).

 

As part of an effective vulnerability management programme (VMP), vulnerability scanning solutions can be an affordable way to automatically detect security issues within an organisation’s networks. However, the market for vulnerability scanning products and services covers many specialised areas and includes a broad range of options.

 


Standard Penetration vs Continuous Penetration Testing

There are some core differences between a standard Penetration Test, and Continuous Penetration Testing.

Standard Penetration

A standard Penetration Test is a review of your network at a single moment in time and provides comprehensive and detailed coverage of your current position. It uses both automated tools and human creativity and knowledge to review any and all methods of gaining access to your network. After this, you receive a report suggesting the changes you can make for maximum security value. However, any changes you make after this can cause new gaps to appear.

Continuous Penetration

Continuous Penetration Testing is automated software that prevents a user or team from publishing mistakes in configuration or coding that could be exploited by attackers at a later stage. See our page on BAS (Breach & Attack Simulation) and DAST (Dynamic Application Security Testing) for more information.

Common Security Vulnerabilities Identified in a Pen Test

Knowledge is power. And knowing where your weakest areas are allows you to improve them and become stronger in that area. Here is a list of the areas of discovery that your Penetration Test can provide.

The Core Stages of a Penetration Test


1. Scoping

Together we define the expectations of the Pen Test, such as the type of test, times and dates, and any other requirements. We agree on a price depending on your business circumstances and the amount of work involved; usually, it is evaluated on the number of days over which the Penetration Test will take place. This can be anywhere from 3 days to 4 weeks.

2. Order

You confirm that you’re happy with the agreement and authorise the relevant paperwork.

3. Testing

As each test is different, and many businesses use a pick-and-mix style of selection relative to their own needs, the testing takes place on the agreed days. You will ensure that our testers have access to the site on the required days, if you are seeking tests which require a physical tester.

4. Reports

Once the work is done, we generate the relevant reports and provide them to you. The reports come with a complete description of each identified issue, advice on how to remedy it and evidence of the issues wherever necessary.

5. Remediation

This bit is usually up to you. We’re happy to help should you require additional support or tools, but many agree that knowing what to do is half the battle and the other half is just getting on and plugging the gaps.

Frequently Asked Questions (FAQs)

As often as necessary. The more frequently you make changes to your infrastructure or services, the higher the probability that a gap can open up in your defences. Some businesses like to perform them on a regular basis, either monthly, quarterly or annually, depending on the number of changes they’ve implemented.

Depending on the size and scale of the business as well as the number of elements under scrutiny, a Penetration Test can take anything from a few days to three or four weeks. The testing process is only a portion of the total time required, as our agents will then generate the reports and evaluate the most suitable remediations for your business as a unique entity.

This varies considerably and is best when discussed directly with a representative. Your quote will depend on the size of your network, the type of testing package you opt for, the required number of days and the number of days required to generate the reports. The question you should ask yourself is “How much would it cost my business to be the target of a successful malicious cyber-attack?” and work backwards from there.

Yes, some parts of a penetration test can be performed remotely. However, some forms of attack may occur on the business premises; to assess and measure these vulnerabilities, an onsite assessment may be required.

We generate the reports which include the issues discovered, the remediation advice to help resolve those issues and the evidence of the potential impact of those issues wherever necessary.

The Pentest is performed by one of our CREST accredited partners.

Reliable. Secure.

RS22

Unit 5, Three Spires House, Station Road, Lichfield, Staffordshire. WS13 6HX
