- Phone: 0121 389 9022
- Email: sales@rs22.co.uk
penetration testing services
Identify weaknesses and vulnerabilities before hackers or bots do.
What is Penetration Testing?
A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might.
Penetration testing should be viewed as a method for gaining assurance in your organisation’s vulnerability assessment and management processes, not as a primary method for identifying vulnerabilities.
A penetration test should be thought of as similar to a financial audit. Your finance team tracks expenditure and income day to day. An audit by an external group ensures that your internal team’s processes are sufficient.
The Types of Penetration Testing we offer
In Phishing, targeted attacks are made to a user’s Email and Phone system. In a Phishing Assessment, these targeted attacks are made in much the same way as one might expect to find them in the real world, but they originate from a trusted source in a safe environment. This means that you can detect who of your colleagues needs training in order to recognize a phishing attack so that you can prevent a real breach.
This is performed on-site. A member of our team would attempt to exploit vulnerabilities within any of the wireless networks used by your organization. If successful, an attacker may be able to gain access to your internal network, gathering additional means of extracting information or even being able to gain direct access to sensitive material. The results of the Wireless Security Assessment are then shared with you, and steps to remedy the situation are suggested.
Remote access solutions, such as VPNs are used by organisations to provide staff remote access to the network. However, this added flexibility of remote services is exploited by attackers who generate lists of common usernames and passwords, seeking entry to your network. Due to the recent influx of remote workers, this is a highly important aspect to consider in today’s IT Security Landscape. By using automated and manual tools, our team of Penetration Testers identify vulnerabilities and provide you with a suitable remediation plan to make your remote access solutions more secure.
In the IT Security world, Social Engineering is when people directly pose to be someone other than they are. They use uncertainty within staff as an advantage to gain access to sensitive information, such as passwords or usernames, or even direct access to your machines, which can then be used in turn as a stepping-stone to even more sensitive data. In this test, your staff may directly be tested in their responsiveness to unknown individuals attempting to physically enter a site.
As the names imply, an internal assessment evaluates the security of your company’s Internal Networks, used solely by staff or other employees, whereas an external assessment focuses on the external networks that are available to the general public. An external test centers it’s search around the infrastructure that hosts your website and applications, rather than the applications themselves.
An application assessment targets the common vulnerabilities in traditional web applications. Attackers often exploit these vulnerabilities to gain access to personal user information or deface a website and cause general disruption or denial of service (DDoS Attacks). For compliance purposes, all organisations require a Web Application Penetration Test.
An Application Programming Interface (API) Test is centered upon the attacks that can be made directly through the internet. Targeting beyond the front end.
What should a penetration test tell you?
Typically, penetration tests are used to identify the level of technical risk emanating from software and hardware vulnerabilities. Exactly what techniques are used, what targets are allowed, how much knowledge of the system is given to the testers beforehand and how much knowledge of the test is given to system administrators can vary within the same test regime.
A well scoped penetration test can give confidence that the products and security controls tested have been configured in accordance with good practice and that there are no common or publicly known vulnerabilities in the tested components, at the time of the test.
Why does your business need penetration testing?
The most important times to perform a penetration test are when:
Using penetration testing effectively
A penetration test can only validate that your organisation’s IT systems are not vulnerable to known issues on the day of the test.
It’s not uncommon for a year or more to elapse between penetration tests. So, vulnerabilities could exist for long periods of time without you knowing about them if this is your only means of validating security.
Third-party penetration tests should be performed by qualified and experienced staff only. By their nature, penetration tests cannot be entirely procedural, an exhaustive set of test cases cannot be drawn up. Therefore, the quality of a penetration test is closely linked to the abilities of the penetration testers involved.
Governmental organisations should use companies that are part of the CHECK scheme. Non-Governmental organisations should use a provider in these certification schemes CREST, Tiger Scheme, Cyber Essentials.
How often do you really need to Penetration Test?
The standard recommendation for a Penetration Test is yearly due to the increasing number of threats and methods attackers have access to, however, it can be as often as monthly if circumstances require.
If you find yourself using Penetration Testing services with a high degree of regularity, we suggest you review the solutions available from RS22 in DAST (Dynamic Application Security Testing) and BAS (Breach & Attach Simulation). These solutions are continuous and prevent many common mistakes occurring.
What is Vulnerability scanning
Vulnerability scanning is a broad term, used to describe the automated process of detecting defects in an organisation’s security program. This covers areas such as the patch management process, hardening procedures and the software development lifecycle (SDLC). Services or products that offer vulnerability scanning are also commonly known as vulnerability assessment systems (VASs).
As part of an effective vulnerability management programme (VMP), vulnerability scanning solutions can be an affordable way to automatically detect security issues within an organisation’s networks. However, the market for vulnerability scanning products and services covers many specialised areas and includes a broad range of options.
Vulnerability scanning is a broad term, used to describe the automated process of detecting defects in an organisation’s security program. This covers areas such as the patch management process, hardening procedures and the software development lifecycle.
Standard Penetration vs Continuous Penetration Testing
There are some core differences between a standard Penetration Test, and Continuous Penetration Testing.
Standard Penetration
A standard Penetration Test is a review of your network at a single moment in time and provides comprehensive and detailed coverage of your current position. It uses both automated and human creativity and knowledge to review any and all methods to gain access to your network. After this, you receive a report suggesting the changes you can make for maximum security value. However, any changes you make after this can cause new gaps to appear.
Continuous Penetration
Continuous Penetration Testing is an automated software that prevents a user or team from publishing mistakes in configuration or coding that could be exploited by attackers at a later stage. See our page on BAS (Breach & Attack Simulation) and DAST (Dynamic Application Security Testing) for more information.
Common Security Vulnerabilities Identified in a Penetration Test
Knowledge is power. And knowing where your weakest areas are allows you to improve them and become stronger in that area. Here is a list of the areas of discovery that your Penetration Test can provide.
- Configuration: simply put this is the human error test. You will be able to see what doors and windows you’ve left open that can be taken advantage of by malicious agents.
- Encryption: This is to make sure that you’re using encryption methods to prevent data in transit from being tampered with or targets for eavesdropping.
- Programming: This examines software source code to detect flaws that could lead to data exposure.
- Session Management: Testing to determine if cookies and tokens can be exploited to hijack sessions and use this as a stepping stone to escalate privileges and access.
The Core Stages of a Penetration Test
Knowledge is power. And knowing where your weakest areas are allows you to improve them and become stronger in that area. Here is a list of the areas of discovery that your Penetration Test can provide.
1. Scoping
Together we define the expectations of the Penetration Test such as type of test, times & dates and other requirements that will be necessary. We agree on a price depending on your business circumstances and the amount of work involved, usually, it is evaluated on the number of days over which the Penetration Test will take place. This can be anywhere from 3 days to 4 weeks.
2. Order
You confirm that you’re happy with the agreement and authorise the relevant paperwork.
3. Testing
As each test is different, and many businesses use a pick-and-mix style of selection relative to their own needs, the testing takes place on the agreed days. You will ensure that our testers have access to the site on the required days, if you are seeking tests which require a physical tester.
4. Reports
Once the work is done, we generate the relevant reports and provide them to you.. The reports we generate will come with a complete description of each identified issue, advice on how to remedy them and evidence of the issues wherever necessary.
5. Remediation
This bit is usually up to you. We’re happy to help should you require additional support or tools, but many agree that knowing what to do is half the battle and the other half is just getting on and plugging the gaps.
Frequently Asked Questions (FAQs)
As often as necessary. The more frequently you make changes to your infrastructure or services, the more probability there is that a gap can open up in your defences. Some businesses like to perform them on a regular basis either monthly, quarterly or annually depending on the number of changes they’ve implemented.
Depending on the size and scale of the business as well as the number of elements under scrutiny, a Penetration Test can take anything from a few days to three or four weeks. The testing process is only a portion of the total time required, as our agents will then generate the reports and evaluate the most suitable remediations for your business as a unique entity.
This varies considerably and is best when discussed directly with a representative. Your quote will depend on the size of your network, the type of testing package you opt for, the required number of days and the number of days required to generate the reports. The question you should ask yourself is “How much would it cost my business to be the target of a successful malicious cyber-attack?” and work backwards from there.
Yes, some parts of a penetration test can be performed remotely. However, some form of attacks may occur on the business premises – to assess and measure these vulnerabilities, an onsite assessment may be required.
We generate the reports which include the issues discovered, the remediation advice to help resolve those issues and the evidence of the potential impact of those issues wherever necessary.
The Pentest is performed by one of our CREST accredited partners.
Related Services
Reliable. Secure.
RS22
Unit 5, Three Spires House, Station Road, Lichfield, Staffordshire. WS13 6HX