Penetration testing is when an authorised person is invited to check your system for a way to get in. It can be done in a number of ways depending on the requirement of the recipient of the test. It is now becoming more common to have penetration (or pen) testing done as part of the compliance for insurance, as well as accreditations such as Cyber Essentials or ISO 27001.
We offer low level penetration testing of your computers network, website and associated systems, to find vulnerabilities which could be infiltrated by a 3rd party or malicious source. If we find anything we will report it back, so these ‘holes’ can be fixed.
There are various methods we can employ to try and ˜hack" your system. From Social Engineering your staff to finding flaws in your network or attempting to add strange code to your website. We do not claim to be able to break in to everything we see, nor do we think we are best at doing this. It is a very specialist field in which we ourselves can only cover certain areas, so we do source other ˜Ethical Hackers" or Pen Testers to do the parts we probably can only dream of. This of course will be scoped and quoted for depending on the situation and requirement.
Levels of Testing
- Social Engineering
- Physical Security
- Website Testing
- Wireless and Infrastructure
- Firewall and External Access Testing
- Insider Vulnerability Tests
- Database Testing
- Malware and Ransomware Simulations
A black box attack is a simulation carried out without any prior knowledge of the site or business. This is the same type of method which will be usually carried out by an external illegitimate hacker. It will involve finding a target, scanning it for vulnerabilities before trying to break in and exploiting anything that can be found on the system within. The attack may also include brute forcing of passwords, and breaking of functions, without much regard for the business€™s functional welfare or data. Most black box attacks are carried out at night time, so alarm bells are not triggered during normal operational hours, and therefore the process stopped.
A white box test is when the person performing the test knows more about or everything about the company involved. This will be done by request of the company involved and performed legitimately. Generally, it would be performed with the system administrator\'s credentials, and so will have full access to all areas. This is sometimes not deemed a true penetration test, as it does not show what is available from the outside of the organisation.
Grey box testing is what we generally do if we were to do a test on your system. As the name would imply, it is a cross between the two other types. For starters, we can do nothing without explicit permission to do so, but as outsiders we would have to gather the information together by other means, either by what is publicly available, openly given to us or by exploitation, such as Social Engineering, Phishing, or Vishing, as well as finding externally vulnerable points of attack which we might be able to use.
Before we begin
Before we can perform any amount of testing on your system we require, by law, a signed contract to allow us to carry out the analysis or data capture involved. We will meet up with you to discuss what you need out of the test, whether it be just to see if you are vulnerable to an outside attack, for insurance purposes or quite simply for staff training. Once the contract is signed we can then start work on planning the test.
What is required from you
Depending on what sort of attack we are performing, would depend on the requirements from you or your technical team. This will be of course discussed in the initial meeting.
**** General Disclaimer ****
We do not keep or transfer information on to any third party, as part of, during or after a penetration test, unless otherwise requested by the business owner, or a qualifying third party, such as the police or insurance companies. All of our tests are designed to be non-intrusive to the network or systems as a whole, however as part of the demonstration, systems can sometimes slow certain functions down. If such is the case, out of hours testing may be more appropriate and you are perfectly within your rights to request that we stop at any time. Any exploitation or vulnerabilities found within your system will not be divulged to any third party with which they can be used against you or us, in a malicious attack or for financial gain, beyond the realms¿½the contract put in place by ourselves. Attacks to your systems, network and business as carried out by us are purely for demonstration purposes and are in no way harmful or detrimental to either party, persons or the live data. We recommend that a full and complete backup of your data and infrastructure devices be carried out before any penetration testing is done, as we can cannot be held responsible for any data loss.