15 January 2018

No organisation is immune from cyber-attack, so it is important to regularly test your IT Infrastructure for vulnerabilities before they are exploited maliciously.

 

With the tactics used my cybercriminals constantly evolving, the importance of regular cyber security assessment cannot be overstated. Penetration testing allows you to test your business’ cyber defences against the latest hacking tools, tactics and procedures to identify vulnerabilities and address them in a timely fashion.

Did you know? Nearly two thirds of breaches involve hacking 
Verizon, 2017 Data Breach Investigations Report

 

Finding vulnerabilities before the bad guys

 

As the attack surface grows, and cyber threats increase in both volume and sophistication, it is essential to possess a comprehensive understanding of your organisation’s cyber security posture. Undertaking regular assessment of security controls for potential vulnerabilities forms a key part of this.

A penetration test (pen test) is an assessment performed by a team of ethical security professionals and is designed to help identify, safely exploit, and remediate vulnerabilities that exist across networks, infrastructure, websites, applications, and more.

The ethical hackers commissioned to perform a pen test utilise same the tools, techniques and procedures as genuine black hat attackers, helping them to identify a broad range of common and complex vulnerabilities, including:

  • Insecure setup or configuration of networks, hosts and devices
  • Flaws in authentication and session management
  • Input validation errors
  • Information leakage
  • Out-of-date software and applications

 

Detecting hidden weaknesses

 

Pen tests are often confused with vulnerability assessments, so it is important to understand the difference between the two before commissioning a provider to perform one.

While a vulnerability scan is an automated test that uses off-the-shelf scanning tools to search for common vulnerabilities, a pen test is much broader in scope, utilising a combination of machine and human-led intelligence to identify and, crucially, exploit gaps in defences.

Internal and external penetration testing can take a variety of forms – from web application and mobile application tests to network, build and configuration reviews. The scope of each test is agreed prior to testing, so all engagements can be tailored to fulfil custom requirements.

By eliminating vulnerabilities that evade automated assessments, and providing the advice needed to remediate issues, penetration testing enables organisations to better understand and significantly reduce cyber security risk.

 

A comprehensive security assessment

 

The time it takes for an ethical hacker to complete a penetration test depends upon the scope of the assessment but can be as short as a day or two. Variables can include size of network, whether testing is performed remotely or on-site, and the number of IPs, applications and services to be assessed.

For efficiency, system information, such as network details and passwords, can either be shared with the testing team in advance of the test (known as whitebox testing), or for a lengthier but more authentic testing experience, withheld (blackbox testing).

Tests can also be tailored to meet complex regulatory requirements, including those outlined in the GDPR, and reporting can also be tailored for PCI-DSS or SWIFT CSP compliance.

The reporting and remediation phase is a crucial stage in the pen test process, and organisations should look for a penetration testing company that allocates the necessary resources to write up a full report and supply the remediation guidance necessary to address all identified vulnerabilities and help channel future security investments.

 

Why choose Redscan for pen testing?

As an award-winning provider of penetration testing services, Redscan is well placed to help your organisation significantly reduce its cyber security risk. By working closely with your in-house team to understand your security needs, our CREST and OSCE accredited ethical hackers provide the outputs need to facilitate instant security improvements. All our ethical hacking engagements are strictly client confidential and designed to avoid disruption to business operations.

Scheduling a test with our security consultants is quick and easy. We’ll help guide you through the scoping process and produce a clear, no obligation quotation for sign off.

Learn more about our penetration testing services

 

Read more:

Why your business’ cyber security risk is increasing

Key reasons to outsource your cyber security in 2018

10 ways to strengthen your organisation’s cyber security in 2018

 

back to all posts