Practice makes perfect, and in cyber/information security that practice comes in the form of penetration testing.
Practice makes perfect, and in cyber/information security that practice comes in the form of penetration testing (pen testing)
A pen test is a simulated cyber-attack against your systems, designed to highlight vulnerabilities that could be exploited. At Stratigence our pen tests range from general vulnerability scans to targeted, system-specific attacks, and can be used to evaluate the security of a range of systems and technologies, including:
- Web applications
- Cloud services
- Network and infrastructure
- Operating systems
Our approach to pen testing is as follows:
Step 1: Initial consultation
During the preliminary consultation we will assess your pen testing requirements, before advising on likely timeframes and costs.
Step 2: Create a test plan
Why are we pen testing, what are we testing, and how are we testing it? The security test plan will outline the answers to these questions, and confirm the approach, schedule, scope and types of tests that will be performed.
Step 3: Gather information
While other companies will perform blind testing, our experience tells us that gathering information both accelerates the process and makes for better results. We gather information in two ways:
- From you: We inspect the high-level architecture of the in-scope systems and services.
- From open sources: We see whether any confidential data can be obtained through public resources.
Step 4: Conduct the test
- The test approach: We utilise a combination of automated and manual tests, much of which can be conducted remotely, but some of which may require site access (particularly internal network testing.)
- The test execution: All tests are executed as per the security test plan. If the testing reveals any critical vulnerabilities, the appropriate contact will be informed immediately.
- Exploitation: While the broad aim of pen testing is to identify vulnerabilities, you’ll sometimes want to know whether those vulnerabilities can be exploited, and to what degree. We can exploit a vulnerability on request to highlight the potential damage such an event could cause.
Step 5: Deliver report/recommendations
Once testing is complete, you’ll be given the security test plan and a penetration test report – a comprehensive summary that outlines each of the vulnerabilities discovered, as well as an overall risk rating. Remediation advice will be offered for each vulnerability.
Step 6: Follow up
Threats change, your systems change, and thus your vulnerabilities will be in a constant state of flux. Now that we are familiar with your systems, we can quickly refine and re-execute pen testing on a regular basis to ensure you stay protected.