The goal of penetration testing is to examine the possibilities of accessing key elements within your company.
In order to simulate a real attack, the testing takes place without knowledge of the infrastructure and without cooperation from employees. The testing can be limited, but we don’t recommend it. Hackers don’t set limits for themselves either! :-)
Why Use Manual and Semi-Manual Penetration Tests?
Every day, hackers use a slew of tools to actively test the security of applications and system components of various internet services. One way to avoid an unfortunate security breach is to think like them and test infrastructure using their own methods. These penetration tests find the weak points in your systems and applications.
Unlike the automated scans that a number of other companies use for their lower costs, penetration tests reveal the actual effects of the discovered vulnerabilities. This can come from finding logical errors in the application or system configuration, or a combination of vulnerabilities, that scanners cannot uncover.
A manual approach is also harder to detect and better reflects the appearance of a (potentially successful) real attack. Regular penetration tests are also part of the PCI-DSS security standard that must be maintained when working with payment cards.
Penetration Testing Areas:
Social engineering attacks that leverage human actions and corporate processes
Web application testing
External testing of network infrastructure and services offered
A penetration test of wireless networks
We can also expand the test to audit mobile applications, your infrastructure’s resistance to (D)DoS attacks, and a web application stress test. We chiefly recommend testing resistance to (D)DoS attacks when your company has some form of (D)DoS security that you want to check.
Full-Scope Penetration Tests
Overall security always corresponds to the level of technical security combined with the human factor. Various social engineering schemes are usually employed to make real attacks easier. Employees therefore need to know about these possible scenarios and how to react to them appropriately.
For a complete picture of your security situation, penetration tests should also include:
An analysis and testing of specific “weak points” in terms of probable vectors of attack (e.g. malware delivered to the HR department as a resume, invoices, offers, etc.)
Launching and evaluating company-wide phishing campaigns (e.g. in emails, phone calls, etc.)
Checking the security of physical access to corporate spaces
Evaluating the risks of using internal corporate infrastructure
Training employees according to your needs
The specific parameters of the test are always agreed to with clients ahead of time according to their needs.
Testing Methodologies Used:
Penetration Test Results
A detailed report about all vulnerabilities discovered comes with all tests performed, including:
A summary of vulnerabilities listed according to the severity of the risks posed, which helps set priorities when repairing the deficiencies
An executive summary of the penetration test results, including a listing of the discovered vulnerabilities with the biggest potential effect on your company according to the previously agreed goals, and key recommendations for their repair
A detailed technical analysis of all identified vulnerabilities and recommendations for technical experts to effectively implement countermeasures