Penetration Testing from SMARTSEC
CREST ACCREDITED PENETRATION TESTING
Penetration testing is a simulated real world attack on networks, systems and applications. The aim is to identify vulnerabilities and weaknesses that could be abused by malicious threat actors internally or externally. Often a Penetration Testing is also known as a Pen Test or a Security Test or even ethical hacking.
SMARTSEC is able to provide the appropriate context around identified vulnerabilities, the impact of those vulnerabilities along with the threat and likelihood of a breach occurring allowing your business to make the most appropriate decisions.
Penetration Testing Process
SMARTSEC follow robust methodologies during all of our Penetration Testing engagements. Although all our Penetration Tests are tailored to our client needs we use appropriate methodologies for breadth and depth of testing and to ensure consistency.
SCOPING
A chance to understand the details/intricacies of the engagement.
Identification
Identifying the details of running services and attack points.
Exploitation
Exploitation of identified vulnerabilities or other flaws
Reporting
Clear concise reporting with appropriate context and risk identification
Enumeration
Understanding the target environment
Analysis
The analysis of any vulnerabilities identified
Pivot
Pivot to other end-points within the environment
Debrief
On hand to debrief the report and walk through findings and recommendations
External Penetration Testing
External testing is conducted over the internet and typically is the most cost-effective route for most organisations. Most organisations have a variety of applications, API's services and infrastructure exposed publicly. An external Penetration Test is designed to determine whether or not an external threat actor is able to exploit any of those exposes services.
Internal Penetration Testing
Typically used for when an organisation wants to test what an internal attacker could potentially gain access to. The Penetration Tester will be given access to a device that is connected to the internal network, they will try to exploit and navigate their ay through the network to try and exfiltrate sensitive data, or access critical systems. Systems, Internal applications and Wifi can all be targeted during internal Penetration Testing.
Types of Penetration Testing Strategies
Black Box Testing
A Blackbox test is from the perspective of an external attacker. No information is given to the Penetration Tester. This is considered the most authentic type of engagement as it purely mimics an external adversary, however, it is also bears the most cost for the business.
Grey Box Testing
A balance of both, only limited information is provided, this could be in the way of login credentials for example. A grey box test sits nicely for breadth and depth and can be used to simulate both internal and external attack vectors. It is less costlier than an Black box test.
White Box Testing
A white box test is where all information is divulges to the Penetration tester. This is the most cost-effective type of Penetration Test and provides the most value - for example with upfront knowledge the tester can simulate many attack vectors total breadth and depth coverage.