
Penetration Testing from SMARTSEC

CREST ACCREDITED PENETRATION TESTING

Penetration testing is a simulated real-world attack on networks, systems and applications. The aim is to identify vulnerabilities and weaknesses that could be abused by malicious threat actors internally or externally. Penetration testing is often also known as a pen test, a security test or even ethical hacking.

 

SMARTSEC is able to provide the appropriate context around identified vulnerabilities and the impact of those vulnerabilities, along with the threat and likelihood of a breach occurring, allowing your business to make the most appropriate decisions.


Penetration Testing Process

SMARTSEC follows robust methodologies during all of our penetration testing engagements. Although all our penetration tests are tailored to our clients' needs, we use appropriate methodologies for breadth and depth of testing and to ensure consistency.

Scoping

A chance to understand the details/intricacies of the engagement.

Identification

Identifying the details of running services and attack points.

Exploitation

Exploitation of identified vulnerabilities or other flaws.

Reporting

Clear, concise reporting with appropriate context and risk identification.

Enumeration

Understanding the target environment.

Analysis

The analysis of any vulnerabilities identified.

Pivot

Pivot to other endpoints within the environment.

Debrief

On hand to debrief the report and walk through findings and recommendations.

External Penetration Testing

External testing is conducted over the internet and is typically the most cost-effective route for most organisations. Most organisations have a variety of applications, APIs, services and infrastructure exposed publicly. An external penetration test is designed to determine whether or not an external threat actor is able to exploit any of those exposed services.

Internal Penetration Testing

Internal testing is typically used when an organisation wants to test what an internal attacker could potentially gain access to. The penetration tester is given access to a device that is connected to the internal network and will try to exploit and navigate their way through the network to exfiltrate sensitive data or access critical systems. Systems, internal applications and Wi-Fi can all be targeted during internal penetration testing.

Types of Penetration Testing Strategies

Black Box Testing

A black box test is from the perspective of an external attacker. No information is given to the penetration tester. This is considered the most authentic type of engagement as it purely mimics an external adversary; however, it also bears the most cost for the business.

Grey Box Testing

A balance of both: only limited information is provided, for example login credentials. A grey box test sits nicely for breadth and depth and can be used to simulate both internal and external attack vectors. It is less costly than a black box test.

White Box Testing

A white box test is where all information is divulged to the penetration tester. This is the most cost-effective type of penetration test and provides the most value: for example, with upfront knowledge the tester can simulate many attack vectors with total breadth and depth coverage.

Contact us today to see how we can help your business.