In a nutshell, a penetration test otherwise known as a “pen test”, is a way of testing your organisation’s security posture. Penetration testing simulates an attack on your systems using real world tactics, techniques and practices in order to discover any vulnerabilities before the bad guys do. Pen testing answers the question:
“Can a hacker gain access to my system, and if so, how would they go about doing it and how easy is it?”
Penetration testing — tests your infrastructure, network devices, web applications, Internet of Things (IoT) devices, and/or human personnel through the eyes of both a malicious threat actor or hacker and an experienced cyber security expert to discover vulnerabilities that can be exploited and identify areas where your security posture can be improved.
When we have completed our testing we provide you with a report of what we did and what we found. If we identify any vulnerabilities we explain what they are, show you what we did to exploit them and provide you with pragmatic recommendations to correct each one.
CyberRisk performs the following types of penetration testing:
Application penetration testing — Identifies application layer flaws such as Cross Site Request Forgery, Cross Site Scripting, Injection Flaws, Weak Session Management, Insecure Direct Object References and more.
Infrastructure penetration testing — Focuses on identifying network and operating system level flaws including misconfigurations, software vulnerabilities, unnecessary services, weak or default passwords and use of insecure protocols.
Wireless penetration testing — Wireless networks are vital for providing employees with mobile access to systems and data, but they also can also act as an entry point for hackers. We check your wireless network for rogue access points, poor encryption algorithms, default setups, WPA bruteforce and packet injection weaknesses and key vulnerabilities.
IoT penetration testing — We identify hardware and software flaws with Internet of Things devices including weak or default passwords, insecure protocols, poorly secured application programming interfaces and misconfigurations .
Social Engineering — Our team will attempt to manipulate and trick your team members into providing unauthorised access to confidential information and/or physical access to what should be restricted locations, including tactics like authority disguises, employee impersonation, USB drops, phishing, and other common methods.
Our comprehensive penetration testing methodology follows a number of steps, ensuring that we perform our work to the highest standard and provide you with the best value for money. Typically, the steps we perform are:
- Information Gathering — perform reconnaissance against the target(s)
- Vulnerability Analysis — discover flaws in systems and applications using a combination of automated tools and manual checks. We use both commercially available tools and our own internally developed techniques
- Exploitation — simulating a real-world attack we attempt to exploit any vulnerabilities we have discovered
- Post-Exploitation — what can an attacker do next? What’s their next target?
- Reporting — Explaining what we did and how we did it. We provide you with a comprehensive report of the vulnerabilities we identified and recommendations to mitigate any risk
Contact us to discuss your penetration testing requirements.