> PENETRATION TESTING

The concept of cyber security is completely foreign to many. Especially at a business level, it’s amazing how many businesses still do not have sufficient security solutions on both their network and endpoints. Too often we hear from customers when it’s too late. Cyber security should not be a reaction, but rather a proactive measure to prevent any potential breach. A bit of investment beforehand can save a lot of money in the long run, especially if you are holding any sensitive information on your network.

Also known as ethical hacking, penetration testing or ‘pen testing’ is the process of probing a network to discover vulnerabilities in network security or outdated software that a malicious party could exploit. Using a variety of specialised tools and techniques, the tester is able to examine the network from different positions of attack, in order to determine whether or not there is a reasonable level of security. The harder it is for somebody with malicious intent to penetrate your defences, the more likely they are to move on to the next target.

JARGON BUSTER! There are many terms and acronyms surrounding cyber security that can make the whole topic overwhelming. Below we’ve assembled a few of the most common terms, and explained them as simply as possible!

> PROFILES OF HACKER

An ‘ethical hack.’ The tester has been given permission and only hacks for the purpose of good.

May hack for the purpose of good but without permission. The most commonly found hackers on the internet. They don’t tend to hack for personal gain, although they may sometimes extort a business if a significant vulnerability is found.

Hacking for malicious purposes, also known as ‘crackers.’

Hacks motivated by social or political agendas.

Generally hackers are quite careful to cover their tracks to avoid being detected or traced. Suicide hackers do not care about this and only care about causing as much damage as possible before they are stopped, with no fear of the consequences.

No real knowledge of what they’re doing. Running already built malware and malicious scripts in order to hack, without the skills to develop their own exploits.

> TYPES OF ATTACK

A piece of malware including a backdoor that allows the attacker remote access to the target machine, usually activated as an email attachment.

Code injection technique that allows an attacker to edit entries in a SQL database to produce different outcomes, such as denial of service, or even altering the price of a product within an online store.

XSS (cross-site scripting) is a web application attack that involves injecting client-side scripts into web pages, which then run on the machines visiting the website.

ARP (address resolution protocol) poisoning involves attackers sending lots of bogus ARP requests to networking equipment in order to trick it into thinking their device is the gateway for all traffic into and out of the network. This allows attackers to intercept all traffic in and out of the network, potentially “sniffing” out any unencrypted credentials.

Privilege escalation is an exploit whereby an attacker with a lower-level user account gains higher-level privileges on a system. This allows them to carry out potentially damaging actions that they wouldn’t normally have permission to do.

The process of going through the waste of a company or individual in order to find personal/confidential information that’s useful to the attacker.

> PEN TEST CATEGORIES

The tester has full knowledge of the network and access to all systems. More comprehensive, as it allows a 'behind the scenes' look that an outside attacker would not have access to.

The tester has 'some' knowledge of the network or application they're testing. Sometimes referred to as 'translucent' testing.

Most comparable to a real-life hack, in that no details are revealed to the tester prior to beginning the test.

> PEN TEST TEAMS

A red team is a group of white hat hackers that work to penetrate the target systems simulating an actual attack.

A blue team is an internal group of security professionals attempting to prevent the red team (or real life hackers) from penetrating the defences.

The purple team was born from trying to reconcile the red and blue teams. A purple team is a traditional red and blue team working closely together in order to maximise cyber defences via constant communication of potential issues.

> OUR SERVICES

Unfortunately, when it comes to cyber security, there is no 'silver bullet.' However, penetration testing is a very good place to start when it comes to reassurance with regards to the level of cyber security you're currently employing. See below for the penetration testing options we offer.

NETWORK PEN TEST

Network – the most common attack vector and the most frequently undertaken pen test. This probes your network infrastructure for vulnerabilities or weaknesses. It can be undertaken on site, remotely, or as a combination of the two (recommended). Common tests would involve firewall scanning, bypassing, configuration testing and DNS zone transfers. Common targets would include SSH, SQL, mail servers, FTP servers etc.

WEB APPLICATION PEN TEST

Testing web-based applications for any vulnerabilities. This is much more in-depth, testing components such as Java, ActiveX, APIs etc. Tests take quite a long time and require more in-depth knowledge from the tester. Common attacks would be SQL injection or cross-site scripting.

WIRELESS PEN TEST

Tests the security of the wireless network. Tests for weak keys and out-of-date protocols. Will test all devices attached to the network including smartphones, tablets and laptops, as well as any other wireless devices such as CCTV cameras etc. This will always be undertaken at the customer site, as the tester needs to be in range of the wireless signal.

SOCIAL ENGINEERING PEN TEST

This is where the tester poses as someone else in order to gain valuable information directly from employees. This can be done via remote means such as phishing emails or telephone calls, or on site by way of face-to-face communication or dumpster diving.

> CONTACT US

For further information regarding our penetration testing services, talk to us on the live chat, or fill in the below form and we'll get back to you ASAP!