What is penetration testing?
Penetration testing is a simulated cyber attack designed to exploit the vulnerabilities of a network by replicating malicious activities. This is undertaken in a safe and controlled environment to monitor activity.
This involves our team visiting your site, plugging into your network and attempting to access systems we shouldn’t be able to. This replicates what would happen if a malicious party got access to your systems via an external breach and then attempted to access your internal systems. It also demonstrates what would be possible for a malicious employee to achieve. In addition, if an internal employee’s account were compromised, e.g. via social engineering, it would show the level of damage that a malicious party could achieve with the compromised account.
From a remote external location, we attempt to access your internal systems via the internet, replicating the activities of a malicious hacker. We attempt to access via systems such as your mail server, virtual private network, firewall and any other system you have which faces the public internet.
We attempt to compromise your web application from a remote external location, e.g. identifying if we can access data we shouldn’t, which sits behind your website in databases. In addition, we try to install rogue code on your web server, which we shouldn’t be able to. We also try to take control of the server hosting the website, which could give us the ability to delete or copy the entire site and all the data.
Do you need a system penetration test?
Malicious hackers are continually trying to breach your systems to obtain personal and private data or intellectual property, or to lock your systems and data using ransomware. Sometimes you may be aware you have been breached because the attack is obvious and widespread. But sometimes, you may have no idea until your clients or law enforcement inform you.
Breaches result in large financial loss through disruption to business, lawsuits being filed against you, loss of clients or large fines from regulatory bodies, not to mention damage to your reputation and thus future business. You need to know where to focus your efforts and funds to most effectively fortify your defences. This is the purpose of system penetration testing.
We set up as penetration testers with a simple goal: to discuss the vulnerabilities we find within the context of your business. When we finish penetration testing your systems, we don’t just hand you a report and walk away. Instead, we meet and discuss the issues identified, look at how your infrastructure operates, and together with your IT team and developers, build a plan for fixing the issues, prioritising those that are the most devastating but have simple remedies.
We also work a little differently in our testing methods. We are academics and practitioners, so when we are not testing, we are researching vulnerabilities in our specialist labs. We examine not only technical issues but flaws in the business logic too, the subtle operational or process flaws. Ours are not simple textbook methods and we do not rely on point-and-shoot tools.
Our testers have CREST Registered Tester status and can perform tests to meet the Payment Card Industry Data Security Standard (PCI-DSS).