
 Penetration Testing

Penetration Testing (often called “Pen Testing” or “Security Testing”) establishes whether or not the security in place to protect a network or application against external threats is adequate and functioning correctly.

 

Effective Pen Testing involves the simulation of a malicious attack against the security measures under test, often using a combination of methods and tools and conducted by a certificated, ethical professional. The resulting findings provide a basis upon which security measures can be improved. Penetration testing is, for instance, a requirement of UK central government (e.g. DWP) Baseline Security Plans.

 

ITG Security Testing Ltd is here to help - call us now on 0845 070 1750 or email us.

 

Alternatively, Request a Call Back from one of our experienced consultancy team.

 

In a world where attacks on networks and applications are growing in number at an exponential rate, and the penalties incurred by organisations for failing to defend against such attacks are becoming ever steeper, effective Pen Testing is the only way of establishing that your networks and applications are truly secure. Penetration testing is also an essential component in any ISO27001 ISMS - from initial development through to ongoing maintenance and continual improvement.

 

Download our FAQs/White Paper for more information on Security (Penetration) Testing and ISO27001:

Why use ITG Security Testing Ltd?

Information Security Expertise: 

ITG Security Testing Ltd is part of the IT Governance family. IT Governance has a long and distinguished history in the provision of information security expertise and solutions, including but not exclusive to the PCI-DSS and ISO/IEC 27001:2005 standards. ITG Security Testing Ltd builds on this foundation to provide comprehensive Pen Testing services that test the security of your networks and applications whilst retaining a broad vision of your business and security objectives, ensuring that our Pen Testing services produce results that your business can use to build on and move forward.

 

Certificated Security Testers:

ITG Security Testing Ltd deploy only trained, certificated and seasoned security testers who have additionally been subject to extensive CV and other regularly conducted internal checks. This ensures that any testing activity is carried out by ethical and client-focused experts.

 

Best-practice methodology:

Our security testing service is delivered in line with the best-practice OSSTMM methodology, developed and published by ISECOM. This methodology ensures that security testing is carried out following a structured, effective and technically appropriate process, to deliver meaningful reports and metrics.

 

What Security Testing services do you provide?

Black Box Testing

‘Black Box Testing’ is based on the security tester having no prior knowledge of the network infrastructure to be tested. The testers must first determine the location and extent of the systems before commencing their analysis. The only information they have to start with is the IP address to be pen tested. This form of testing simulates an attack from someone unfamiliar with the system - an external hacker, for instance. This is also sometimes called a ‘blind test’.

White Box Testing

 

‘White Box Testing’, on the other hand, is based on the tester having complete knowledge of your network infrastructure, including network diagrams, source code, password configurations, and so on. This form of testing is appropriate for identifying vulnerabilities that might be exploited by an insider or by someone who has been able to obtain sensitive security information. This is also sometimes called a ‘full disclosure’ test.

 

Gray Box Testing

‘Gray Box Testing’ is a mix of black and white box testing and is usually carried out in response to a specific perceived threat to your network. It is based on a limited amount of information and, for this reason, is often called a ‘partial disclosure’ test.

Web Application Security Testing

Websites are subject to a wide range of potential attacks that exploit an equally wide range of vulnerabilities. Web application testing is a comprehensive process of assessing and identifying website application vulnerabilities and providing a report that includes details of all identified vulnerabilities. OWASP - the Open Web Application Security Project - publishes a best-practice guide to testing web applications, and ITG Security Testers will apply as appropriate the tests identified by OWASP.

PCI DSS Approved Scanning Vendor (ASV) Services

ITG Security Testing Ltd can, through the IT Governance partnership with Comodo, provide standard, approved PCI DSS ASV scanning services for organisations that need to achieve and maintain PCI DSS compliance. A PCI ASV scan looks for vulnerabilities at both the network and application layers.

Annual Scanning Contracts

A single security test is useful in telling you what your current security stance is like, and in identifying current vulnerabilities and weaknesses. However, technical information security breaches and hacker attack patterns – both automated and individually driven – evolve extremely rapidly. It is therefore normal for organisations to contract for regular, repeat scans of their infrastructure; these scans are usually performed (depending on the risk assessment) on a monthly, quarterly, or annual basis. ITG Security Testing Ltd can provide attractive prices for annual scanning contracts and thereby help you ensure that your defences remain adequate against identified and evolving risks and that your corrective and preventive actions are closely linked to emerging threats and vulnerabilities.

Consultancy and Remediation Services

IT Governance Ltd consultancy and remediation expertise is instantly at hand:

  • Your organization and project sponsor do not need to worry about identifying in-house the expertise that may be required to close down any vulnerabilities identified through the testing process.

  • There is minimal disruption to the project should the individual consultant supporting you become ill or unavailable – our consultants use a consistent, comprehensive (but not overly bureaucratic) methodology and each one has their own coach who keeps up to speed on progress and developments so a smooth transition can occur if a new consultant needs to be assigned for any reason.