Penetration Testing
A penetration test or ‘pen test’ is the easiest, most effective way to demonstrate that exploitable vulnerabilities in your Internet-facing resources are adequately patched, and that you have appropriate technical security controls in place to help protect against cyber-intrusions.
We can help you find and patch your vulnerabilities before someone else finds the holes in your defences. We will test against everything, including the most recent types of attacks, and present the vulnerabilities, risks, and recommendations for remediation in an easy-to-understand ‘traffic light’ report, so that you can make practical decisions based on hard facts.
Penetration Testing: An essential business investment
Regular vulnerability scanning and penetration testing of all Internet-facing resources is now an essential business investment because:
- Increasingly complex software on websites and networks means there are more and more security ‘holes’;
- More and more security researchers – both reputable and criminal – means that exploitable holes are discovered and publicised more quickly. Increasingly, the first exploitation of a security hole happens within hours of its existence being publicised;
- The massive rise in indiscriminate, automated botnet, DDoS (Distributed Denial of Service) and cross-site scripting attacks puts all Internet-facing resources at direct risk of compromise;
- Any successful cyber intrusion will lead to significant remediation costs, on top of down-time and lost productivity and before factoring in reputation damage, compliance breach costs and legal actions.
Successful hacking methodologies proliferate quickly and are deployed indiscriminately at high volumes.
When automated attacks using massive slave computer networks (‘botnets’) took off in 2008:
- IBM ISS helped large corporations block about 5,000 SQL attacks a day for the first five months of 2008.
- By mid-June, daily attacks spiked to 25,000; by October they topped 450,000 a day!
The available evidence suggests that the botnet problem has continued to increase in the 5 years since these figures were made public. The chances are, you have already been attacked. The pertinent questions are: ‘How many times?’ and ‘Do you know about it?’!
Between April and June 2012, FireHost blocked nearly 500,000 SQLi attacks. SQLi is a well-known and popular method used by cyber criminals to steal data and is among the most malicious and dangerous web-based attacks. Cross-Site Scripting and SQL Injection attacks have become even more prevalent since the third quarter of 2012 [source: FireHost].
There is no ‘security through obscurity’. The size, scale or public profile of your organisation does not matter to bots. They automatically scan all available IP address ranges on the Internet, looking for the trusting, undefended organisations whose vulnerable, unpatched systems may contain valuable commercial, financial or personal data or which might, at the very least, be capable of slaving into a botnet for use in attacking other organisations or countries.
Why should you conduct a regular Penetration Test?
New vulnerabilities are identified and exploited by hackers every week. In many cases, you won’t even know that your defences have been successfully breached until it’s too late.
You should conduct penetration tests on a quarterly basis (at least):
- To find weaknesses in your information security system before someone else does, identifying vulnerabilities and quantifying their impact and likelihood of being exploited;
- To produce evidence in the form of reports to managers that your security measures are adequate and working, demonstrating that your IT spend is appropriate and cost-effective;
- To ensure compliance with critical standards such as PCI DSS and ISO27001, the requirements of the Data Protection Act and other relevant privacy legislation/regulations;
- To provide assurance to customers, both in a B2C and B2B context, that their data is being protected and that your organisation is not a weak link in their information security chain.
Technical security testing, usually known as ‘Penetration Testing’ (sometimes also called ‘Pen Testing’ or ‘Security Testing’), establishes whether or not your Internet security will actually withstand external threats, and whether or not it is adequate and is functioning correctly.
Pen testing involves a controlled attack on a network or specific device to discover vulnerabilities. The typical penetration test is conducted by an experienced ‘ethical hacker’: someone who specialises in breaking into systems, but who does so with the permission of the system owner.
There is a range of potential attack vectors and methodologies including open ports, Wi-Fi passwords, packet sniffing, phishing schemes, browser exploits and social engineering. Effective Penetration Testing involves the simulation of a malicious attack against the security measures under test, often using a combination of methods and tools, and conducted by a certificated, ethical professional tester. The resulting findings provide a basis upon which security measures can be improved. It is rare that our pen testers come across an organisation that does not have some room for improvement. We present the vulnerabilities, risks to the organisation, and recommendations for remediation as hard facts in a ‘traffic light’ report that’s made as easy as possible to understand.
Are you doing business with the government?
Penetration Testing is a requirement of the UK central government Baseline Security Plans. Invitation to Tender documents issued by HM Government departments also reference penetration tests; for example, see the Department for Work and Pensions document, The Framework for the Provision of Employment Related Support Services, Security Plan and Guidance for Completion (2010), under section 1.4 Assessment Process, Stage 6 – Penetration Testing and Reporting.
Efficient and routine Penetration Testing of your system is the only way of establishing that your networks and applications are genuinely secure against today’s automated cyber attacks.
In a world where attacks on networks and applications are growing in number at an exponential rate, and the penalties incurred by organisations for failing to defend against such attacks are becoming ever steeper, effective Pen Testing is the only way of establishing that your networks and applications are truly secure.
ISO27001 and Penetration Testing
Penetration testing is also an essential component in any ISO27001 Information Security Management System (ISMS) - from initial development, through to ongoing maintenance and continual improvement.
How does penetration testing fit into your ISO27001 ISMS project? There are three specific points in your ISMS project at which penetration testing has a significant contribution to make:
- As part of the risk assessment process: uncovering vulnerabilities in any internet-facing IP addresses, web applications, or internal devices and applications, and linking them to identifiable threats;
- As part of the Risk Treatment Plan, ensuring that controls that are implemented do actually work as designed;
- As part of the ongoing corrective action/preventive action (CAPA) and continual improvement processes, ensuring that controls continue to work as required and that new and emerging threats and vulnerabilities are identified and dealt with.
Why use ITG Security Testing Ltd?
Information Security Expertise:
ITG Security Testing Ltd is part of the IT Governance family. IT Governance has a long and distinguished history in the provision of information security expertise and solutions, including, but not exclusive to, the PCI-DSS and ISO/IEC 27001:2005 standards. ITG Security Testing Ltd builds on this foundation to provide comprehensive Penetration Testing services that test the security of your networks and applications whilst retaining a broad vision of your business and security objectives.
Certificated Security Testers:
ITG Security Testing Ltd deploy only trained, certificated and seasoned security testers who have additionally been subject to extensive CV and other regularly conducted internal checks. This ensures that any testing activity is carried out by ethical and client-focused experts.
Best-practice methodology:
Our security testing service is delivered in line with the best-practice OSSTMM methodology, developed and published by ISECOM. This methodology ensures that security testing is carried out following a structured, effective and technically appropriate process, to deliver meaningful reports and metrics.
What Security Testing services do we provide?
IT Health Checks
A CHECK-compatible IT Health Check is an effective way of identifying technical security vulnerabilities in applications, networks, websites and IT infrastructure.
Web Application Security Testing
Websites and externally-facing web applications are subject to a wide range of potential attacks that exploit an equally wide range of vulnerabilities. In fact, the most common attack vector outside of social engineering techniques is through web applications. Testing is a comprehensive process of assessing and identifying website application vulnerabilities and providing a report that includes details of all identified vulnerabilities. OWASP – the Open Web Application Security Project – publishes a best-practice guide to testing web applications, and ITG Security Testers will apply as appropriate the tests identified by OWASP.
Network Testing
Network testing is a comprehensive process of assessing and identifying vulnerabilities and providing a report that includes details of all identified vulnerabilities, flaws within hardware or software configuration or other operational weaknesses that may exist. OSSTMM – Open Source Security Testing Methodology Manual – publishes a best-practice guide to security testing and ITG Security Testers will apply as appropriate the tests identified by OSSTMM. These tests expose security vulnerabilities and weaknesses, assess the impact should a potential security threat occur and provide information for a report that proposes a technical solution. The outcome of these tests demonstrates the security profile of an organisation at a given moment in time. Security is not a steady state; therefore, these tests need to be repeated at regular intervals or after major changes.
Wireless Network Testing
The use of wireless access to a network provides an external hacker with a rich source of potential vulnerabilities to attack. Despite these significant threats, organisations are increasingly deploying Wi-Fi and Bluetooth to satisfy the demand from their staff for mobile and flexible access. Wireless Network Testing identifies potential vulnerabilities and recommends a range of defensive measures which can be deployed to protect and mitigate against these risks. Wireless Network Testing also tests for rogue wireless access points (WAPs) which may be connected to your network and for the data traffic for which you are now likely to be legally responsible.
PCI DSS Approved Scanning Vendor (ASV) Services
ITG Security Testing Ltd can, through the IT Governance partnership with Comodo, provide standard, approved PCI DSS ASV scanning services for organisations that need to achieve and maintain PCI DSS compliance. A PCI ASV scan looks for vulnerabilities at both the network and application layers.
Annual / Quarterly Scanning Contracts
A single security test is useful in telling you what your current security stance is like, and in identifying current vulnerabilities and weaknesses. However, technical information security breaches and hacker attack patterns – both automated and individually driven – evolve extremely rapidly. It is therefore normal for organisations to contract for regular, repeat scans of their infrastructure; these scans are usually performed (depending on the risk assessment) on a monthly, quarterly, or annual basis. ITG Security Testing Ltd can provide attractive prices for regular scanning contracts and thereby help you ensure that your defences remain adequate against identified and evolving risks and that your corrective and preventive actions are closely linked to emerging threats and vulnerabilities.
Consultancy and Remediation Services
IT Governance Ltd consultancy and remediation expertise is instantly at hand:
- Your organisation and project sponsor do not need to worry about identifying in-house the expertise that may be required to close down any vulnerabilities identified through the testing process.
- There is minimal disruption to the project should the individual consultant supporting you become ill or unavailable – our consultants use a consistent, comprehensive (but not overly bureaucratic) methodology and each one has their own coach who keeps up to speed on progress and developments so a smooth transition can occur if a new consultant needs to be assigned for any reason.
To provide your business with a complete solution, please see the IT Governance Penetration Testing Packages for further details.
To book your Penetration Testing service, or to discuss your requirements, please call us now on 0845 070 1750 or email us.