
 Penetration Testing

Cyber attacks are a risk for every business, whatever their size. All Internet-based attacks start with free-floating, automated, ‘black hat’ vulnerability assessments. When a security vulnerability is identified in an Internet connection or application, the first phase of attack is usually also automated and may be limited to planting one or more Trojans to listen out for sensitive information.

Technical security testing – usually known as ‘Penetration Testing’ (sometimes also called ‘Pen Testing’ or ‘Security Testing’) – establishes whether or not your Internet security will actually withstand external threats, and whether or not it is adequate and is functioning correctly.

Effective Penetration Testing involves the simulation of a malicious attack against the security measures under test, often using a combination of methods and tools, and conducted by a certificated, ethical professional tester. The resulting findings provide a basis upon which security measures can be improved.

Efficient and routine Penetration Testing of your system is the only way of establishing that your networks and applications are genuinely secure against today’s automated cyber attacks.

To provide your business with a complete solution, please see the IT Governance Penetration Testing Packages for further details.

ITG Security Testing Ltd is here to help - call us now on 0845 070 1750 or email us.

Alternatively, request a call back from one of our experienced consultancy team.

Why should you conduct a Penetration Test?

In a world where attacks on networks and applications are growing in number at an exponential rate, and the penalties incurred by organisations for failing to defend against such attacks are becoming ever steeper, effective Pen Testing is the only way of establishing that your networks and applications are truly secure. Penetration testing is also an essential component in any ISO27001 ISMS - from initial development through to ongoing maintenance and continual improvement.

Key reasons to conduct a Penetration Test include:

  • Identify vulnerabilities and quantify their impact and likelihood of their being exploited
  • Propose corrective measures and implement remedial actions
  • Ensure compliance with critical standards which include PCI DSS and ISO27001
  • Prevent financial loss through fraud, theft or cybercrime
  • Protect your company reputation by avoiding loss of customer confidence
  • Protect critical data in line with the Data Protection Act and other privacy requirements.

Please note that Penetration Testing is a requirement of UK central government (e.g. DWP) Baseline Security Plans.

Why use ITG Security Testing Ltd?

Information Security Expertise: 

ITG Security Testing Ltd is part of the IT Governance family. IT Governance has a long and distinguished history in the provision of information security expertise and solutions, including, but not limited to, the PCI-DSS and ISO/IEC 27001:2005 standards. ITG Security Testing Ltd builds on this foundation to provide comprehensive Penetration Testing services that test the security of your networks and applications whilst retaining a broad vision of your business and security objectives.

Certificated Security Testers:

ITG Security Testing Ltd deploy only trained, certificated and seasoned security testers who have additionally been subject to extensive CV and other regularly conducted internal checks. This ensures that any testing activity is carried out by ethical and client-focused experts.

Best-practice methodology:

Our security testing service is delivered in line with the best-practice OSSTMM methodology, developed and published by ISECOM. This methodology ensures that security testing is carried out following a structured, effective and technically appropriate process, to deliver meaningful reports and metrics.

What Security Testing services do we provide?

IT Health Checks

A CHECK-compatible IT Health Check is an effective way of identifying technical security vulnerabilities in applications, networks, websites and IT infrastructure.

Black Box Testing

‘Black Box Testing’ is based on the security tester having no prior knowledge of the network infrastructure to be tested. The testers must first determine the location and extent of the systems before commencing their analysis. The only information they have to start with is the IP address to be pen tested. This form of testing simulates an attack from someone unfamiliar with the system – an external hacker, for instance. This is also sometimes called a ‘blind test’. To test an organisation’s security monitoring and incident investigation procedures, we can perform a blind test where only a very few people are aware of the test. This is known as a ‘double blind test’.

White Box Testing

‘White Box Testing’, on the other hand, is based on the tester having complete knowledge of your network infrastructure, including network diagrams, source code, password configurations, and so on. This form of testing is appropriate for identifying vulnerabilities that might be exploited by an insider or by someone who has been able to obtain sensitive security information. This is also sometimes called a ‘full disclosure’ test.

Gray Box Testing

‘Gray Box Testing’ is a mix of black and white box testing and is usually carried out in response to a specific perceived threat to your network. It is based on a limited amount of information and, for this reason, is often called a ‘partial disclosure’ test.

Web Application Security Testing

Websites and externally-facing Web applications are subject to a wide range of potential attacks that exploit an equally wide range of vulnerabilities. Web application testing is a comprehensive process of assessing and identifying website application vulnerabilities and providing a report that includes details of all identified vulnerabilities. OWASP - the Open Web Application Security Project - publishes a best-practice guide to testing web applications, and ITG Security Testers will apply as appropriate the tests identified by OWASP.

Wireless Network Testing

The use of wireless access to a network provides an external hacker with a rich source of potential vulnerabilities to attack. Despite these significant threats, organisations are increasingly deploying Wi-Fi and Bluetooth to satisfy the demand from their staff for mobile and flexible access. Wireless Network Testing identifies potential vulnerabilities and recommends a range of defensive measures which can be deployed to protect and mitigate against these risks. Wireless Network Testing also tests for rogue wireless access points (WAPs) which may be connected to your network and for the data traffic for which you are now likely to be legally responsible.

PCI DSS Approved Scanning Vendor (ASV) Services

ITG Security Testing Ltd can, through the IT Governance partnership with Comodo, provide standard, approved PCI DSS ASV scanning services for organisations that need to achieve and maintain PCI DSS compliance. A PCI ASV scan looks for vulnerabilities at both the network and application layers.

Annual Scanning Contracts

A single security test is useful in telling you what your current security stance is like, and in identifying current vulnerabilities and weaknesses. However, technical information security breaches and hacker attack patterns – both automated and individually driven – evolve extremely rapidly. It is therefore normal for organisations to contract for regular, repeat scans of their infrastructure; these scans are usually performed (depending on the risk assessment) on a monthly, quarterly, or annual basis. ITG Security Testing Ltd can provide attractive prices for annual scanning contracts and thereby help you ensure that your defences remain adequate against identified and evolving risks and that your corrective and preventive actions are closely linked to emerging threats and vulnerabilities.

Consultancy and Remediation Services

IT Governance Ltd consultancy and remediation expertise is instantly at hand:

  • Your organization and project sponsor do not need to worry about identifying in-house the expertise that may be required to close down any vulnerabilities identified through the testing process.

  • There is minimal disruption to the project should the individual consultant supporting you become ill or unavailable – our consultants use a consistent, comprehensive (but not overly bureaucratic) methodology and each one has their own coach who keeps up to speed on progress and developments so a smooth transition can occur if a new consultant needs to be assigned for any reason.

To book your Penetration Testing service, or to discuss your requirements, please call us now on 0845 070 1750 or email us.
