Cyber crime is a growing problem, costing businesses and the government millions each year.
Although there are many ways to secure systems and applications, the most reliable way to find out how secure you actually are is to conduct an assessment or series of controlled tests, commonly called a penetration test.
By performing a penetration test, you emulate the actions of a malicious attacker against your own systems, which gives a far more accurate picture of your security posture at that point in time than a review of policies or configurations alone.
Pen tests can be automated with scanning tools, performed manually by a tester, or, most commonly, carried out using a combination of both methods.
The main objective of penetration testing is to identify security weaknesses and vulnerabilities. A vulnerability is a security hole in a piece of software, hardware, operating system or business process that an attacker could use as a vector to compromise the system.
A pen test can also be used to test an organisation’s security policy compliance, its employees’ security awareness and the organisation’s ability to identify and respond to security incidents.
PCI DSS and ISO 27001
Compliance with the PCI DSS and ISO 27001 will usually require regular penetration tests (PCI DSS mandates them explicitly, and an ISO 27001 ISMS normally relies on them as part of its risk assessment) to identify potential vulnerabilities, ensuring that the organisation has a comprehensive understanding of its risks and treatment options.
By performing controlled attacks, a penetration test can uncover security flaws and vulnerabilities in a realistic way.
There are two approaches to conducting penetration tests. Since the two types of tests are very similar, IT Governance uses the terms ‘level 1’ and ‘level 2’ to avoid confusion. Some organisations refer to the terms ‘vulnerability assessments’ (level 1) and ‘penetration tests’ (level 2).
Penetration testing places more emphasis on gaining as much access as possible (literally breaking into the network or system), while vulnerability testing places the emphasis on identifying those areas that are vulnerable to a cyber attack.
A level 1 penetration test will stop just before compromising a system, while in a level 2 penetration test the testers will go as far as they can within the scope and rules of engagement agreed in the contract.
IT Governance has a table explaining the differences between the two types of tests.
Conducting either type of penetration test involves reconnaissance – gathering information about the target, scanning for exposed services, and identifying potential weak spots and entry points – and then reporting back on the findings. A level 2 penetration test includes the additional step of attempting to exploit those weaknesses to gain access to the system or network.
Each vulnerability found, whether or not the testers successfully exploited it, is classified into a threat level for the organisation – typically low, medium or high. Most credible penetration testing companies will conclude with a detailed report on the security findings along with thorough recommendations for treating the vulnerabilities, and the level 2 report should also record exactly what access was gained and how.
IT Governance provides a variety of fixed-price, level 1 penetration tests, including network infrastructure, web application and wireless network penetration tests. Alternatively, for a level 2 penetration test, contact us now for a quote.