What is a penetration test?
Penetration testing simulates the behaviour of a real cyber criminal in order to identify issues in the integrity of your systems and advise you on how to fix them before they are exploited for real. Penetration tests are typically carried out from outside your network, but also from inside it to simulate insider threats. If you take cyber security seriously then penetration testing is vital.
Why do you need a penetration test?
With the growing frequency and complexity of cyber attacks, more and more companies are investing in a penetration test. A penetration test is a small cost compared to the disruption caused by a cyber attack. It is estimated that a cyber attack costs a UK company £172,000 on average (source: Quocirca/Trend Micro 2015). Here are some benefits of undertaking penetration testing:
- Protect your company’s profits and reputation – by avoiding financial disaster and negative publicity associated with a compromise of your systems.
- Satisfy regulatory requirements – FCA, PCI DSS, HMG and ISO 27001 demand it.
- Peace of mind – that your information systems are protected from cyber criminals, internal threats and malware.
- Reassurance – that your valuable data is as secure as possible.
- Protection against compliance breaches – and subsequent regulatory fines and potential lawsuits.
- Evidence to support increased investments – in security personnel and technology.
- Independent expert assurance – that your security controls are working as intended.
It is essential you choose an experienced penetration testing partner with real-world knowledge that can help. 2-sec is a market leader trusted by hundreds of companies globally. Here’s why:
Fully accredited – We hold a range of accreditations both at a corporate and individual level including CREST, QSA, PA-QSA, Cyber Essentials Plus, IASME Gold, CHECK, CISSP, CISA, CISM, SANS-GIAC and CEH.
Access to a dedicated Customer Success Manager – We know that you’ll have a lot of questions throughout this process so you’ll have direct phone and email contact with your own go-to person.
Bespoke penetration testing programme – We will develop a test that suits the business profile of your company no matter how big or small.
High levels of customer satisfaction and retention rates – Many of our penetration testing clients have been with us since day one.
An industry-leading expert in penetration testing – Our highly experienced security consultants have been performing penetration tests and security assessments for more than two decades.
Innovative range of testing tools – If an open source or commercial tool doesn’t do the job, we write our own, using an experienced team of application security software developers. Our security testing lab comprises some of the best security testing tools available.
We communicate clearly – Our mission is to ‘simplify security’ and we will communicate any issues or remediation recommendations in a clear and jargon-free way, understood by both your engineering and senior management teams.
Easy to understand reporting – We will provide you with a detailed breakdown of all your results in an easily interpretable format.
Transparent proposals – With inclusive pricing so you get no surprises.
How we work
We follow a four-step process:
- We will work together to define the critical applications, systems and networks to be included.
- Hands-on interactive testing undertaken by our experienced team, incorporating a wide range of attack methodologies including target profiling, target enumeration, automated testing, intelligent exploit attacks and application analysis of business logic.
- Communication throughout the process regarding identified issues and associated remediation steps, regular progress reports, automatic critical risk reporting and a comprehensive final test report.
- We will give you a step-by-step insight into how we entered your system and what you can do to fix it.
Types of penetration test
Network Penetration Testing
Identifies security problems within your network infrastructure. Network Penetration Testing is likely to involve scanning your network and wireless infrastructure for potential issues. Examples of what might be tested at the network level include:
- Operating systems.
- Internal and external networks including Wi-Fi, routers, switches, firewalls.
- Services deployed in the cloud.
- Virtual private networks (VPN) and remote access services.
- Telephony systems, including Voice-over-IP (VoIP).
Web App Penetration Testing
Detects security issues within a website or web application software that could be exploited by a malicious attacker resulting in irreparable damage or data theft. We test both standard website applications as well as custom-developed code. Testing includes:
- Session management, authentication and authorisation, including cookie tampering.
- Web input validation.
- Business logic vulnerabilities.
- Web server configuration issues.
- Cross-site scripting attacks and SQL injection attacks.
- CWE/SANS Top 25.
- OWASP Top 10.
Bespoke Penetration Testing
We will design a test that suits your individual company profile and environment. Tests could include:
- Mobile applications (iOS/Android), including OWASP Top 10 Mobile Risks.
- Thick client applications.
- APIs (web services).
- Wireless systems.
- Automotive systems.
- Embedded systems.
- Firewall, IPS & IDS Evasion.
- Social engineering.
- Information leakage.
- Physical security.
- Telephony / VoIP systems.
- Third party applications.