Penetration Testing & Ethical Hacking
Sense of Security’s penetration testing (ethical hacking) services test the security of your information systems, by identifying and exploiting weaknesses. We profile your organisation from the perspective of its most likely threats, examine your business processes, information flows and the technology that supports your operations. This allows us to determine the resilience of your environment to malicious attempts to penetrate your systems.
Sense of Security is a member of the Council for Registered Ethical Security Testers (CREST), a body established to serve the needs of a global information security marketplace that increasingly requires the services of a regulated and professional security testing organisation.
Penetration Testing Methodology and Tools
Sense of Security has a documented, tried and tested, penetration testing methodology based on industry best practices such as the OSSTMM (Open Source Security Testing Methodology Manual) and the PTES (Penetration Testing Execution Standard). This ensures that you receive reliable, repeatable results, and minimises the risk to your systems under test.
Our team uses an arsenal of penetration testing tools similar to those used by attackers on the internet – in conjunction with in-house developed, commercial, and best-of-breed open-source penetration tools.
Keeping up to date with the latest security vulnerabilities, trends and hacking techniques is our business.
We produce a comprehensive business risk-focused penetration testing report covering the approach taken, the techniques used, and the vulnerabilities identified. We then apply our expertise to make prioritised procedural and strategic recommendations to ensure that your systems are secure against future attack.
Vulnerability Assessment vs Penetration Testing (Ethical Hacking)
Vulnerability assessments use testing tools (vulnerability scanners) to identify security vulnerabilities in a system or environment. While they highlight the technical threat, they do not qualify the business threat nor do they assess common attack methods. Thus, the major distinction between a vulnerability assessment and a penetration test (sometimes referred to as Ethical Hacking) is that the vulnerability assessment does not actively exploit the identified problems to determine the full exposure or validate its existence which can lead to inaccuracies in the report (false positives).
Unfortunately, many organisations claiming to perform penetration tests actually “oversell” their services and just provide vulnerability assessments using scanning tools. Although the initial cost may be less, attack scenarios can be overlooked which can lead to a later security breach. Sense of Security does not engage in these practices, and all identified security issues are reported with step by step instructions and screenshots on how to replicate the exploitable condition. Demonstrating the real risk visually provides value to management who may be unable to grasp some of the complex technical concepts involved in this line of work . and highlights the urgency in fixing some issues.
Types of Pen Tests
Our pen testers can perform a range of assessments that simulate attack testing scenarios from individuals with varying degrees of knowledge and access to your systems including:
- External penetration test – casual or focused intruders on the Internet with limited knowledge
- Internal penetration test – disgruntled or careless employees or contractors with legitimate access to the corporate network
- Extranet penetration test – business partners who are part of the corporate Extranet
- Remote access penetration test – casual or focused intruders from known and unknown remote access entry points
- Social engineering test – test the human factor using techniques such as tailgating, pretexting, phishing and baiting
- Physical penetration test – test physical security using real-world intrusion techniques
- Red teaming– emulating a motivated attacker that will use any means possible to obtain access to your systems and data. It is a hybrid approach using many/all of the above methods.
Sense of Security security testing specialists are also experienced with performing tests which address the PCI DSS requirement 11.2 quarterly vulnerability scan (ASV) and annual PCI DSS requirement 11.3 penetration test requirements.
Penetration Testing as Part of Corporate Governance
Penetration tests are a requirement for meeting regulations such as PCI DSS, ISM, SOX, and HIPAA. It is also defined in industry standards such as ISO 17799 and ISO 27001 as important security tests an organisation should regularly undertake.
Key Penetration Testing Technology Focus Areas
Traditional pen testing disciplines include:
- Network penetration testing (infrastructure penetration testing), e.g. router, switch, firewall, etc.
- Server penetration testing, e.g. operating system, application, etc.
Advanced penetration testing service disciplines include, but are not limited to:
- Application penetration testing (including web applications, web services, mobile applications, thick-client applications, etc.)
- Human factor penetration testing (social engineering)
- Red teaming
- Physical security (physical penetration testing)
- SAP Security
- Intrusion detection and prevention systems (IDS/IPS)
- PBX / PABX including VoIP
- Interactive Voice Response (IVR)
- Remote access solutions e.g. Citrix, Terminal Services, IPSEC VPN, SSL VPN, etc.
- BlackBerry Enterprise Server
- Microsoft Office SharePoint Server
- Mobility solutions
- Black box
Vulnerability Management and Protection
Our penetration testing service can be provided as a one-off assessment, or on an ongoing basis. You can leverage our security expertise to provide you with automated, continuous, cost-effective, vulnerability management protection where we work with you to develop a recurring vulnerability assessment program for different segments of your environment. With a recurring program we can highlight current exposures in a timely fashion, and provide you with trending data that allows you to monitor the progress of your IT security initiatives over time.
Our security testing experts are among the best in Australia, and have performed engagements locally and abroad for many of the world’s leading brands. This is backed by our commitment to staff development, certification, IT Security Research, and the publication of regular IT Security Advisories which set us apart from the competition.
Sense of Security also offers penetration testing training courses for those organisations wishing to improve the skills of their internal teams or just wishing to know more about this exciting discipline. Learn from our talented team through instructor led practical exercises at your office or ours.
To discuss how our specialist security services can help your organisation test your security posture please contact us on 1300 922 923 or complete the enquiry form by pressing the button below.