Penetration Testing for your Network: The Basics 101 Guide


Vulnerability & Penetration Testing – What to Look Out For?

‘Be Prepared’ isn’t just the motto for the Boy Scouts.

Every organization has some cyber-security measures in place: a firewall, encryption, data loss prevention, or a mix of intrusion detection/prevention systems. However, organizations operate under the assumption that it’s not about if an attack will occur but rather when. A pen test will expose weaknesses before the attackers do.

What is Penetration Testing?

Vulnerability assessment and penetration testing are terms that are used interchangeably, but they are ultimately different services. In plain terms, a vulnerability assessment is like a thief making a note of all your points of entry and identifying the locks you have in place. Penetration testing, on the other hand, is actually picking the lock and getting inside, but with permission.

Reasons for Penetration Testing

Identify security gaps

It’s required.

A lot of companies are required to do a penetration test or a vulnerability assessment on a yearly or quarterly basis. We help organizations plan, assess, and implement security programs to meet industry security requirements such as SSAE 16, HIPAA, PCI, NIST/FISMA, and ISO compliance. Other times it is for the client's assurance that their data is kept private and secure.

 

Security tools have gaps.

There are multiple security tools to help identify and prevent attacks, but they don’t all work well together or prevent breaches from multiple attack vectors. A penetration test will uncover complex vulnerabilities when a multi-vector attack is employed, which can happen at any given moment.

 

Fine tune your response.

Protocols, procedures, key players, roles and responsibilities can all be fine-tuned during remediation to decrease response time. During a real attack, knowing who is responsible for what, and what needs to happen when, will reduce exposure and risk.

 

Don’t be a soft target.

It’s impossible to 100% secure any network or application. The goal is to be as hard and frustrating as possible so attackers move on to softer, more pliable targets. A penetration test will reveal if you’ve got a soft underbelly or you’re well armoured.

What has to be done? 5 steps to better protect your SMB:

1. Project Brief

Every organization is as different as its stance towards information security. In the initial stages, get a clear understanding of your organization, your critical systems and the rules of engagement.

 

2. Intelligence Gathering

Once you know your business context and have set the ground rules, map out all the possible vectors for the actual attack to take place—starting with publicly available information about your network and systems. Working from the outside in, capture data as all possible engagers to your business.

 

3. Social Engineering

Penetration tests aren’t true tests unless attempts to gain greater access to systems are carried out on the people who manage and maintain those systems. Your weaknesses aren’t always a digital device connected to your network, so devise a campaign to test your team. Regardless of how fortified the network may be, an errant USB from the sidewalk can cause havoc.

 

4. The Attack

The attack is set in motion using tools obtained in the public domain, commercially available tools, and bespoke applications crafted to expose weaknesses.

 

5. Remediation

What sets our penetration test apart from the others is the details, actions, and remediation tactics presented in the findings report. We’ve got over 100 combined years of security expertise and our industry-leading reports reflect that expertise, leaving you with nothing but clear, meaningful recommendations to strengthen your security posture.

 

 


Curious about your security layers?
How safe is your data?

Let GRIP I.T. simulate attacks on your network to uncover security gaps.

info@gripit.ca | 416 907 8181 x 3052