Why should you pay over the odds to test the security of your networks?
Frequently asked questions…
Penetration Testing is the process of assessing or testing technology to find any weaknesses that can be exploited by hackers. The goal is to find and fix these weaknesses before a hacker finds them.
There are no set rules on what can be tested. Targets can include web applications, web servers and firewalls. Any computer network is potentially at risk.
Testing should be performed under controlled circumstances. It should be thorough and include locating weaknesses in configuration, in how systems have been coded, and in how they operate.
Testing should be conducted by experienced security engineers. These are often people who have built or designed systems. This core knowledge of how networks and systems are built is invaluable when trying to undermine the controls that have been put in place.
If you go out to market, costs for Penetration Testing vary considerably.
As a rule of thumb, a decent penetration test will include manual testing from a qualified, experienced engineer. The amount of manual testing plays an important part in how much the service costs. The testing engineer will be looking to identify and capitalise on configuration and logic weaknesses. Often these can only be spotted by an experienced tester.
Very cheap services will have no engineer involved – relying on automated tools. We would not consider an automated test as a penetration test.
Don’t expect a tester to blindly start hacking away at your networks.
Although testing projects are straightforward to complete, there are some basic steps to make sure that companies get the best value from testing and that no serious problems arise.
Organisations that have an objective or goal for testing generally find testing useful. Goals might include understanding whether confidential data is accessible, whether an online account management system can be exploited to allow valid users to see accounts they shouldn’t, or meeting compliance regulations such as the PCI Data Security Standard.
Having a goal helps focus the penetration test into delivering results for what is actually important to you – the customer.
The next stage is agreeing targets for testing. This is very important as the targets will form the basis for testing and define the scope of the job. Targets might include a web application address, or a range of IP addresses.
Once the targets are understood, the testing dates and targets are signed off and the job can begin.
During testing, Ambersail takes great care to minimise disruption to client networks. Let’s not forget that testing is meant to identify weaknesses, not to bring a computer system to its knees.
As testing progresses, any important findings are fed back to customers straight away. This is to ensure that corrections can be applied immediately. Customers can contact us at any time to discuss progress and request general advice.
Once testing is complete, the results are analysed and recorded in a findings report. Reports have two distinct sections. The first section provides high level, management style advice. The second section contains detailed findings and fix information.
Once the reports have been written and reviewed by our Internal Quality Assurance team, they can be delivered to customers. Report delivery can also be backed up by presentations and workshops. This can be onsite at your offices or using remote meeting facilities.
Some organisations look to perform testing because they want to better understand security and to make their networks and systems more robust.
Other organisations need to perform testing as a ‘tick in the box’, often to satisfy regulatory or compliance requirements.
All reasons are valid. If it gets companies testing and improving the security of their systems, it can only be a good thing.
We are judged, or at least we should be, on how thorough our testing is and how well you understand the reports that we produce. The exercise is pretty much pointless if you cannot act on findings and recommendations that we make.
The main ‘product’ from testing is a penetration test report. Reports have two distinct sections. The first section provides high level, management style advice. The second section contains detailed findings and fix information.
To help understand the report, we offer a walkthrough of results as standard. This can take place either remotely or at your offices.
Retesting is also encouraged and built into our testing packages. Should testing identify weaknesses that need to be fixed, we can validate any changes made after an agreed period of time.
We would suggest testing any component or system that poses a risk to your business operations.
We advocate that you first understand why you need to perform a penetration test and then work out which networks or systems support what you are trying to protect.
If the ‘assets’ that need to be protected are networks, then a good place to start will be the network (IP) addresses. These could be either internal networks, external networks, or both.
If it is a web application, such as an e-commerce site, then the starting point is its specific web address.
We also review specific business systems and technologies, such as wireless networks or IP telephony.
Social Engineering tests are interesting as we normally target a physical building or group of people. To get the best value from these types of test, we always plan carefully to create a customised set of tests specific to that customer.
Ambersail can test remotely from our test facilities or onsite with you, depending on where the test system is situated and how we can connect to it.