Pen Testing 2018-06-20T13:09:32+00:00

Penetration Testing

Advanced testing by CREST, NCSC and PCI experts.

Penetration testing, also referred to as pen testing, is a simulated real world attack on a network or application that identifies vulnerabilities and weaknesses. Penetration tests (pen tests) are part of an industry recognized approach to identifying and quantifying risk. They actively attempt to ‘exploit’ vulnerabilities and exposures in a company’s infrastructure, applications, people and processes. Through exploitation, Nettitude is able to provide context around the vulnerability, impact, threat and the likelihood of a breach in an information asset. It is frequently possible for a pen tester to gain remote access to operating systems, application logic and database records. Through active exploitation of direct and interconnected systems, Nettitude can provide strategic guidance on risk and tailored advice on counter measures.

Request a free quote

CREST-STAR-CBEST-ASV - US and Global

WHY NETTITUDE FOR PENETRATION TESTING?

As an independent world-wide provider of penetration testing services, Nettitude carries out cyber security testing, security auditing and PCI services in some of the most high profile organizations across the world. Our depth and breadth of experience enable us to deliver focused engagements that address the vulnerabilities in infrastructure, application, mobile devices and wireless. Our approach blends technical and social assessment to give organizations a true understanding of their cyber risk.

Nettitude is one of the leading penetration testing companies in the US. We specialize in all types of penetration testing, anytime, anywhere and for any organization. Read about our skills and experience below. Arrange a free no-obligation consultation today by contacting one of our offices.

WHAT ACCREDITITATIONS SHOULD I LOOK FOR IN A PENETRATION TESTING PROVIDER?

As a leading penetration testing company, Nettitude holds the most coveted accreditations across the world.

Nettitude is a full CREST member company. The Nettitude security testing team includes CREST certified Infrastructure Testers (CCT Inf), CREST certified Web Application Testers (CCT App) and CREST Registered Testers. Our team of testers includes CHECK Team Leaders within infrastructure and web application, as well CHECK Team Members.

Nettitude is an ISO27001 certified organization and conducts all external testing engagements from within a rigorously controlled environment. Nettitude’s security consultants hold CISSP qualifications, and many also host CISA and CISM accreditations. In addition, our team is comprised of industry recognized consultants and published authors that have been recognised by the media and cyber security community.

Learn more about Nettitude’s penetration testing skills and experience:

  • Industry leading CESG CHECK testers
  • Management and technical reports
  • Proven testing methodology
  • Internal penetration testing
  • External penetration testing
  • Vulnerability assessment services
  • Web application testing / website penetration testing
  • Full security audit services
  • PCI compliance services

BASICS OF PEN TESTING

If you’re new to the world of penetration testing and wish to gain a simple understanding of what it is, be sure to check out our learning resources to help get you started.

WHAT IS PEN TESTING?
BENEFITS OF PEN TESTING
WHEN TO CONDUCT PEN TESTING
TYPES OF PEN TESTING

WHAT ARE THE DIFFERENT TYPES OF PENETRATION TESTS?

There are both internal and external penetration tests, dependent on whether the tester is accessing the physical environment of the internet facing environment.

Penetration tests can traditionally be run internally within an organization or externally from the internet. The appropriate vantage point for the testing should be determined by your organization’s focus on risk. In addition, the two places for testing are not mutually exclusive. Organizations with a strong focus on risk management will most frequently conduct testing from both an internal and external perspective.

Internal Penetration Testing

This type of testing assesses security through the eye of an internal user, a temporary worker, or an individual that has physical access to the organisations’ buildings.

Internal penetration tests are conducted from within an organisation, over its Local Area Network (LAN) or through Wi-Fi networks. The tests will observe whether it is possible to gain access to privileged company information from systems that are inside the corporate firewalls.

Testers will assess the environment without credentials, and determine whether a user with physical access to the environment could extract credentials and then escalate privileges to that of an administrator or super user within the environment.

During an internal penetration test, the tester will attempt to gain access to sensitive data including PII, PCI card data, R&D material and financial information. They will also assess whether it is possible to extract data from the corporate environment and bypass any DLP or logging devices so as to assess any countermeasures or controls that have been put in place.

External Pen Testing

This type of testing assesses an organizations infrastructure from outside of the perimeter firewall on the Internet. It assesses the environment from the vantage point of an internet hacker, a competitor or a supplier with limited information about the internet facing environment.

External pen testing will assess the security controls configured on the access routers, firewalls, Intrusion Detection Systems (IDS) and Web Application Firewalls (WAFS), that protect the perimeter.

External tests will also provide the ability to assess security controls for applications that are published through the internet. Nettitude recognizes that there is increasing logic being built into web services to deliver extranet, e-commerce and supply chain management functions to Internet users. As a consequence, Nettitude pays particular attention to these resources, and performs granular assessments on their build and configuration, as well as interaction with other data sources that sit in your protected network segments.

WHAT ARE THE DIFFERENT PENETRATION TESTING STRATEGIES?

Let Nettitude guide you through the differences between black, white and grey box penetration testing services.

Black Box Testing

In a black box test, the client does not provide Nettitude with information about their infrastructure other than a URL or even just the company name. Nettitude is tasked with assessing the environment as if they were an external attacker with no information about the infrastructure or application logic that they are testing. Black box penetration tests provide a simulation of how an attacker without any information, such as an internet hacker, organised crime or a nation a state could present risk to the environment.

Grey Box Testing

A grey box test is a blend of black box testing techniques and white box testing techniques. In grey box testing, clients provide Nettitude with snippets of information to help with the testing procedures. This results in a more focused test than in black box testing as well as a reduced time line for the testing engagement. Grey box penetration tests provide an ideal approach for assessing web applications that allow users to login and access data that is specific to their user role, or their account.

White Box Testing

In a white box test, Nettitude is provided with detailed information about the applications and infrastructure. It is common to provide access to architecture documents and to application source code. It is also usual for Nettitude to be given access to a range of different credentials within the environment. This strategy will deliver stronger assurance of the application and infrastructure logic. It will provide a simulation of how an attacker with information (employee, etc) could present risk to the environment.

PENETRATION TESTING REPORTS & DELIVERABLES

Testing Report & Documentation

Nettitude produces a high level management report and an in-depth technical review document for each engagement. These documents will highlight security vulnerabilities and identify areas for exploitation. In addition, they will provide guidance on remediation, with a focus on preventative countermeasures. To gain access to an anonymous management and technical reported related to your industry vertical, please email us.

Test Debrief

Pen testing is complex, however the reports, presentations and debriefs do not need to be. Nettitude ensures that all tests have a full debrief at the end of the engagement. Where practical, Nettitude delivers this debrief in a face to face manner. During this process we will provide a presentation of critical and high level vulnerabilities along with guidance on remediation and countermeasures.

For environments where face to face debrief is impractical, Nettitude conducts debriefs through video conference and WebEX. Through this approach we are still able to share a comprehensive presentation of vulnerabilities and areas identified as being high risk. We are also able to give live demonstrations of where exploitation was possible, and offer guidance on how to secure the environment moving forward.

Post Test Guidance

Clients that engage with Nettitude for Pen Tests are provided with three months of complimentary access to our Security Support Desk. This provides a level of assurance through the remediation phase, ensuring that you can get all of your vulnerabilities fixed in a time sensitive manner.

REQUEST A FREE SAMPLE REPORT

WHAT IS THE PENETRATION TESTING PROCESS?

Nettitude has a robust testing methodology that extends across infrastructure and application testing engagements. Although every penetration test is tailored to our clients’ individual needs, we follow the same proven methodology so as to maintain a consistent and reproducible set of results.

From a high level perspective, Nettitude’s infrastructure testing methodology is based around seven core phases:

  • Phase 1: Scoping
  • Phase 2: Reconnaissance and Enumeration
  • Phase 3: Mapping and Service Identification
  • Phase 4: Vulnerability Analysis
  • Phase 5: Service Exploitation
  • Phase 6: Pivoting
  • Phase 7: Reporting and Debrief

Nettitude has a dedicated methodology associated to web application and web service assessments. This comprises six additional phases and operates at level 3 to 6 of a conventional penetration test.

.

PEN TESTING BLOGS

READ MORE

Is Penetration Testing fit for purpose?

READ MORE

Red Teaming & Blue Teaming – shaping detection & response

READ MORE

Evolution of penetration testing

READ MORE

5 things your current pen testing provider doesn’t do

VIEW OUR ENTIRE PEN TESTING BLOG ARCHIVE