Penetration Testing Services
What is a Penetration Test?
A penetration test, or pentest, is a simulation of a hacker attack on a network, system, application or website and is used to discover existing vulnerabilities and weaknesses before hackers find and exploit them. In other words, a penetration test is an independent security evaluation of your IT infrastructure.
Contrary to popular belief, penetration testing is very different from vulnerability scanning. Instead of simply trying to identify vulnerabilities with fast and automated tools, a pentest is far more realistic and relies on manual ethical hacking. It is also more comprehensive than cheap vulnerability scanning as it addresses several important security aspects, such as the exploitation process and privilege escalation phases, as well as the steps involved in maintaining access to the targeted infrastructure. At High-Tech Bridge, we really think that nowadays only an offensive security approach to pentesting can give you and others in your organisation confidence that you are well protected against hackers.
Types of Penetration Tests
Penetration tests can be divided into three different groups:
Penetration Testing Methodologies
A penetration test can be performed by one of these three methodologies:
- Black Box: external penetration testing, where auditors remotely assess the network infrastructure without being aware of any internal technologies deployed in the targeted infrastructure. Nowadays, Black Box penetration testing is not restricted to external penetration testing – it also implies that auditors do not have access to any internal information. A DMZ assessment usually falls into this category. The Black Box approach is only advisable for companies wishing to evaluate their IT department's response to and countermeasures against a hack attack, as only the key figures in the company should be notified of the intrusion test.
- White Box: internal penetration testing, where auditors were aware of all internal technologies within the targeted infrastructure. This term has evolved and today describes all penetration tests performed by auditors with unrestricted access to internal resources and information. A source code review typically belongs in the White Box security assessment category. The breadth of White Box security testing suits companies where the IT department is fully cooperating with the penetration testing team. As target scoping and information gathering phases are not required, this approach also decreases the overall intrusion test time, and therefore its price.
Although the White Box approach could be considered the most complete method, its conditions remain far from most real-world attacks. On the other hand, the Black Box approach is more complex and less comprehensive as it relies on realistic methods. Being a combination of White Box and Black Box, the Gray Box approach may be most attractive. Each company should choose the most appropriate method according to its particular business needs and desired results.
Penetration Testing Standards
High-Tech Bridge’s security experts use globally recognized penetration testing standards, as well as High-Tech Bridge’s proprietary methodologies and know-how based on our information security research:
- LPT (Licensed Penetration Tester methodology from EC-Council)
- OSSTMM (Open Source Security Testing Methodology Manual)
- OWASP (Open Web Application Security Project)
- ISSAF (Information Systems Security Assessment Framework)
- WASC-TC (Web Application Security Consortium Threat Classification)
- PTF (Penetration Testing Framework)
- OISSG (Information Systems Security Assessment Framework)
- NIST SP800-115 (Technical Guide to Information Security Testing and Assessment)
- ISO/IEC 27001:2005 (Information Security Management Systems)
- ISO/IEC 27002:2005 (Code of Practice for Information Security Management)
- ISO/IEC 27005:2008 (Information Security Risk Management)
- PCI DSS v3.0 (Payment Card Industry Data Security Standard)
We Deliver Two Penetration Test Reports: One For Management, One For IT
Upon completion of a penetration test, High-Tech Bridge’s security experts will provide you with a detailed penetration test report containing a list of all discovered vulnerabilities and weaknesses, with recommendations on how to fix them. The report is divided into two parts:
Penetration Test Report for Management and Shareholders:
- List of discovered threats and risks, with their direct and indirect impact on company business processes, ordered by priority and gravity.
- Proposed solutions with an estimation of cost and time for installation and integration.
Penetration Test Report for the IT Department:
- Detailed technical description of all vulnerabilities and weaknesses discovered during the test, with CWE-ID and CVSSv2 Base Scores for each vulnerability.
- Recommendations on vulnerability patching and remediation.
Upon delivery of your penetration test report our experts will be pleased to assist you in vulnerability patching.
What Questions Will a Penetration Test Answer?
Penetration tests performed by High-Tech Bridge will tell you if you are effectively protected against hackers and, if not, what the next steps are to minimize any risks to your business. A pentest will provide you with a clear answer to the following questions:
- Are your corporate network and information welfare well protected?
- Can you trust your current security solutions and intrusion prevention systems?
- What are the most relevant IT risks for your business today?
- How could you improve your security and protect your business assets further?
- How can information security be used as an investment for your corporate image?
It is impossible to verify how the airbag in your car will work unless it is tested in a crash test prior to a real accident. If an untested airbag does not work during a real accident, it will be too late to do anything. So you need to induce the accident to test that the solution works before a real accident takes place.
There is a similar concern in information technology: if you don’t check the behavior of your security solutions under real hacker attack conditions, you cannot be sure of their effectiveness.