Geneva: +41 (22) 723 2424  |  San Francisco: +1 (415) 659 1861  |  
Request Quote
*
*
*
*
*
*

Stay in touch

Enter your email and get the latest news and researches on cybersecurity, receive invitations to private security events and conferences.

External and Internal Penetration Testing

Penetration Testing

What is a Penetration Test?

A penetration test, or a pentest, is a simulation of a hacker attack on a network, system, application or website. It is used to discover existing vulnerabilities and weaknesses before hackers find and exploit them. Prevention is better than cure: are you 100% confident that your corporate network and information are safe?

  • Our pentesting service helps you validate, improve and ensure efficiency and effectiveness of your information security systems.
  • We don't just discover vulnerabilities, our penetration test reports include personalized instructions how to fix discovered vulnerabilities and weaknesses.
  • The best quality of service is assured: High-Tech Bridge is an award-winning company trusted by international organizations, banks and FT500 companies since 2007.

Penetration Testing Standards

High-Tech Bridge’s security experts use globally recognized penetration testing standards, as well as High-Tech Bridge’s proprietary methodologies:

  • LPT (Licensed Penetration Tester methodology from EC-Council)
  • OSTTMM (Open Source Security Testing Methodology Manual)
  • OWASP (Open Web Application Security Project)
  • ISSAF (Information Systems Security Assessment Framework)
  • WASC-TC (Web Application Security Consortium Threat Classification)
  • PTF (Penetration Testing Framework)
  • OISSG (Information Systems Security Assessment Framework)
  • NIST SP800-115 (Technical Guide to Information Security Testing and Assessment)
High-Tech Bridge's penetration testing approach and risk assessment methodology are compatible with the majority of modern compliance standards and various federal regulations, such as:
  • PCI DSS (Payment Card Industry Data Security Standard)
  • ISO/IEC 27001 (Information Security Management Systems)
  • HIPAA (Health Insurance Portability and Accountability Act)
  • SOX (Sarbanes-Oxley Act)
  • GLBA (Gramm–Leach–Bliley Act)
  • FISMA (Federal Information Security Management Act)

Penetration Testing Methodologies

A penetration test can be performed by one of these three methodologies:

  • Black Box Penetration Test

    During the Black Box pentest client does not give any internal technical or network information to the auditors. Therefore, the Black Box approach requires auditors to spend some time on network exploration and reconnaissance in order to craft efficient attack plan. This approach simulates the most realistic attack scenario, and is perfectly suited for companies who want to know what a group of external hackers may do within a limited period of time.

  • Gray Box Penetration Test

    Differently from the Black Box, the Grey Box approach usually does not require auditors to spend a lot of time on network exploration. Internal information, such as technical documentation or credentials of privileged users, may be given to the auditors in order to simulate more sophisticated attack when hackers have already obtained some sensitive information. For the Grey Box pentest the client may also specify which attack methodologies on which systems he wants or he doesn't want to use. Grey Box is the most frequent approach that provides comprehensive security testing within a relatively short period of time compared to White Box.

  • White Box Penetration Test

    White Box pentest is the most "collaborative" approach, when client provides auditors with all information about his network architecture, user credentials and even source codes in some cases. White Box is rather an audit than a penetration test. It is the most comprehensive and complete approach to security testing, however it requires a lot of time as well. White Box is advised to companies who want to make sure that every single line of code in their defense perimeter will be scrupulously verified.

There are two main types of penetration tests:

  • External Penetration Test

    • Testing of frontal servers & applications
    • Testing of websites & web applications
    • Firewall/IDS/IPS bypass testing
    • Testing of VOIP infrastructure
  • Internal Penetration Test

    • Malicious employee activity simulation
    • Privilege escalation attack simulation
    • Security testing of wireless networks
    • Social Engineering attack simulation
    • Phishing attack simulation

Penetration Test Deliverables

Upon completion of a penetration test, High-Tech Bridge’s security experts will provide you with a detailed penetration test report containing a list of all discovered vulnerabilities and weaknesses, with customized recommendations on how to fix them. The report is usually divided into two parts:

  • Report for IT Department. The report contains:

    • Executive summary and project review
    • Full methodologies and techniques used during the project
    • Technical description and risk level of vulnerabilities and weaknesses
    • Customized recommendation for each vulnerability and weakness
    • Suggestions on IT infrastructure hardening
  • Report for Management. The report contains:

    • Executive summary and project review
    • Explanation how the discovered risks may impact the business and business continuity
    • Estimation of potential financial loses (and other consequences upon request) in case of successful attacks
    • Suggestion of additional IT budget and investments to reinforce IT security

Upon delivery of your penetration test report our experts will be pleased to assist you in vulnerability patching.


Penetration Test Outcomes

Penetration tests performed by High-Tech Bridge will tell you if you are effectively protected against hackers and, if not, what the next steps are to minimize any risks to your business. A pentest will provide you with a clear answer to the following questions:

  • Are your corporate network and information welfare well protected?
  • Can you trust your current security solutions and intrusion prevention systems?
  • What are the most relevant IT risks for your business today?
  • How could you improve your security and protect your business assets further?
  • How can information security be used as an investment for your corporate image?

It is impossible to verify how the airbag in your car will work unless it is tested prior to a real accident in a crash test. Unless it is tested, if the airbag does not work during a real accident it will be too late to do anything. So you need to induce the accident to test that the solution works ahead of a real accident taking place.

There is a similar concern in information technology: if you don’t check the behavior of your security solutions under real hacker attack conditions, you cannot be sure of their effectiveness.