External and Internal Penetration Testing
What is a Penetration Test?
A penetration test, or a pentest, is a simulation of a hacker attack on a network, system, application or website. It is used to discover existing vulnerabilities and weaknesses before hackers find and exploit them. Prevention is better than cure: are you 100% confident that your corporate network and information are safe?
- Our pentesting service helps you validate, improve and ensure efficiency and effectiveness of your information security systems.
- We don't just discover vulnerabilities: our penetration test reports include personalized instructions on how to fix the discovered vulnerabilities and weaknesses.
- The best quality of service is assured: High-Tech Bridge is an award-winning company trusted by international organizations, banks and FT500 companies since 2007.
Penetration Testing Standards
High-Tech Bridge’s security experts use globally recognized penetration testing standards, as well as High-Tech Bridge’s proprietary methodologies:
- LPT (Licensed Penetration Tester methodology from EC-Council)
- OSSTMM (Open Source Security Testing Methodology Manual)
- OWASP (Open Web Application Security Project)
- ISSAF (Information Systems Security Assessment Framework)
- WASC-TC (Web Application Security Consortium Threat Classification)
- PTF (Penetration Testing Framework)
- OISSG (Information Systems Security Assessment Framework)
- NIST SP800-115 (Technical Guide to Information Security Testing and Assessment)
- PCI DSS (Payment Card Industry Data Security Standard)
- ISO/IEC 27001 (Information Security Management Systems)
- HIPAA (Health Insurance Portability and Accountability Act)
- SOX (Sarbanes-Oxley Act)
- GLBA (Gramm–Leach–Bliley Act)
- FISMA (Federal Information Security Management Act)
Penetration Testing Methodologies
A penetration test can be performed by one of these three methodologies:
There are two main types of penetration tests:
External Penetration Test
- Testing of front-facing servers & applications
- Testing of websites & web applications
- Firewall/IDS/IPS bypass testing
- Testing of VOIP infrastructure
Internal Penetration Test
- Malicious employee activity simulation
- Privilege escalation attack simulation
- Security testing of wireless networks
- Social Engineering attack simulation
- Phishing attack simulation
Penetration Test Deliverables
Upon completion of a penetration test, High-Tech Bridge’s security experts will provide you with a detailed penetration test report containing a list of all discovered vulnerabilities and weaknesses, with customized recommendations on how to fix them. The report is usually divided into two parts:
Report for IT Department. The report contains:
- Executive summary and project review
- Full methodologies and techniques used during the project
- Technical description and risk level of vulnerabilities and weaknesses
- Customized recommendation for each vulnerability and weakness
- Suggestions on IT infrastructure hardening
Report for Management. The report contains:
- Executive summary and project review
- Explanation of how the discovered risks may impact the business and business continuity
- Estimation of potential financial losses (and other consequences, upon request) in case of successful attacks
- Suggestion of additional IT budget and investments to reinforce IT security
Upon delivery of your penetration test report our experts will be pleased to assist you in vulnerability patching.
Penetration Test Outcomes
Penetration tests performed by High-Tech Bridge will tell you if you are effectively protected against hackers and, if not, what the next steps are to minimize any risks to your business. A pentest will provide you with a clear answer to the following questions:
- Are your corporate network and information assets well protected?
- Can you trust your current security solutions and intrusion prevention systems?
- What are the most relevant IT risks for your business today?
- How could you improve your security and protect your business assets further?
- How can information security be used as an investment for your corporate image?
It is impossible to know how the airbag in your car will behave unless it is tested in a crash test before a real accident. If the airbag fails during a real accident, it is too late to do anything about it, so the accident has to be simulated in advance to verify that the airbag works.
There is a similar concern in information technology: if you don’t check the behavior of your security solutions under real hacker attack conditions, you cannot be sure of their effectiveness.