Investors in People
ISO 27001

ISO 9001

Security Audit services

Penetration testing is a very proactive approach used by our security auditors. They try to hack the system to find vulnerabilities. The process involves an active analysis of the system for any potential vulnerability that may result from poor or improper system configuration, known and/or unknown hardware or software flaws or operational weaknesses in process or technical countermeasures.

Any security issues that are found will be presented to the system owner together with an assessment of their impact with a proposal for mitigation or a technical solution. The intent of this penetration test is to determine feasibility of an attack and the amount of business impact of a successful exploit, if discovered.

These penetration tests could be conducted in several ways. The most common difference is the amount of knowledge of the implementation details of the system being tested that are available to the testers:

  • Black box testing: assumes no prior knowledge of the infrastructure to be tested. Our testers must
         first determine the location and extent of the systems before commencing their analysis;
  • White box testing: at the other end of the spectrum, white box testing provides our testers with
         complete knowledge of the infrastructure to be tested, often including network diagrams, source code,
         and IP addressing information;
  • Gray box testing: there are also several variations in between, often known as gray box tests.
         Penetration tests may also be described as "full disclosure", "partial disclosure" or "blind" tests based on
         the amount of information provided to the testing party.

What we do: depending on the approach (black or grey or white box testing) are differences in the content of working phases, but there are some common points of each type of penetration tests:

  • Agree on scope, type and goals of the penetration test;
  • Document the conditions of the test in a very detailed written agreement;
  • Reconnaissance (passive, active);
  • Scanning;
  • Service enumeration;
  • Vulnerability assessment;
  • Vulnerability exploitation;
  • Penetration & access;
  • Recording (providing objective evidence of the success);
  • Document finding;
  • Form recommendations (corrective and preventive measures).

During the reconnaissance phase - depending on the agreed scope of audit - we use social engineering tools and techniques as well.