Acuity offers advanced testing as your certified experts.
What is pen testing?
Penetration testing, more commonly referred to as ‘pen testing’, is a simulated real-world attack on a network, application or system. Such testing identifies the vulnerabilities and weaknesses within them, and pen tests have become part of an industry-recognised approach to identifying and quantifying risk.
Pen testing actively attempts to exploit vulnerabilities and expose weaknesses in a company’s infrastructure, people and processes. Through such exploitation, Acuity is able to provide context around each vulnerability, its impact and the likelihood of a break-in to an information asset.
It is frequently possible for a pen tester to gain remote access to operating systems, application logic and database records. Through such active exploitation of both direct and interconnected systems, Acuity can provide strategic guidance on risk, giving tailored advice on countermeasures.
How can pen testing benefit you?
Managing your risk: a pen test finds vulnerabilities in your environment and allows you to remediate them, before an adversary takes advantage of them.
Protecting clients, partners and third parties: pen testing shows your clients that you take cyber security seriously, building trust and a good reputation and showing that you’re doing everything you can to mitigate the risks of a cyber breach.
Understanding the environment: a pen test shows you what is going on in the environment around you, helping you to understand the types of cyber-attacks that your organisation may face.
Identifying non-transparent weaknesses: Pen testing looks for the potential backdoors into your network that exist without your knowledge.
What are the types of pen tests?
Pen testing comes in both internal and external forms, depending on whether the tester is working from within the physical environment or against the internet-facing environment.
Pen tests are traditionally run internally, from within an organisation’s own network, or externally, from the internet. The appropriate vantage point for the testing should be determined by an organisation’s focus on risk, and the two are not mutually exclusive: organisations with a strong focus on risk management will most frequently conduct testing from both an internal and an external perspective.
Internal Pen Testing
Assessing security through the eyes of a temporary user, worker or individual that has physical access to the organisation’s building.
Internal pen tests are conducted from within an organisation, over its LAN (local area network) or through its WiFi networks. The tests observe whether it is possible to gain access to sensitive company data from systems that are inside the corporate firewall.
Pen testers will access the environment without credentials. They’ll determine whether a user with physical access to the environment could extract credentials and then escalate privileges to that of an administrator or super user within the environment.
During an internal penetration test, the tester will attempt to gain access to sensitive data including PII, PCI card data, R&D material and financial information. They will also assess whether it is possible to extract data from the corporate environment and bypass any DLP or logging devices so as to assess any countermeasures or controls that have been put in place.
External Pen Testing
This type of testing assesses an organisation’s infrastructure from the Internet, outside of the perimeter firewall. It assesses the environment from the vantage point of an internet hacker, a competitor or a supplier with limited information about the internet-facing environment.
External pen testing will assess the security controls configured on the access routers, firewalls, Intrusion Detection Systems (IDS) and Web Application Firewalls (WAFs) that protect the perimeter.
This type of testing also provides the ability to assess the security controls of applications that are published on the internet. Acuity recognises that increasing amounts of logic are being built into web services to deliver extranet, e-commerce and supply chain management functions to Internet users. As a consequence, Acuity pays particular attention to these resources, performing granular assessments of their build and configuration, as well as of their interaction with other data sources that sit in your protected network segments.