A penetration test is a skilful and sophisticated “white hat” attempt to evaluate the security of a company’s entire network by safely attempting to exploit system vulnerabilities. Such assessments are useful in validating the efficacy of organisational security measures and adherence to security policies.
Security is a process – not a product that can be bought and configured. It is essential that a company’s security posture is validated using a rigorous process of testing and feedback. This ensures that routine changes to applications and the threat landscape can be accounted for.
Penetration tests are typically performed using manual or automated technologies to systematically compromise servers, endpoints, web applications, wireless networks, network devices, mobile devices and other potential points of exposure.
Penetration Test Strategies
Targeted testing is performed by the organisation’s IT team and the penetration testing team working together. It’s sometimes referred to as a “lights-turned-on” approach because everyone can see the test being carried out.
An external test targets a company’s externally visible servers or devices, including domain name servers (DNS), e-mail servers, web servers or firewalls. The objective is to find out whether an outside attacker can get in and how far they can get once they’ve gained access.
An internal test mimics an inside attack behind the firewall by an authorised user with standard access privileges. This kind of test is useful for estimating how much damage a disgruntled employee could cause.
A blind test strategy simulates the actions and procedures of a real attacker by severely limiting the information given beforehand to the person or team performing the test. Typically, they may only be given the name of the company. Because this type of test can require a considerable amount of time for reconnaissance, it can be expensive.
Double blind testing
Double blind testing takes the blind test a step further. In this type of pen test, only one or two people within the organisation might be aware that a test is being conducted. Double blind tests can be useful for testing an organisation’s security monitoring and incident identification as well as its response procedures.
How it Works
It is helpful to ensure independence between the company providing the security system and the company providing the pen testing. To this end, activereach has a relationship with a certified penetration testing organisation which extends only to introducing penetration testing specialists to companies where activereach has deployed the security system. This eliminates any conflict of interest between the testing and the security system itself, yet allows a customer to engage a single company to both provide and test their network security.
- Pen testing is a vital service for all companies with significant data assets to protect
- Pen tests can be scaled to suit all sizes and types of companies
- activereach uses an independent penetration testing company to provide the service