Security Analysis & Penetration Testing

What is a penetration test?

Much of the confusion surrounding penetration testing stems from the fact that it is a relatively recent and rapidly evolving field. Additionally, many organisations will have their own internal terminology - one person's penetration test is another's vulnerability audit or security analysis!

At its simplest, a penetration test is the process of actively evaluating your information security measures. Note the emphasis on 'active' assessment - the information systems will be tested to find any security issues, as opposed to a solely theoretical or paper-based audit.

The results of the assessment will then be documented in a report, which should be presented at a debriefing session, where questions can be answered and corrective strategies can be freely discussed.

Why conduct a penetration test?

From a business perspective, penetration testing helps safeguard your organisation against failure, through:

  • Preventing financial loss through fraud (hackers, extortionists and disgruntled employees) or through lost revenue due to unreliable business systems and processes.
  • Proving due diligence and compliance to your industry regulators, customers and shareholders. Non-compliance can result in your organisation losing business, receiving heavy fines, gathering bad PR or ultimately failing.
  • Protecting your company by avoiding loss of consumer confidence and business reputation.

From an operational perspective, penetration testing helps shape information security strategy by identifying vulnerabilities and quantifying their impact and likelihood so that they can be managed proactively. This then enables budgets to be allocated and corrective measures implemented as soon as possible to remove the threats.

What can be tested?

Every part of the way your organisation captures, stores and processes information can be assessed: the systems in which the information is stored, the transmission channels that transport it, and the processes and personnel that manage it. Examples of areas that are commonly tested are:

  • Off-the-shelf products (operating systems, applications, databases, networking equipment etc.)
  • Bespoke development (dynamic websites, in-house applications etc.)
  • Telephony (war-dialling, remote access etc.)
  • Wireless (Wi-Fi, Bluetooth, IR, GSM, RFID etc.)
  • Personnel (screening process, social engineering etc.)
  • Physical (access controls, dumpster diving etc.)

What should be tested?

Ideally, your organisation should already have conducted a risk assessment, and so will be aware of the main threats (such as communications failure, e-commerce failure, loss of confidential information etc.), and can now use a security assessment to identify any vulnerabilities that are related to these threats. If you haven't conducted a risk assessment, then it is common to start with the areas of greatest exposure, such as the public-facing systems: websites, email gateways, remote access platforms etc.

What do you get from the testing?

While a great deal of technical effort is applied during the testing and analysis, the real value of a penetration test is in the report and debriefing that you receive at the end.

The Web Design ICE Penetration Report and Debriefing are broken into sections that are specifically targeted at their intended audience. Directors need the business risks and possible solutions clearly described in layman's terms, managers need a broad overview of the situation without getting lost in detail, and technical personnel need a list of vulnerabilities to address, with recommended solutions.

If you would like to find out how Web Design ICE's Penetration Testing and Security Analysis can assist your business, please contact us by phone on 0800 279 5462 or send us an enquiry via email.