What is Penetration Testing?
Penetration testing and vulnerability assessments are becoming increasingly commonplace as companies become more reliant on IT systems and the sensitive data they store. Companies may also need to comply with international standards that require regular testing, such as the PCI Data Security Standard, which requires testing, including penetration testing, to be conducted by capable parties.
A penetration test discovers and exploits security vulnerabilities in IT systems or networks in order to assess the company against real-world attacks. A pentest usually covers one or more of the following elements:
- Network - Internal/External, Workstations, Servers, network equipment, etc
- Web services - All services reachable from the internet
- Wireless networks - Anything that connects to the internal network
- Physical - Office locations, access control systems
- Social Engineering - Deception to gain access to systems or premises
How does it work?
The first step is to set the rules of engagement and decide whether the project is a whitebox or blackbox assessment. In a whitebox assessment, all relevant data that is requested is shared with Syndis; in a blackbox assessment, no information is shared and Syndis attempts to acquire as much information as it can during the engagement.
Any penetration test is about finding vulnerabilities within the defined scope, across whichever elements are part of the test. After a vulnerability or flaw is discovered, whether by manual or automated methods, it must be validated and proven before being listed as a finding. Relying solely on automated tooling is not penetration testing.
Why is it relevant?
Penetration testing has become a commoditized service in which competing companies battle over price rather than the quality of the service. They have lost sight of the reasons a company would want a penetration test beyond meeting compliance requirements or audit guidelines. Syndis wants to help companies by providing a realistic view of whether they are at significant risk from attacks, by helping address the core underlying issues, and by determining whether security investments are providing an adequate ROI.
What to expect
- Different results than from a standard penetration test, with more emphasis on real issues and manual coverage by industry professionals
- Compliance with regulatory requirements such as PCI 11.3, PCI 11.1, and ISO27001
- Insight into your company's attack surface and its defensive posture against cyber attacks
- Assurance of whether your security investments have had any impact against attackers