What is Penetration Testing?
Penetration testing, or pen testing as it is often referred to, involves an authorised individual adopting the role of a hacker and attempting to compromise or gain access to a network or an application.
The objective is to evaluate and assess an organisation’s security posture and identify, analyse and exploit any vulnerabilities or any misconfigurations that present a security risk. By identifying any risks, these can be treated before they are targeted by malicious hackers.
Why Your Organisation Needs a Pen Test
A pen test enables your organisation to assess the overall security of your IT infrastructure and gain a clear understanding of any high-risk vulnerabilities.
By simulating a real-world scenario and conducting a pen test you are able to:
- Identify any flaws in your infrastructure or applications that could lead to data loss, impact a service or damage your reputation.
- Test existing security controls, discover weak points, and optimise and improve burdensome controls.
- Ensure compliance with information security standards such as the Payment Card Industry Data Security Standard (PCI DSS).
- Reassure customers and stakeholders that you are regularly testing the robustness of your security infrastructure.
- Understand the risk and impact to your organisation should an incident occur.
Network and External Penetration Testing
URM is able to perform an internal or external penetration test against all IP addresses associated with your organisation, location or service (e.g. remote access via a VPN or web application).
By performing an unauthenticated penetration test, URM is able to determine what information and services are publicly accessible.
The test can include reviewing the web services for OWASP (Open Web Application Security Project) Top Ten vulnerabilities on any publicly available pages (e.g. login pages) and any additional services running on the public IP addresses (e.g. VPN access for remote administration of infrastructure).
For an internal test, URM can work with you to design something which is both tailored and appropriate to your organisation.
Types of Penetration Tests
Infrastructure And Network Penetration Testing
Web Application Penetration Testing
With this type of service, URM conducts a security review to test the web application from an authenticated perspective.
A web application penetration test is a type of ethical hacking engagement designed to assess the architecture, design and configuration of web applications. This test will review each page within the website to understand if any vulnerabilities exist.
The penetration test, for example, will identify common web vulnerabilities (e.g. OWASP top 10) using a defined methodology, namely the Open Source Security Testing Methodology Manual (OSSTMM).
Where various access levels are available within the application (e.g. administrator vs standard users), URM performs testing to confirm that users at each access level do not have access to information outside of their level of privilege or tenant.
Mobile Application Penetration Testing
Here, URM conducts a review of the mobile apps that are deployed to either Apple iOS devices or Android devices.
The purpose of the review is to understand what vulnerabilities are possible within the application and to determine what a malicious user could do to the application to prevent it operating as intended.
URM typically suggests conducting the test against the OWASP Mobile Application Security Verification Standard; this standard provides two levels of verification: Medium Risk (Level 1) or High Risk (Level 2).
Each level aims to identify key security issues in areas such as data storage, privacy, authentication and network communications.
Social Engineering Penetration Testing
There is wide-scale recognition that your employees represent your greatest information and cyber security risk.
As such, URM is able to simulate a targeted social engineering attack by malicious hackers.
Using advanced reconnaissance and intelligence techniques, URM will aim to establish how susceptible users are to responding to social engineering and phishing attacks, i.e. fraudulent attempts to get users to divulge sensitive information or click on links etc.
Apart from carrying out simulated phishing attacks, URM can also extend its social engineering penetration testing to telephone and physical security.
Including a social engineering penetration test within an information and cyber security training programme can be hugely effective, not just in raising awareness but in changing behaviour.
What People Say About Us:
“URM were super helpful and knowledgeable, talking and walking me through each one of the tests and providing some useful information on security and how to improve things in the future.”
“I was very impressed with how the process went on testing day and I can’t wait to take other clients through the process with URM.”
“Having never gone through the Cyber Essentials Plus process on behalf of a client I was very impressed with how the process went on testing day and I can’t wait to take other clients through the process with URM.”
“This was a great exercise for the business to go through as some gaps were found and URM provided valuable information on remediation.”
How URM Can Provide the Support Needed to Address Your Vulnerabilities
URM can help you address your security vulnerabilities through its holistic approach and its unique combination of technical, policy/process and training solutions.
All URM’s penetration testers are independently qualified by industry-recognised bodies. Each engagement starts with a kick-off meeting where we agree on objectives, how vulnerabilities should be reported, escalation during the testing, and the holding of a full debrief meeting once testing is complete to outline and discuss any findings.
All of URM’s reports include a business impact description of the vulnerabilities that is suitable for presentation to technical and non-technical senior managers, along with potential root cause analyses and proposed remediation for addressing the findings, including technical, process and people solutions.