Penetration Testing Services
URM is able to provide penetration testing services against all assets associated with your organisation, location or service (e.g., external and internal networks, cloud environments, web or mobile applications). By emulating real threat actors, URM is able to identify vulnerabilities affecting your IT systems, determine the risks they pose to your organisation and provide a prioritised remediation strategy to address them.
URM can provide the following cyber security testing services:
Infrastructure and Network Penetration Testing
URM is able to perform an internal or external infrastructure penetration test against all IP addresses associated with your organisation, location or service (e.g., remote access via a VPN or web application).
By performing unauthenticated external penetration testing services, URM is able to determine what information and services are publicly accessible. The first step in this assessment is for URM to enumerate the publicly exposed services and fingerprint each application to determine whether the version in use is vulnerable. This includes services running on the public IP addresses, e.g., remote access solutions such as Citrix, FTP servers and VPN access for remote administration of infrastructure. The test can include reviewing the web services for OWASP (Open Web Application Security Project) top ten vulnerabilities on any publicly available pages (e.g., login pages).
For an internal test, URM can simulate threat actors within your internal network and determine the impact and the risk to your organisation. URM can perform authenticated or unauthenticated testing on your internal network, perform build reviews, review firewall rulesets, test your wireless networks, perform segmentation testing and work with you to design something which is both tailored and appropriate to your organisation.
Web Application Penetration Testing
With its web app pen testing service, URM conducts a security review to test the web application from an authenticated perspective. A web application penetration test is a type of ethical hacking engagement designed to assess the architecture, design and configuration of web applications. This test will review each page within the website to understand if any vulnerabilities exist. The penetration test, for example, will identify common web vulnerabilities (e.g., OWASP top 10) using industry standard methodologies, such as the OWASP Web Security Testing Guide (WSTG) and the OWASP Application Security Verification Standard (ASVS).
Where required, the web application penetration test can be performed under the CREST OWASP Verification Standard (OVS) framework.
Where various access levels are available within the application (e.g., administrator vs standard users), URM performs testing to confirm that each access level does not have access to information outside of their level of privilege or tenant.
Cloud Penetration Testing
In addition to our on-premise penetration testing services, URM also delivers cloud penetration testing covering all types of deployments including:
- AWS penetration testing, along with other cloud platforms such as Microsoft Azure and Google Cloud Platform (GCP)
- Cloud deployment models such as individually managed virtual machines (e.g., AWS EC2), automated deployments and configuration (e.g., Puppet, Chef or Terraform), cloud services (e.g., Azure App Service, AWS Lambda) or container solutions (Kubernetes and Docker).
URM can perform a range of testing including external unauthenticated penetration testing through to security configuration reviews. For example, a test may involve reviewing the externally accessible public IP addresses of a service, the configuration of key web and database components by conducting a CIS benchmark against them and conducting a high-level review of the whole cloud platform account. If the cloud infrastructure is also integrated into existing on-premise infrastructure, then URM can combine this with internal penetration testing.
Mobile Application Penetration Testing
Here, URM conducts mobile app penetration testing services on mobile apps that are deployed to either Apple iOS devices or Android devices. The purpose of the review is to understand what vulnerabilities are present within the application and to determine what a malicious user could do to the application to prevent it operating as intended. URM typically suggests conducting the test against the OWASP Mobile Application Security Verification Standard (MASVS); this Standard defines two strict security verification levels, i.e., Medium Risk (Level 1) and High Risk (Level 2). Each level aims to identify key security issues in areas such as data storage, privacy, authentication and network communications. Where required, URM can perform the mobile application penetration test under the CREST OVS framework.
Business-led Penetration Testing
In addition to the more traditional/compliance-based penetration tests, URM offers specialised business-led penetration testing services. These tests are designed to address the specific issues and risks of your organisation, tailoring our approach to your unique requirements. Below are some examples of the issues URM investigates:
- Assessing Unauthorised Access: A key objective is to determine if external attackers can gain access to sensitive client or financial records. This is crucial in evaluating the vulnerability of your organisation's most critical information assets.
- Phishing Vulnerability: This is where URM focuses on assessing the potential fallout if your organisation were to fall victim to a phishing attack, e.g., what capabilities an attacker would gain, and the potential risks and data breaches that could result from such an incident.
- Administrative Access Control: Another vital aspect of our business-led tests is scrutinising your IT administration privileges. We aim to assess whether your IT administrators possess more access than necessary and whether your admin accounts are adequately secured and segmented from ‘normal’ accounts.
When conducting these business-led tests, URM integrates advanced technology-based methodologies to align with your specific objectives. By doing so, we provide you with assurance and invaluable insights into your real-world security posture. Our approach isn't just about generic assessments; it's about addressing the precise security challenges and risks that matter most to your organisation.
As a CREST-accredited organisation, URM is able to provide reassurance that all the policies, processes and procedures which underpin its cyber security penetration testing have been independently assessed and deemed to be fit for purpose. Furthermore, accreditation to the CREST OVS programme reflects URM’s commitment to employing highly skilled individuals who are able to deliver Level 1 and Level 2 ASVS and MASVS assessments for web and mobile applications. With its CREST penetration testing, URM is able to support you through the whole penetration testing process, providing support during all the phases of the project. URM’s expert team will assist you during the scoping phase, provide regular updates during the assessment, provide a debrief meeting at the end of the assessment and help you through the remediation process.
URM fully understands that the objective of penetration testing is to reduce the risk affecting your organisation’s assets. That is why URM includes a free retest of any high or critical vulnerabilities identified during an assessment in the first 30 days after the assessment, to ensure the highest risks are mitigated as quickly as possible.
One of the major differentiators between URM and other penetration testing organisations is its holistic approach. Not only can URM provide cutting-edge pen testing services, but with its governance, risk and compliance background it can also provide a wide range of policy, process and training solutions to address your security weaknesses. Furthermore, as a Payment Card Industry Qualified Security Assessor Company (PCI QSAC), URM has teams which can provide assessment (RoC) consultancy and PCI penetration testing services.
The consequences of unauthorised access are varied. Apart from financial losses, there is a loss of customer confidence. Can penetration testing prevent this?