Active Audit Agency

tel: +38(044) 228-15-88

e-mail: info@auditagency.com.ua

SYSTEM AND NETWORK PENETRATION TEST
(pentest)

What is it?

A system and network penetration test (pentest), or test of resistance to break-in, is a method of evaluating the protection of computer systems or networks by simulating a targeted attack. The main goal of the test is to identify system vulnerabilities, which may arise from improper configuration, hardware and software errors, and operational deficiencies in processes and technical controls.

A pentest is performed from the position of a potential hacker and involves active exploitation of security vulnerabilities. At the same time, the pentest is carried out by highly qualified specialists who abide by ethical principles while conducting the test.

Any security findings from the pentest are passed to the system's owner together with an assessment of their potential impact. In addition, concrete recommendations are provided for removing the identified vulnerabilities.

A penetration test is a component of an information security audit or can be conducted separately.

Why do you need this?

In modern business conditions, information security incidents, for example disclosure of the customer base to competitors or an online shop going down, may lead to significant financial losses for the business and to a loss of confidence among partners and customers.

Every day thousands of new system vulnerabilities are identified; at the same time, attack techniques become more advanced and more widely available. To stay confident that your information assets are protected, you need to close security gaps in advance.

A test of resistance to break-in (pentest) will allow you to evaluate the real protection level of your systems and avoid incidents that may lead to financial and reputational losses.

How is penetration test conducted?

Active Audit Agency performs the protection assessment by external or internal (from the customer's network) scanning.

One of the following may be chosen as the object of examination:

  • External perimeter from the standpoint of a hacker;
  • Internal perimeter from the standpoint of an insider;
  • Physical penetration into premises with restricted access in order to obtain documents/data or plant a bug;
  • Single web application (portal/service/interface/site), including "Internet Banking" systems;
  • Wireless networks and access points;
  • Testing by methods of social engineering - phone calls to staff;
  • Testing by methods of social engineering - fake phishing distribution (e.g. a fake letter on behalf of the IT Department Chief sent to internal employees containing orders to enter usernames/passwords on fake corporate email sites);
  • Checking the reaction of the relevant departments and IPS systems to information security incidents related to hacker attacks;
  • Checking, in practice, the coherency of the processes for vulnerability management, installation of critical updates and patches, incident response, access control, change management, configuration management, password policies, etc.;
  • Analysis of network architecture security;
  • Analysis of the security configuration of network equipment and servers.

Active Audit Agency uses internationally recognized penetration testing methodologies, such as:

  • Information Systems Security Assessment Framework (OISSG);
  • The Open Source Security Methodology Manual (OSSTMM);
  • NIST Guideline on Network Security Testing;
  • ISACA Switzerland – Testing IT Systems Security With Tiger Teams;
  • Cybersecurity Vulnerability Assessment Methodologies (Cybersecurity VAMs);
  • OWASP Testing Guide v4.

The protection assessment is conducted in stages by our own (Ukraine-based) specialists and includes:

Once all necessary countermeasures have been applied, we can perform the pentest again.

As a result you will get a report that describes all actions performed, all vulnerabilities identified during the pentest, and the ways they can be exploited. The report also contains concrete recommendations for removing the vulnerabilities.

 

See also:

Penetration Test Requirements