What We Do
Infrastructure penetration testing is a practical assessment that demonstrates how potential attackers can exploit weaknesses in your IT systems by mimicking the techniques that real attackers use. It goes further than vulnerability scanning through the use of exploitation.
Penetration tests can be performed from the internet and from within your organisation. The type of penetration testing required should be decided by the criticality of your information and your appetite for risk. Testing from both perspectives would be very effective.
Testing from within your organisation is used for assessing the security of your systems that are separated from the internet. You may want to know if your customers’ records or your employees’ payroll information is being stored and transmitted in a secure manner. The Security Bureau will connect to the LAN and, without being given any information, attempt to gain access to the data that you’re concerned about. We will then provide you with the steps that we took to gain unauthorised access.
Testing from the internet will highlight any security weaknesses that you have in your internet-facing IT systems. Email servers, web servers that host your e-commerce websites, routers, and any other systems that are exposed to the internet will be security tested. We may also find services that you didn’t know you had exposed.
Internet perspective penetration testing is a good start to your security journey. It is also good practice to complete a review at least annually or when you’ve changed the system enough that vulnerabilities could have been introduced.
How We Do It
In order for The Security Bureau to fully understand your security objectives and technical environment, we would typically conduct a project kick-off meeting either face to face or on a conference call. We aim to gain an understanding of your organisation, the project we would be working on, and the technical details that will enable us to accurately scope and estimate testing time and costs.
The Security Bureau uses a range of security tools, both manual and automated methods, and a proprietary methodology to identify, validate, and exploit security vulnerabilities. All testing activities are closely co-ordinated to help minimise negative impact to your systems. Throughout testing, we will share results with you so that testing is efficient. Where we identify critical or high-risk vulnerabilities, your designated project point-of-contact will be notified immediately. The main phases of the penetration test are:
– Information Discovery
– Target Mapping
– Vulnerability Identification
– Penetration & Exploitation
– Privilege Escalation
What You Get
We will send you a detailed technical report on the detected issues along with guidance on how to resolve these. The report will also contain a high level management summary to ensure that the detected issues can be understood by non-technical staff.
The management summary section will restate your main security concerns and your drivers for security testing, along with the outcomes of these. We will also suggest short-, mid- and long-term security strategies to meet your security goals.
The Security Bureau can present the findings in a face-to-face meeting or on a conference call if required.
Our services are provided by CREST accredited consultants and our penetration testing services are performed to a high standard. As part of our ongoing professional training we are constantly learning about new threats. As we familiarise ourselves with your systems and infrastructure we will be able to keep track of any security developments that are particularly relevant to you, and inform you of these.