Companies are often unaware of vulnerabilities in their applications or infrastructure that an attacker could exploit to breach confidential data and damage the brand. Penetration testing discovers these vulnerabilities, confirms that they exist and provides clear remediation instructions so that your company can fix the security issues found.
Cyber security testing performed by OSCP & CREST certified penetration testing consultants
A vulnerability assessment is typically an automated scan that identifies vulnerabilities from version banners and signatures but does not exploit them. Because nothing is confirmed, a vulnerability assessment report often contains false positives (for example, a service whose reported version is affected but which has been patched by the vendor without the version number changing). As the attack (exploitation) phase is absent, privilege escalation, lateral movement (pivoting) and the chaining of vulnerabilities together are also absent from a vulnerability assessment.
Penetration testing verifies that a vulnerability exists by safely exploiting it; a vulnerability assessment detects the vulnerability but does not confirm whether it is exploitable. During a manual vulnerability assessment the consultant gathers as much evidence as possible to support each finding, but makes no attempt to exploit it.
As no targets are exploited, pivoting, data exfiltration and privilege escalation are not possible in a vulnerability assessment. For the same reason, assessing the impact of a breach and what data an attacker could gain access to are also outside its scope.
Vulnerability Assessment and Penetration Testing (VAPT) combines both Vulnerability Assessment and Penetration Testing to provide the benefits from both types of vulnerability testing.
A penetration test requires careful scoping in order to provide an accurate cost; however, we list our service costs for smaller, more common pen tests. For pricing information see our costs page. Our penetration testing services are performed using manual, industry-approved pen testing methodologies by experienced consultants who are both CREST and OSCP accredited.
Testing should be performed on a regular basis so that newly discovered threats and vulnerabilities are found and remediated before an attacker detects and exploits them in the wild. In addition to the regular security assessments demanded by regulatory and compliance standards, network security audits should also be completed when:
| Service | Description |
| --- | --- |
| Web Application Testing | A deep-dive manual security assessment of a web application, identifying security issues and vulnerabilities. |
| Mobile Application Testing | A deep-dive manual assessment of a mobile app. Testing is mainly dynamic (conducted while the application is running), but the app is also decompiled and examined statically for reverse-engineering issues. |
| Infrastructure (Network) Testing | A network penetration test performed against an organisation's infrastructure, identifying security issues and vulnerabilities within servers, firewalls, network hardware and desktops. |
| External Penetration Testing | A network penetration test conducted from outside the organisation's network infrastructure: the most realistic simulation of a real-world attack, exposing security issues that could lead to a compromise or a breach. |
| Internal Penetration Testing | An internal assessment of an organisation's network infrastructure, simulating an insider attack. |
There are two main types, application penetration testing and infrastructure (network) penetration testing; both are defined below.
Application penetration testing is typically performed against mobile or web applications: a deep dive against an application identifying security issues and vulnerabilities. For more information see web application penetration testing and mobile application penetration testing.
Types of Application Penetration Testing:
Aptive's service definitions are below and should help your company identify which security assessment service you require.
A network security audit against your organisation simulating a real-world attack. Testing is conducted either externally, from outside the network, to test your company's external defences against attack, or internally, from within the network, to simulate insider threats.
A network penetration test allows an organisation to test its network against attack in a controlled environment, carried out by a professional cyber security consultant. It helps ensure data integrity and assists your internal teams in understanding the identified security issues.
Web application penetration testing is a point-in-time security assessment of a web application and its web server. The web application assessment is a consultant-led, in-depth, deep-dive manual test that focuses on security issues within your web applications and provides clear fix instructions, allowing your team to resolve the discovered security issues.
Web App Penetration Testing Overview:
A mobile app penetration test is a point-in-time security assessment of a mobile app and the web server it communicates with. The mobile application assessment is a consultant-led manual test that exposes security issues within your mobile applications and provides clear fix instructions, allowing your team to resolve the discovered security issues.
Mobile App Penetration Testing Overview:
External penetration testing is a network penetration test conducted from outside the organisation's network infrastructure. The network is assessed under the same conditions a real-world attacker would have, making it the most realistic simulation of a real-world attack and exposing security issues that could lead to a compromise or a breach.
It identifies security issues exposed to external attackers from the Internet, helping ensure data integrity and preventing unauthorised access.
Internal penetration testing is an internal assessment of an organisation's network infrastructure, exposing security issues and vulnerabilities that are reachable from within the network.
Black box testing is conducted with no prior knowledge of the target network, system or application. It is useful for assessing what is possible under the same conditions a real-world attacker would have, making it the most realistic simulation of a real-world attack. The trade-off is that the consultant running the assessment typically needs to spend longer at the information gathering and enumeration stage.
Black Box Testing Summary:
White box testing is conducted with prior knowledge of the target and potentially client-side access to the network, system or application. It is useful for assessing and verifying attack vectors quickly using source code and/or back-end access to the target. It is the least realistic simulation of a real-world attack, as the consultant typically has more information than an attacker would, allowing faster discovery and verification. The trade-off is that some issues raised may not be exploitable in the wild, because the consultant had more knowledge; however, black box tests are often limited by the time the consultant has to conduct the assessment, which makes a white box or grey box test (see below) a more attractive option.
White Box Testing Summary:
Grey box testing is conducted with "some" prior knowledge of the target, a middle ground between white and black box testing. You can give the consultant some knowledge to save time, but not as much access as a white box test would provide, so that the assessment remains realistic. A web app penetration test is a good example of a grey box assessment: accounts and some knowledge of the back-end database might be provided, but access to the application's source code typically is not. It is a fairly realistic simulation of a real-world attack, as the information provided to the consultant could "generally" be obtained by an attacker with more time.
Grey Box Testing Summary:
The table below provides a summary of all the testing types:
| Testing type | Knowledge provided | Advantage | Disadvantage |
| --- | --- | --- | --- |
| Black box | Assessed with no prior knowledge | Most realistic attack simulation | May take more testing time |
| White box | Assessed with prior knowledge | Saves time; more issues may be discovered | Least realistic attack simulation |
| Grey box | Assessed with "some" prior knowledge | Maximises testing time while remaining fairly realistic | Information provided could still make the test unrealistic |
Below is an overview of Aptive's approach when performing a pen test; you can contact us for our detailed methodology document.
Discovery takes place before any testing is conducted. The process involves collecting as much information about the company or application as possible. The information gathered at the discovery stage is used either to identify weaknesses directly or to support later stages of testing. Typically all publicly available information is enumerated, such as:
In-scope addresses are manually enumerated for useful information such as running services and their versions.
As much information as possible is gathered and enumerated from each exposed service.
After enumeration of the server(s) / network, a vulnerability assessment is completed to identify known public vulnerabilities, typically by matching the enumerated product and version strings against vulnerability databases. This produces the candidate list that is manually assessed in the next step.
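The enumeration and vulnerability assessment steps above turn raw scan output into an inventory of services and versions to research. The following is an added example, not Aptive's own tooling: it parses the XML that `nmap -sV -oX scan.xml <targets>` writes (the `-oX` format is real; the scan embedded below is a constructed sample, not a real host), keeps only open ports, and separates fingerprinted services (ready for exploit research) from those nmap could not identify (which still need manual banner grabbing).

```python
"""Enumeration step: build a service inventory from an nmap -sV XML scan.

Added example for this page, not Aptive's tooling. SAMPLE_SCAN_XML is a
constructed sample in the shape nmap writes with -oX; host and versions
are invented for illustration.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample, shaped like `nmap -sV -oX scan.xml 192.0.2.10`.
SAMPLE_SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.10">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4" extrainfo="protocol 2.0"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.6"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="microsoft-ds"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="filtered"/>
        <service name="mysql"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str
    name: str
    product: str
    version: str


def parse_nmap_xml(xml_text: str) -> list:
    """Return one Service per open port; closed and filtered ports are dropped."""
    root = ET.fromstring(xml_text)
    services = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            attr = svc.attrib if svc is not None else {}
            services.append(Service(
                host=addr,
                port=int(port.get("portid")),
                proto=port.get("protocol"),
                name=attr.get("name", ""),
                product=attr.get("product", ""),
                version=attr.get("version", ""),
            ))
    return services


def needs_manual_enumeration(services) -> list:
    """Open ports with no product/version fingerprint: grab banners by hand."""
    return [s for s in services if not s.product or not s.version]


def research_queries(services) -> list:
    """Search strings for the exploit-research step, one per fingerprinted service."""
    return [f"{s.product} {s.version}" for s in services if s.product and s.version]


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_SCAN_XML)
    for s in inventory:
        print(f"{s.host}:{s.port}/{s.proto}  {s.name:<12} {s.product} {s.version}".rstrip())
    print("needs manual enumeration:", [s.port for s in needs_manual_enumeration(inventory)])
    print("research:", research_queries(inventory))
```

The research strings are exactly what an automated vulnerability assessment matches against a vulnerability database, and exactly why it produces false positives: a distribution that backports security fixes leaves the reported version unchanged, so a version match is a candidate, not a confirmed finding, until the exploitation step proves it.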
Depending on client requirements, discovered login forms or captured password hashes are tested using current password recovery (cracking) techniques, helping identify whether the current password policy is sufficient.
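The password step above is a policy check in disguise: if a wordlist plus a few mangling rules recovers a password that the written policy allows, the policy is not sufficient. The following is an added example, not Aptive's tooling, of that check run offline against a constructed set of salted SHA-256 hashes (the usernames, salts and passwords are invented; the hash construction `sha256(salt + password)` is assumed for the sample application). Real engagements use hashcat or John the Ripper at far higher speed; the logic is the same.

```python
"""Password-policy audit by offline hash recovery (added example, not Aptive's tooling).

SAMPLE_HASHES and WORDLIST are constructed for illustration. The hash scheme,
sha256(salt + password), is an assumption about the sample application.
"""
import hashlib
import itertools


def _h(salt: str, password: str) -> str:
    """Assumed storage format of the sample app: hex sha256(salt || password)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample: username -> (salt, stored hash).
SAMPLE_HASHES = {
    "alice": ("5f1a", _h("5f1a", "Summer2015!")),        # passes a 10-char minimum, still weak
    "bob":   ("9c02", _h("9c02", "password")),            # violates the policy outright
    "carol": ("e77b", _h("e77b", "Tr0ub4dor&3xXz9q")),    # not derivable from the wordlist
}

# Constructed mini wordlist; a real run uses a rockyou-sized list.
WORDLIST = ["password", "summer", "welcome", "letmein", "admin"]


def mangle(word: str) -> set:
    """Cheap rules: case variants, common suffixes, and leet 'a' -> '@'."""
    bases = {word, word.capitalize(), word.upper()}
    out = set(bases)
    for b in bases:
        for suffix in ("", "1", "123", "!", "2015", "2015!"):
            out.add(b + suffix)
            out.add(b.replace("a", "@") + suffix)
    return out


def crack(hashes: dict, wordlist: list) -> dict:
    """Return {user: plaintext} for every hash matched by wordlist + rules."""
    candidates = set(itertools.chain.from_iterable(mangle(w) for w in wordlist))
    recovered = {}
    for user, (salt, digest) in hashes.items():
        for cand in candidates:
            if _h(salt, cand) == digest:       # offline, so no timing concern here
                recovered[user] = cand
                break
    return recovered


def policy_violations(recovered: dict, min_length: int = 10) -> dict:
    """Recovered passwords the stated length policy should have blocked."""
    return {u: p for u, p in recovered.items() if len(p) < min_length}


def policy_compliant_but_cracked(recovered: dict, min_length: int = 10) -> dict:
    """Recovered passwords the policy allowed: evidence the policy is insufficient."""
    return {u: p for u, p in recovered.items() if len(p) >= min_length}


if __name__ == "__main__":
    found = crack(SAMPLE_HASHES, WORDLIST)
    print("recovered:", found)
    print("policy violations:", policy_violations(found))
    print("policy-compliant but cracked:", policy_compliant_but_cracked(found))
```

The finding a consultant reports is the last line: alice's password satisfies a 10-character minimum yet falls to a five-word list with trivial rules, so a length rule alone is not an adequate policy. bob's password is a straightforward violation, and carol's survives because it is not a mangled dictionary word.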
Services revealed at the enumeration and vulnerability assessment stages are researched for public exploits and/or known exploitation methods.
Discovered services are manually and safely tested or exploited to confirm whether they are vulnerable.
Successfully compromised machines are locally enumerated for valuable data and, scope permitting, user privileges are escalated to administrator / root. Screenshots of the account privilege level or the discovered data are taken as evidence.
Compromised machines are used to route traffic, allowing the pen testing consultant to reach the internal network or other machines / subnets. This demonstrates the risk of a potential breach and how far an attacker could get within the target company's network.
All discovered security findings are documented in a severity-ordered report with clear, concise remediation instructions and their associated risk and impact.
All our security testing services come with free retesting on reported findings.
We work with you to identify all systems / applications that need testing.
Security testing is completed by our CREST accredited team, following our internal testing methodology.
We deliver a clear, easy-to-understand, severity-ordered report, detailing the identified issues and providing clear and concise remediation steps.
We provide further explanation and demonstrations of the vulnerabilities / exploits on request.
Security issues identified within the report are retested for free.