This service aims at performing an evaluation of the security level of the organisation’s information systems and the network infrastructure, by performing penetration tests against all its network infrastructure that comprises systems, applications, network equipment, web applications and databases. Any vulnerabilities concerning the organisation’s information systems are detected and the potential damage they can inflict, if exploited, is also estimated.
The methodology according to which this service is applied, ensures the organisation’s uninterrupted operation, as well as the confidentiality and discretion of the results.
Penetration testing includes:
- Composition of a complete inventory about the organisation’s resources and information systems.
- Evaluation of the network’s security level.
- Conduct of penetration tests and risk assessment of the organisation’s information systems and infrastructure.
- Training specialised personnel on the methodology of conducting penetration tests and on the use of appropriate tools.
- Forensics readiness.
Building blocks of this service
- Risk analysis – Risk assessment.
- Black box external penetration testing.
- Black box internal penetration testing.
- White box external penetration testing.
- White box internal penetration testing.
The methodology for conducting penetration tests is based on security scanners. Initially, a risk assessment is performed, so as to identify the resources that are of critical importance to the organisation, followed by a customised attack pattern tailored to the organisation’s infrastructure set-up, in order to evaluate the effectiveness of already-known types of attacks.
The methodology includes the following stages:
- Identification of critical systems and applications.
- Information gathering for the target systems.
- Scanning of target systems for running services and open communication ports.
- Discovery of vulnerabilities.
- Exploitation of discovered vulnerabilities.
Depends on the range of the network services/infrastructure and the number of its services that will be tested.