

Penetration Testing

Penetration Testing allows you to identify where the weak points in your security are. It is considered best practice by numerous ISO standards, and is a business requirement under PCI-DSS, FCA and other regulatory regimes, to have a Penetration Test carried out at least annually by a competent and independent external third party.

Conducting Penetration Testing against your people, processes and technology gives you an insight into how well security operates throughout your business and how well it is able to withstand an attack.

We use our global reach and research insights to collect, process and analyse how threats are evolving. This allows you to stay informed with general threats, industry specific threats and targeted threats to your organisation.

What sets us apart from others

Our Penetration Testing service is different from many of the other penetration testing services available today. Our key difference in the marketplace is our team, their mixed skill sets and diverse experience.

We know every client is different, and so is every Penetration Test. We tailor every test to your requirements and needs. We will take time to understand your business, why you need testing and how best to deliver the right test for you. Every step of the way through your penetration test you will have direct access to your tester and, where we are working on a team-based engagement, you will have direct access at all times to the team leaders.

We have an extensive repository of custom-developed tools and exploits at our disposal that can be used to bring to life the advanced attack techniques of the chaotic actors that may target your business. These, coupled with our unique reporting style, mean you are assured of the very best testing results and experience.

The Process

Scoping

At a high level, there are four stages to our general penetration tests. These are Pre-Test, Testing, Reporting and Review. This can be seen on the right in our typical penetration test process flow.

The most important part when considering your penetration test is the scope. The scope is what defines which objects or assets require testing.

Defining a scope can be relatively simple. The whole scope may be a single system or application where the boundaries are clearly defined. In other cases the scope will be more complex. For example, when conducting a PCI-DSS penetration test the scope must meet the requirements of section 11.3 of the PCI-DSS. In that case we will need to verify the scope for testing to ensure that it adequately covers all in-scope systems.

For simple requirements we can typically scope a test accurately via a phone call or email; more complex tests will require a scoping form to be completed.

 

Testing

The testing phase is where all our skill and experience come into play. Communication is key to the delivery of a good security testing engagement. You will receive communication from your tester at intervals defined during the Pre-Test discussions. Typically this will be towards the end of each day.

 

Reporting

Arguably the most complicated part of the engagement, this can sometimes be one of the most time-consuming phases. Reporting takes all of the raw technical output from the test and turns it into a readable document. Depending on the type of test booked, there may additionally be CSV files of vulnerabilities, screencasts of exploitations in action and access to a private file repository to download files.

 

Review

Our review process is tough for our testers. Every report will be reviewed by either our senior team leader or our CEO. During the review they will look at each vulnerability identified and each exploit performed to ensure that the penetration test achieved the best results within the timeframe of the scope.

Penetration Testing Process

Reporting

Reporting is vitally important to every penetration test. We often get asked by clients why one third of the time assigned to a test is dedicated to creating the report, and the answer is simple. The report is the single tangible piece you receive at the culmination of your penetration test.

We approach reporting in a different way to many of our peers. Your main report is split into three sections.

  • Executive Report
  • Technical Report
  • Vulnerability Report

While these three sections constitute the Penetration Test Report, we also provide you with a CSV file containing all the verified vulnerabilities to aid your technical teams in the remediation of those vulnerabilities.

Wherever possible, we also include links to downloadable video files for particular exploits so you can watch the penetration tester performing the exploitation and understand how the exploitation works.

All of this combined provides you with the most comprehensive penetration test report available to date.

Our Three Test Types

Base Level Penetration Testing

The Base Level Penetration Test is the foundation-level test designed for iterative releases within the DevOps world, as well as for smaller clients looking to understand the basics of their cyber risk exposure on a smaller budget.

Base Level testing includes:

  • Testing performed by qualified staff
  • Performed in line with PTES
  • Direct access to the tester via phone and email
  • Peer review by a senior penetration tester
  • Basic Test Report

 

Standard Level Penetration Testing

Our Standard Level Penetration Test is ideal for those businesses wishing to understand the cyber risk exposure of their infrastructure, applications and devices.

The Standard Level Penetration Test meets the requirements of a number of regulatory standards which require annual penetration testing, such as PCI-DSS.

This level of testing includes everything from Base Level Penetration Testing plus:

  • Testing performed by a CREST Registered Tester
  • Deeper dive into the scope using manual testing techniques
  • Detailed Test Report

Advanced Level Penetration Testing

Our Advanced Level Penetration Test service is the flagship of our penetration testing. Formulated for businesses where security and safety are mission critical, our Advanced Penetration Testing service is used by businesses with advanced security requirements where failure of protection mechanisms is not an option.

An Advanced Penetration Test will be performed over a greater number of days and will always be led by our CEO, Peter Bassill, and two further highly qualified penetration testers.

This level of testing includes everything from the Base and Standard Level Tests plus:

  • Led by one of our senior Researchers
  • Testing performed by two independent teams
  • Each team is made up of CREST Registered Testers
  • Testing is based on active threat modelling of your environment
  • Double Testing lock: the scoped environment is tested twice by different testers, who collaborate on exploitation
  • Advanced testing practice with custom-developed zero-day attacks where needed
  • Highly detailed report plus:
    • CSV file containing all the vulnerabilities identified with suggested remediation
    • Screencasts of exploitations to help demonstrate and enhance the understanding of what is being performed
    • Details of all the false positives identified

Example reports:

 Example CSV file

Our Methodology

Our methodology is based on the Penetration Testing Execution Standard.

Defining scope is arguably one of the most important components of a Penetration Test, yet it is also one of the hardest. While defining your scope, we will require a technical scoping call between one of our penetration testers (usually the tester who will be doing the work) and your technical team. This is so we can understand what you want testing, what you need testing, the boundaries of the testing and what is within scope. It is very important to us to also discover whether there is anything that could be adversely affected by the testing.

We will also look to understand what you want out of the test. Is it a test to satisfy your clients, your regulators, or something else? This way we can produce a set of reports following the test that are best suited to your circumstances.

This section defines the Intelligence Gathering activities of a Penetration Test, which are usually carried out as the first activity following the placement of an order. The purpose of this is to provide the tester with a working methodology designed specifically for performing the test. This part of the engagement produces a document that most clients never see, detailing the thought process and goals of the penetration test.

The Intelligence Gathering process can be broken down into the following areas:

Compliance Driven Engagement: This is mainly a click-button information gathering process using a series of automated tools, and is done to support tests being undertaken for PCI-DSS, FCA, HIPAA and similar regimes.

Best Practice Engagement: A good understanding of the business, including information such as physical location, business relationships and organisation charts, is gained and added to the test notes. For physical security testing this would involve reconnaissance on opening hours, the comings and goings of staff and possible methods of entry. This is really valuable when conducting a test against a harder target or a business that is looking to take security and defence to the next level.

Continual Cyber Assurance: These Penetration Tests require greater levels of information and build on the previous two with a lot of manual analysis. Detailed information on social networks, heavy analysis of open source intelligence data sets and a deeper understanding of business relationships are gathered and correlated over a large number of hours.

Vulnerability Analysis is the process of discovering flaws in systems and applications which can be leveraged by an attacker or by your Penetration Tester. These flaws can range anywhere from host and service misconfiguration through to insecure application design. Although the process used to look for flaws varies and is highly dependent on the particular component being tested, some key principles apply to the process.

When conducting vulnerability analysis the tester will properly scope the testing for applicable depth and breadth to meet the goals and/or requirements documented in the Pre-Engagement scope section of work. Depth values can include such things as the location of an assessment tool, authentication requirements, etc. For example, in some cases it may be the goal of the test to validate that mitigation steps are in place and working and that the vulnerability is not accessible. In other instances the goal may be to test every variable with authenticated access in an effort to discover all applicable vulnerabilities.

Whatever the scope, the testing is tailored to meet the depth requirements to reach your specified goal. Depth of testing is always validated to ensure the results of the assessment meet the expectation (e.g. did all the machines authenticate?). In addition to depth, breadth must also be taken into consideration when conducting vulnerability testing. Breadth values can include things such as target networks, segments, hosts, applications, inventories, etc. The breadth of testing is always validated to ensure we have met your testing scope (e.g. was every machine in the inventory alive at the time of scanning? If not, why not?).
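The depth and breadth checks described above come down to reconciling the agreed scope inventory against what the scanner actually reached. The following script is an added example, not a tool from the page or the company, showing one way to do that reconciliation: the inventory and scan records are constructed for illustration, the hostname `app.example.test` is hypothetical, and the record fields (`alive`, `authenticated`) are assumed names for what a scanner's export would carry. It flags in-scope targets that were never scanned, targets that were not alive, targets where a required credentialed scan did not authenticate, and anything scanned that was never in scope.

```python
"""Scope coverage check: reconcile a penetration-test inventory against
scanner output so that breadth (every in-scope host reached) and depth
(every host needing a credentialed scan actually authenticated) can be
validated before results are reported.

Added example; the inventory, hostname and scan records below are
constructed for illustration and do not come from any real engagement."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Constructed scope inventory, as a scoping form might list it:
# target -> whether an authenticated (credentialed) scan is required.
SCOPE_INVENTORY: dict[str, bool] = {
    "10.0.1.0/30": True,        # CIDR block, expands to 10.0.1.0 - 10.0.1.3
    "10.0.2.10": True,
    "10.0.2.11": False,
    "app.example.test": True,   # hypothetical hostname target
}

# Constructed scanner output: one record per host the scanner touched.
# Field names are assumptions about what a scanner export would contain.
SCAN_RESULTS: list[dict] = [
    {"target": "10.0.1.1",  "alive": True,  "authenticated": True},
    {"target": "10.0.1.2",  "alive": True,  "authenticated": False},
    {"target": "10.0.1.3",  "alive": False, "authenticated": False},
    {"target": "10.0.2.10", "alive": True,  "authenticated": True},
    {"target": "10.0.2.11", "alive": True,  "authenticated": False},
    {"target": "10.0.9.9",  "alive": True,  "authenticated": False},  # never in scope
]


@dataclass
class CoverageReport:
    """Findings that must be explained before the test results are accepted."""
    not_scanned: list[str] = field(default_factory=list)   # breadth gap
    not_alive: list[str] = field(default_factory=list)     # breadth: needs a "why not"
    auth_failed: list[str] = field(default_factory=list)   # depth gap
    out_of_scope: list[str] = field(default_factory=list)  # rules-of-engagement check

    def complete(self) -> bool:
        """True only when every in-scope target was reached at the agreed depth."""
        return not (self.not_scanned or self.not_alive
                    or self.auth_failed or self.out_of_scope)


def expand_inventory(inventory: dict[str, bool]) -> dict[str, bool]:
    """Expand CIDR entries into individual addresses; hostnames pass through."""
    expanded: dict[str, bool] = {}
    for target, needs_auth in inventory.items():
        try:
            network = ipaddress.ip_network(target, strict=False)
        except ValueError:
            expanded[target] = needs_auth  # not an IP or CIDR: treat as a hostname
            continue
        for addr in network:               # includes every address in the block
            expanded[str(addr)] = needs_auth
    return expanded


def check_coverage(inventory: dict[str, bool], results: list[dict]) -> CoverageReport:
    """Compare the expanded scope against scan records and collect discrepancies."""
    expected = expand_inventory(inventory)
    seen = {record["target"]: record for record in results}
    report = CoverageReport()
    for target, needs_auth in sorted(expected.items()):
        record = seen.get(target)
        if record is None:
            report.not_scanned.append(target)
        elif not record["alive"]:
            report.not_alive.append(target)
        elif needs_auth and not record["authenticated"]:
            report.auth_failed.append(target)
    for target in sorted(seen):
        if target not in expected:
            report.out_of_scope.append(target)
    return report


def format_report(report: CoverageReport) -> str:
    """Render the discrepancies as the checklist a reviewer would work through."""
    lines = [f"Scope coverage complete: {report.complete()}"]
    for label, items in (("Not scanned", report.not_scanned),
                         ("Not alive at scan time", report.not_alive),
                         ("Credentialed scan failed", report.auth_failed),
                         ("Scanned but not in scope", report.out_of_scope)):
        lines.append(f"{label}: {', '.join(items) if items else 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(check_coverage(SCOPE_INVENTORY, SCAN_RESULTS)))
```

Each list in the report maps to a question the review phase has to answer: a host that was not alive needs a reason recorded, a failed credentialed scan means the agreed depth was not reached, and anything outside the expanded inventory is a Rules of Engagement issue before it is a finding.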

The exploitation phase of a Penetration Test focuses solely on establishing access to a system or resource by bypassing security restrictions. As a considerable amount of vulnerability analysis will have been performed prior, this phase is well planned and precise. The main focus is to identify the main entry point into the organisation and to identify high value target assets.

During this phase we may take on the persona of the main chaotic actors that could affect your business. This may be an external attacker that has gained access and wishes to proceed quietly and unnoticed, or it may be an internal attacker who is not too particular about the amount of noise created. We may even take the persona of malware, simulating a malware attack that was successful in the initial stages following a phishing attack.

The purpose of the Post-Exploitation phase is to determine the value of the machine compromised and to maintain control of the machine for later use. The value of the machine is determined by the sensitivity of the data stored on it and the machine's usefulness in further compromising the network. The methods described in this phase are meant to help the tester identify and document sensitive data; identify configuration settings, communication channels and relationships with other network devices that can be used to gain further access to the network; and set up one or more methods of accessing the machine at a later time. In cases where these methods differ from the agreed-upon Rules of Engagement, the Rules of Engagement must be followed.

This is the most important area for you. This is where we bring together all the information we have gathered into a document. A report is typically split into three parts:

Executive Report: This is a high level non-technical report and delivers the main messages of the test results. This section is heavy on management level terminology, charts and graphs.
Penetration Test Report: This is the critical information around your Penetration Test. Here we document what we did, how we did it and whether or not it was successful.
Technical Report: This is the technical detail on each of the issues found and an overview of how to fix the issue.

Completing the reporting phase can take up to a week, as we have a highly robust three-stage Quality Assurance process.

Frequently Asked Questions

We get a lot of questions asked of us regarding Penetration Testing. We have tried to gather as many of the frequently asked questions together here.

  • Penetration Test or Vulnerability Assessment, I'm confused. What do I need?

    Great question. A vulnerability assessment is akin to looking at a house and writing down the make of the locks and the location of the doors and windows, all the while checking that they are closed and whether or not they are locked. A penetration test will attempt to pick those locks, open the doors and see what is behind them. A good penetration test will also try to build tunnels from the house to the tester's own house, create an inventory of all your possessions and many other things besides.

  • I have a mate who can test, what makes you better?

    Almost everyone has a friend, peer or colleague who understands a little about security. We test 7 days a week, 365 days a year, and each tester spends a third of their time at conferences, on courses and doing research to stay at the top of their skill set. It is like comparing a race car engineer (the penetration tester) to a car garage engineer (the IT generalist with some tools) to the home garage hobbyist (the friend). Occasionally the friend will have excellent levels of skill, but this is the exception, not the norm.

  • What tools do you use for a penetration test?

    Our primary "tool" is the Mk1 Human. In our testers' arsenal are over 200 open-source tools bolstered by more than 50 internally developed tools. On an average penetration test, 20% of the tester's time will be spent working with tools. These are important for covering a lot of digital ground in a small amount of time.

  • How often should we have a Penetration Test?

    The best practice guideline is at least annually, but it really depends on what it is you are testing. If your environment is static and does not change, and you perform monthly vulnerability scans, then you are reasonably safe in having a penetration test every three years. If you are including applications that change often within your test scope, then you should be testing those applications separately after development and before UAT.

  • I want a Penetration Test, how much will it cost?

    In order to determine the cost, we need to have a discussion about the scope. While some firms will give you a quote blind, that is like asking a painter to quote for painting a building in London without knowing which building or what type of paint. There are a lot of variables, and these can only be fleshed out via a scoping conversation with one of our test team leaders.

  • How do we know you are any good?

    For the first engagement this is always a worry for clients. We are a CREST member company with a number of OSCP- and OSCE-qualified staff. Our engineers have a wide variety of experience covering multiple disciplines. Have a look at our testimonials to see what our clients think. But the main thing is that we actually care about our clients and their security.

  • When do you issue the certificate?

    We typically issue the certificate after we perform the re-test, if included. This allows you to fix any issues we identify in the initial penetration test.