The process involves an active analysis of the company’s systems for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in processes or technical countermeasures. This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution. The intent of the penetration test is to determine the feasibility of an attack and the business impact of a successful exploit, if one is discovered.
In addition to the scope of our Vulnerability Scanning service, our Penetration Testing includes:
- Exploiting the vulnerabilities identified in Vulnerability Scanning
- Real attacks and intrusion attempts when appropriate
- Identifying the real impact of attack vectors
- Eliminating false positives that can be reported by the vulnerability scanning process
We are also able to provide several variations, which include:
- On-site tests on servers in internal networks or DMZ servers, e.g. DNS, mail, ftp, web servers, database servers and proxy servers
- Remote testing on specific IP addresses over the Internet via the external firewall
- Tests on network components, e.g. firewalls, routers and load-balancing devices
Denial-of-Service (DoS) Testing
Denial-of-Service checks may be included in your Penetration Testing. However, since some DoS checks may bring down the target hosts, certain destructive DoS checks on main network components (e.g. routers) will only be conducted in a controlled environment with special arrangements.