What Is a Penetration Test?

A penetration test is a method of evaluating the security of a computer system by simulating an attack by a malicious user (hacker). The process involves an active and detailed analysis of the computer systems in search of possible oversights in design, implementation and maintenance. All detected oversights are listed in the Report at the end of the testing, together with an assessment of their probability and possible consequences, as well as suggestions for reducing the risk. Upon presentation of the Report we will answer your questions and, together with your IT experts, develop a strategy for improving security.
Why Take a Penetration Test?

From the business point of view, penetration testing, with its proactive and preventive measures, helps you protect your company against the following risks:
Financial losses due to fraud (by hackers, extortionists or dissatisfied employees) or due to unreliable business systems and processes
Failure to demonstrate due attention to computer security, in accordance with industry regulations and the demands of your clients, business partners and shareholders. Negligence can cause serious damage, manifested as a sudden break in collaboration, hefty fines, a damaged reputation or outright ruin. At a personal level, the consequences can be loss of employment, a lawsuit and sometimes even a prison sentence.
Loss of reputation, by avoiding any loss of clients' trust and of your business standing.
From the operational point of view, penetration testing helps you form a strategy for your computer security by:
Identifying security vulnerabilities and quantifying their impact and probability, which enables proactive management and allows the necessary resources to be provided in time to put the appropriate security measures in place
What to Test?

Security tests can involve every segment of your company that receives, processes or stores digital data. The most commonly tested areas are:
Network servers (both servers exposed to the Internet and internal servers)
Workstations (PCs or laptops) used by your employees
Customised computer systems (dynamic stations, internal applications…)
Computer networks and network equipment (including wireless networks)
Security measures (or the lack thereof) that your employees should apply
Physical security measures (access control, possibility of unauthorised access...)
Ideally, you have already performed a risk assessment and are aware of the areas where damage would be greatest (e.g. communication outages, computer system shutdowns, loss of confidential information, unauthorised data modification…), so penetration testing can now identify the security oversights that could allow such damage to actually occur. If you have not performed a risk assessment, it is standard to start with the most exposed areas (servers open to the Internet, web sites, email servers, remote access servers...). Before the penetration tests are commissioned, we perform a vulnerability check on the basis of which we can recommend
How to Test?

Depending on your requirements, and on the advice of our experts, several types of test are available:
'Black box' test – a security test performed without prior knowledge of your computer infrastructure or business operations
'White box' test – a detailed test carried out on the basis of documentation about your system that you deliver to us beforehand
'Gray box' test – a test performed with a limited amount of information, in order to save time and/or achieve more detailed results
What Do You Get In Return?

Although we invest a considerable amount of effort and technical skill in the testing and in the analysis of the results, the true worth of a penetration test lies in the Report we deliver at the end. If the Report is not clear or comprehensible enough, all the invested effort is of little value.
The Report and its presentation need to be tailored to the respective readers. The Board needs the business risks and the prevention options described clearly, in everyday language. Managers will need a broad overview of the situation, without many technical details. Your computer experts will be mostly interested in the technical details of the detected vulnerabilities, as well as in the recommended countermeasures and preventive steps.
What’s Next?

Even after the penetration testing has been successfully completed, you can still rely on our help in the time to come:
Creating your security policy
Periodic vulnerability checks
Implementation of PKI infrastructure
Consultation during the implementation of new components in your computer system
Implementation of a complete security system
Education (of computer engineers and other employees)
Emergency intervention during and after a security incident