Penetration testing, also referred to as pen testing, is a simulated real-world attack on a network, application, or system that identifies vulnerabilities and weaknesses. Agoa’s approach to risk assessments and penetration testing is outlined below.
We start by selecting the appropriate type of testing. The 3 approaches are referred to as Black box, Grey box and White box testing.
- Black box testing is the closest one gets to a real-life attack. Here the pen tester is given as little information as possible and asked to see how far they can get in trying to compromise a system.
- Grey box assessment assumes the tester has partial knowledge of the environment to be tested. It saves time over black box testing, as the tester's knowledge of the environment means they don’t have to run tests that will never work.
- White box testing is the opposite of black box testing: here the pen tester is given a lot of background information to help target the testing. This knowledge removes the need for the pen tester to test what is never going to work, thus allowing for a better value-for-money test.
Penetration testing methodology
Penetration tests are typically performed using manual or automated technologies to systematically compromise endpoints. Our methodology starts with reconnaissance, where information is gathered about the system to be tested. We then analyse all the information we have gathered, looking for points of interest. The next step is to attack these points of interest, looking for exploits that work. The testers may attempt to use the compromised system to launch subsequent exploits at other internal resources, specifically by trying to incrementally achieve higher levels of security clearance and deeper access to electronic assets and information via privilege escalation.
Information about any security vulnerabilities successfully exploited through penetration testing is typically aggregated and presented to IT and network systems managers to help those professionals make strategic conclusions and prioritize related remediation efforts. This is done via a comprehensive report.
The fundamental purpose of penetration testing is to measure the feasibility of systems or end-user compromise and evaluate any related consequences such incidents may have on the involved resources or operations. The picture below outlines Agoa’s methodology.
Benefits of our pen testing
- A comprehensive & economical pen test
- A prioritised risk identification matrix
- Real highlighted security issues and advice on how to mitigate them
- Compliance with standard requirements such as ISO 27001, NIST and PCI DSS
- Added protection to your company reputation