Penetration testing is a practical demonstration of possible attack scenarios where a malicious actor may attempt to bypass security controls in the corporate network to obtain high privileges in important systems. Penetration testing provides a greater understanding of security flaws in the infrastructure by revealing vulnerabilities, analyzing the possible consequences of different forms of attack, evaluating the effectiveness of the current security measures, and suggesting remedial actions and improvements.

Penetration testing, or pen testing, is a series of tests carried out by specialized testers trying to penetrate an identified system and find vulnerabilities that could be exploited internally or externally by intruders, exploiters, or bad actors. In a world of continuously evolving threats, penetration testing is an essential information security practice and should be included in any company’s governance framework.

Penetration testing helps to:

  • Identify the weakest points in the network, so that businesses can make fully informed decisions about where best to focus attention and budget to mitigate future risks
  • Avoid financial, operational, and reputational losses caused by cyber-attacks by preventing these attacks from ever happening through proactively detecting and fixing vulnerabilities
  • Comply with government, industry, or internal corporate standards that require this form of security assessment

Penetration testing can be performed externally or internally.

External Penetration Testing

External penetration testing is a practice that assesses the externally facing assets of any company. During an external penetration test, the assessor attempts to gain entry into the internal network by leveraging vulnerabilities discovered on the external assets. Alternatively, the tester may attempt to gain access to privileged data through externally facing assets such as email, websites, and file shares.

During the test, the tester performs reconnaissance on the in-scope assets and gathers intelligence on such assets. This intelligence includes open ports, vulnerabilities, and general information about the company’s users for password attacks.

Internal Penetration Testing

An internal pen test is performed to help gauge what an attacker could achieve with initial access to a network. An internal pen test can mirror insider threats, such as employees intentionally or unintentionally performing malicious actions. During an internal penetration test, internal reconnaissance and attacks are launched from the initial foothold. While a poorly secured domain controller may lead to total control of the network, most tests require multiple attack paths to achieve their testing objectives. This method often includes exploiting less important systems and then leveraging information found on these systems to attack more important systems in the network.

Our team performs both tool-based and manual penetration testing, intrusive and non-intrusive, according to business criticality and the scope document, and with the client’s consent. Our services include penetration testing of:

  • Web Applications (Developed on any platform)
  • Desktop Applications
  • Mobile Applications (Android, iOS, Windows)
  • Network Infrastructure (Routers, Firewalls, Switches, etc.)
  • Servers (Linux/Windows)
  • API Services

Vulnerability assessment and penetration testing are performed with the OWASP Top 10 security vulnerabilities taken into consideration, covering the following areas: