Penetration Testing Services – Overview
Network Penetration Testing, also known simply as Penetration Testing, is a method of assessing the security posture of a network infrastructure. It involves identifying and classifying the targets, fingerprinting them, identifying vulnerabilities and exploiting those vulnerabilities. Through this exercise we can measure the strength of the controls put in place to defend the network and its systems, and also verify adherence to compliance requirements and security policies.
The primary goal of a Pen-Test is to identify potential vulnerabilities and report them to management, along with recommended remediation methods. SecuritySkool Penetration Testing services assess your network security defenses and help ensure compliance with the appropriate government and industry regulations.
SecuritySkool – Penetration Test Methodology
Our Penetration Testing Methodology is continually refined and evolved to handle the latest emerging threats. The methodology is built on standard frameworks, including OWASP, the NIST Special Publication 800 series guidelines, OSSTMM, ISSAF and WASC. We adopt the most up-to-date penetration testing tools together with manual testing methodologies. In most scenarios we employ a combination of both automated scanners and manual testing. Automated scanners are used to categorize and fingerprint the assets and to identify known and common vulnerabilities; this covers only a small part of the overall security scan. The major part of the penetration testing and vulnerability testing is executed using custom-made manual testing methodologies.
SecuritySkool – Penetration Testing Types
Basic Penetration Test
Covers the basic essentials from a compliance and due-care perspective. This includes network testing, configuration review, patch management and detailed reporting on remedial plans and on how to improve the overall security posture of the company.
Advanced Penetration Test
Here we go a level beyond the basic penetration test, bring in a few methodologies from forensics, and provide more insight into the strategies used by attackers against your network. This includes defences against the more complicated attack methodologies used in Advanced Persistent Threats (APT).
IT Threat Evolution in Q1 2015
Why does your organization need Penetration Testing?
- Find and Fix the Vulnerabilities before they are identified and exploited by attackers
- Continuous assessment of security posture of Critical systems
- Unbiased Security-Posture evaluation and Risk-reporting to management
- Continuous Identification and Prioritization of risks
- Security Evaluation, Awareness and Training for employees
- Compliance requirements
- Discovering vulnerabilities in new Technologies or Applications
OWASP Top 10 – Compared
OWASP, the Open Web Application Security Project, is an international organization dedicated to enhancing the security of web applications. One of the most popular OWASP-sponsored security projects is the OWASP Top 10 Project, a ranking of the top 10 web application security risks worldwide. The OWASP Top 10 list not only ranks and defines the vulnerabilities but also provides examples and suggests methodologies and best practices for handling each vulnerability.
The latest OWASP Top 10 – 2013 was published in June 2013 and supersedes the list published in 2010. OWASP prioritizes the Top 10 list based on prevalence and on other factors such as exploitability, detectability and impact. The OWASP 2013 Top 10 list is based on data from seven application security firms, spanning over 500,000 vulnerabilities across hundreds of organizations.
OWASP Top 10–2010 (Previous)
- Broken Authentication and Session Management
- Cross-Site Scripting (XSS)
- Insecure Direct Object References
- Insecure Cryptographic Storage – merged with A9
- Failure to Restrict URL Access – broadened into
- Cross-Site Request Forgery (CSRF)
- buried in A6: Security Misconfiguration
- Unvalidated Redirects and Forwards
- Insufficient Transport Layer Protection
OWASP Top 10–2013 (New)