During penetration testing (known as pentesting), auditors act as external attackers would: they try to bypass protection measures and break into a company's network. They uncover hidden system flaws and evaluate the potential impact on operations if those flaws were exploited by real attackers. In addition to a thorough technical analysis of the customer's security tools, the assessment may also evaluate the level of IT security awareness among company staff.
The experts at Positive Technologies have conducted hundreds of penetration tests on a wide range of systems for clients ranging from banks and telecom companies to utilities and government agencies. Typical penetration testing activities carried out by our team include:
Penetration testing can be conducted with or without the knowledge of key information security personnel, such as system and network administrators. Performing a simulated attack without warning these employees will give senior management a true picture of the effectiveness of their existing security measures. However, if server and network equipment has been poorly configured or security teams respond badly to the simulated attack, this kind of "unannounced" testing could cause disruption to normal network operations.
For this reason, penetration tests are often divided into external and internal stages. First, our experts try to breach the perimeter, for example, by installing malware on workstations. If this external stage succeeds, they then coordinate with system administrators before beginning an assessment of the measures in place to counteract an internal attack.
A technical penetration test identifies existing vulnerabilities in your IT infrastructure and provides practical evidence of whether they can be exploited. The following are typical steps performed by Positive Technologies experts during this testing:
In many networks, ordinary users are the weakest link. Attackers who can manipulate your employees may be able to gain control of workstations from which they might access confidential documents, data, or customer accounts; post malicious content on your websites; conduct spam or phishing campaigns using your customer contacts; use your network resources to launch attacks on other companies' systems; or restrict your ability to conduct everyday business.
Positive Technologies can use social engineering techniques to identify your staff’s level of security awareness and gauge their reactions to hacking techniques such as phishing and pharming. As well as identifying areas of security that need immediate attention at your organization, this service can be especially useful for testing the effectiveness of recent awareness training. Our testing is typically targeted at selected user groups, with different test scenarios applied to different groups. These may include:
To truly act like external attackers, our testers combine the information gathered in both technical and sociotechnical penetration tests to demonstrate how hackers can piece together weaknesses to circumvent your existing security mechanisms, escalate network privileges, gain access to confidential information, modify your DBMS, or persuade users to sidestep compliance with existing security policies.
The key deliverable from our penetration testing services is a report detailing: