Network Penetration Testing
What could a skilled and motivated attacker accomplish if given network-level access to your external and/or internal network and no additional information? What practical controls can you implement to reduce the risk of such real-world compromises? These are the questions that we can answer for you when performing a network penetration test, and the answers can often be quite surprising.
Penetration testing is the process of evaluating the security of a computer system or network by simulating an attack by a malicious hacker. Performing regular penetration tests enables your company to comply with industry standards such as the PCI DSS and to identify and remediate high-risk security vulnerabilities before they are exploited by malicious attackers.
A network penetration test should not be confused with a simple network vulnerability scan. Although scanning is part of the testing process, it’s the manual testing and exploitation that is the hallmark of a good penetration test. Our skilled testers often chain exploits together to achieve specific goals, such as obtaining Domain Administrator access, accessing credit card information, or targeting other “crown jewels”. Most importantly, we document how we achieved such compromises and provide targeted, practical advice on how to tighten up the security of your network.
The AppSec Consulting Difference
- You're guaranteed to receive a high-quality, thorough test due to our proprietary testing methodology, which involves the use of leading commercial and open source testing tools and a large amount of manual testing and analysis.
- Our reporting differentiates us from the competition - you'll receive an actionable, custom-written report containing expert advice tailored to your business, not just automated scan results.
- We're with you every step of the way throughout the remediation phase beginning with a thorough debriefing of all findings.
- Our security professionals have real-world offensive and defensive information security experience in a wide variety of environments and keep up-to-date on the latest attack techniques.
- Preparation - AppSec Consulting arranges a conference call to review your network diagrams, determine which IP ranges are in-scope for the penetration test, provide an overview of our testing process, and discuss any special testing requirements.
- Discovery - Defined IP addresses, address ranges or Internet domains are scanned using automated tools at the Internet-layer (IP and ICMP,) and within the IP-layer on all TCP and privileged UDP ports. Responses from any given IP address, service or port are recorded. During this phase, we often discover devices and services on your network that were previously unknown to you.
- Enumeration - Responses captured during the discovery phase are compared to databases of known response types (fingerprinting). Known ports and services are mapped, providing an initial target profile for subsequent test steps.
- Vulnerability Identification – All targets on your network are probed for vulnerabilities using a variety of vulnerability scanning tools as well as targeted manual testing. If critical vulnerabilities are identified during the course of testing, we notify you immediately so that remediation can begin right away.
- Exploitation - Significant issues identified during the testing process are exploited in order to both demonstrate the vulnerabilities and better determine the level of risk posed by the issues. A wide variety of tools and techniques are used in this phase, depending on the nature of each vulnerability being exploited. Our testers attempt to chain exploits together to gain a higher level of access to the network.
- Report Preparation – AppSec Consulting takes the results of both the automated and manual penetration testing and compiles a consolidated report, detailing all vulnerabilities uncovered during the testing process along with severity levels and recommendations for how to remediate each vulnerability that was identified.
- Debriefing –AppSec Consulting presents all findings to executives and key stakeholders, answers all questions, and provides remediation advice.
What You Get
- An actionable, custom-written Penetration Testing Report, which describes the application's security posture and lists all vulnerabilities identified. For each vulnerability, we provide a custom risk rating and remediation advice that is tailored to your specific business and technical situation.
- Expert consultation throughout the remediation phase.
- Two rounds of remediation testing within 6 months of the initial penetration test to ensure that all issues are effectively remediated.