What is it?
Penetration testing can be defined as the use of techniques and tools to identify the exploits and vulnerabilities that exist within an organisation's IT infrastructure. The way in which this is carried out varies hugely amongst testers. At MWR InfoSecurity we work with a mix of automated testing, to provide consistency, supported by manual testing and tools to discover vulnerabilities. It is important to differentiate between a vulnerability assessment, which checks for potential vulnerabilities, and penetration testing, which seeks to exploit the findings.
Why do it?
Penetration testing is an ideal way to justify spending on security controls, as it physically demonstrates the flaws that exist in operational systems. Regular penetration testing should be undertaken as an integral part of an organisation's overall security framework. By conducting testing, you will discover vulnerabilities within your infrastructure and ways in which your systems could be compromised. With this knowledge you can then take the necessary steps to strengthen your defences against possible attack.
What does it mean to my organisation?
Most organisations use penetration testing as a part of their overall security assurance activities as it can provide a snapshot of the level of vulnerability that exists in an organisation. Testing can simulate various types of threats, giving an organisation a view of the severity of a particular threat and the impact this could have on the business.
Testing enables you to meet many of the legislative requirements relating to information security, such as e-government directives, BS7799, ISO 17799, Sarbanes-Oxley and Basel II.
Why work with MWR InfoSecurity?
Testers need to be able to think like the enemy. By using an external organisation to conduct testing you are more likely to discover vulnerabilities which may be overlooked by automated systems or internal staff.
Testing is carried out solely by highly skilled and experienced testers using a combination of automated and manual approaches to avoid false positives. To ensure best practice we adhere to industry guidelines, including OSSTMM, OWASP and CHECK. Our testing ensures that network components and infrastructure are configured for best performance.
Within five days of the test being completed, you will receive a report including an executive summary and detailed technical findings. Our reports support remedial action and include post-testing support, fixes and workarounds. After issuing the report, the testing team is available by email and phone to discuss the findings and recommended remedies.
Every result, from port status to specific exploits and vulnerabilities, is presented with best practice advice on how to reduce and remove the risk. Risk ratings are supplied for every vulnerability and exploit so that you can prioritise your remedial work.