Penetration Testing

What is Penetration Testing?

Penetration testing is a planned attack on an organization's network or system, web application, facilities or staff.

Unlike a real attack, a penetration test is performed by ethical hackers, not criminals, in order to assess the security system and find hidden vulnerabilities.

Why Penetration Testing is Important

Automated vulnerability assessment tools are an essential part of your security strategy, but they only go so far. They focus on breadth of coverage– every IP address, every port, every URL– and look for well known technical flaws.

Penetration testing however is all about, using human cunning, and the latest strategies of real threat actors. This tactic allows organizations to assess their real-world risk and locate security vulnerabilities before they can be exploited by criminals. 

That typically includes highly skilled specialists using both tech-based tools and also social engineering to manipulate individuals into divulging information that can be used to access your system.

penetration-testing-truvantis-security

Unlike automated tools, penetration testing can account for: 

  • Unlocked workstations 
  • A lack of physical security
  • Security protocols being bypassed for convincing strangers
  • Publicly-available information that may be leveraged to access your system 
  • Passwords that can be guessed using social media 
  • Technical flaws beyond the reach of vulnerability assessment tools
  • Zero day vulnerabilities where unpatchable defects can be exploited

A manual penetration test performed by an experienced team is the best way to get confident answers when you have concerns or questions about your security, including:

  • Are your security controls working how you think they are?
  • Can hackers break in?
  • How much risk are you exposed to?
  • How can you convince people that your product/service is safe and secure?
  • Are you protected against the most up-to-date methods being employed by cyber criminals?
  • How would your security team detect and respond to a cybercrime in progress?
  • Does your security posture make assumptions about users and adversaries that are not necessarily true?
truvantis-penetration-testing-categories

Ethical Hackers to Strengthen Your Defenses

All information security compliance standards, including PCI DSS, SOC2, ISO27001 and HIPAA, require penetration testing.

Why? Not only can a penetration test give you a more accurate snapshot of your security risks and systems, the findings are manually identified by real whitehat hackers using the same approaches as the bad actors. 

With results that include verified data and strategic suggestions to confidently remediate risks, you can better target resources and harden your security system where it matters. 

Beyond security strengthening and compliance, penetration testing can also support the sales of a product or service as an independent, third party verification of security claims. 

How Penetration Testing Fits into Your Security Strategy

Penetration testing doesn’t replace the need for frequent automated vulnerability assessments. Instead, this hands-on testing should be used to supplement your ongoing security - normally once per year or after a major change to your environment or product. 

The cost of true penetration testing is significant for good reason. Essentially, you’re hiring whitehat (ethical) hackers for hands-on testing that requires both time and experience. 

Continuous or weekly penetration testing isn’t just unnecessary, it is often just a mislabeled vulnerability assessment with no human cunning included. Be wary of any companies recommending penetration testing so frequently. The cost of real, ongoing penetration testing would be too high to make it a sustainable security option. Just having a human validate the results of a vulnerability scan does not make it a penetration test.

Our Background

Nothing affects the quality of your penetration test as much as the testers themselves. 

The Truvantis penetration team is carefully chosen for both their technological expertise and extensive real-world experience with banks, large enterprises and government clients. They’ve created the unique approach we use to serve our clients better. And they’re the engineers behind each of our valuable solutions, tailored specifically to the client’s needs and industry.

What We Do

The Truvantis penetration testing team uses a hands-on approach with custom tools and only senior security engineers. Our experts will guide you through the entire process, ensuring that you feel comfortable and confident throughout the test. 

With our help, your organization will not only be able to remediate the issues that discover, but also:

  • Identify and close compliance gaps
  • Develop improved policies and procedures
  • Structure a comprehensive security program you can rely on

We’ll begin by helping you develop a penetration testing plan for your specific needs, goals and system.

truvantis-what-we-do-penetration-testing

The Types of Penetration Testing We Perform

  • Network testing: Testing both the external perimeter, and the internal LAN to simulate access by an employee, infiltrator or malware incident  -especially ransomware.
  • Wireless testing: Assessing the defenses of your wireless network.
  • Physical access: Testing the security of your physical location and any opportunities for intruders to access your facility and the network within. This may include connecting rogue devices, installing keystroke loggers, recovering sensitive information that was improperly disposed of, etc. 
  • Social engineering: Security assessment using publicly-available information to support human manipulation or deceit in an attempt to access your system and data. Includes sending phishing emails to your staff.
  • Segmentation testing: A series of penetration tests designed to test the security of the controls separating systems with different security needs.
  • Red Team or Tiger Team testing: A team of professional hackers orchestrating a simulated attack to assess the performance of your security team in a real-life scenario. 
  • IoT & SCADA testing: Exploiting your IoT or SCADA systems directly, or as a weak point to gain access into your regular network.

For each of these tests, we can launch an attack using different levels of prior knowledge.

  • White Box: Penetration testing in which the tester is provided in-depth background knowledge of the computer systems and their specifications.
  • Black Box: A penetration test in which the tester possesses no knowledge of the systems or their specifications.
  • Gray Box: Penetration testing with the tester possessing some limited amount of information about the systems and their specifications.

Scheduling Your Test

We’ll help you schedule testing for a time that won’t disrupt the flow of your business. The invasive nature of penetration testing is a common concern. However, testing can be performed with such minimal disruption to your business that your team may not even realize it’s happening. 

Keeping Your Data Secure

Whitehat hackers, the ethical security engineers that perform penetration testing, pose no threat to your data. Our team, tools and methodology all maintain your current level of security throughout testing. 

Immediate threats are communicated to your team as they’re discovered. Then, upon completion, we provide clear, actionable recommendations for all other noted vulnerabilities so that you can allocate resources and take action to harden your system, fast.

Our Process

1

Planning

Each penetration test begins with a kick-off call to thoroughly explain the testing process, decide on the rules of engagement and determine what a successful test looks like in terms of the client’s goals.

truvantis-penetration-testing-planning
truvantis-penetration-testing-discovery
2

Discovery

Next, the testing team uses every agreed upon means to gather information on the system and look for potential vulnerabilities. This first part of the discovery phase can cover everything from network assessment to gathering useful data via social media and public information or the dark web. 

In this phase, we’ll gather helpful information, this may include:

  • IP address and host name
  • Employee personal and contact information
  • Facility addresses and security systems
  • Potential password information such as pet and child names or birthdays, or vendor default passwords that were never changed
  • Application versions and service information
  • System names and shares
  • Missing patches
  • Trust relationships between machines, domains and security realms

In the next stage of the discovery step, the gathered information is leveraged to help us find potential points of attack.

3

Attack

During the attack phase, the tester attempts to exploit the systems to gain advantage. Steps of the attack include:

  • Gain access
  • Escalate privileges
  • Browse and explore
  • Install additional tools
  • Achieve persistence
  • Cover tracks

The attack phase usually leads to additional discovery and suggests new lines of attack, often involving a ‘pivot’ from one system or area into another even more sensitive one.

The ultimate goal of the tester is typically to gain access to a specific data set, system, or similar achievement determined by the testing team and client before testing begins.

If any urgent vulnerabilities are discovered during the testing phase, our team uses established protocols to alert your security team of the issue for immediate remediation.

truvantis-penetration-testing-attack
truvantis-penetration-testing-reporting
4

Reporting

Once all avenues of discovery and attack are exhausted, our team provides you with a full report of the findings and any vulnerabilities uncovered with details, including:

  • What we did
  • What we found and where
  • Proof of the issue or vulnerability
  • Severity of the issue (often using CVSS)
  • Explanation of why it is important, in language you can easily share with your C-suite
  • Recommendation and strategies for remediation and hardening of your security

Trust Truvantis with Your Cybersecurity

Truvantis is dedicated to providing more value in your penetration testing.

With the technical excellence of a larger firm and the hands-on care of a small one, we’ve designed each of our tools and unique testing methodologies to serve you better. That includes an entire team of only the highest caliber security experts and solutions that are always custom to the needs of our clients. 

When you need a penetration testing partner, trust Truvantis.