Internal and External Penetration Testing
Penetration testing, also commonly referred to as pen testing, is a vital component to every effective cybersecurity program. It is used to test the efficacy of an organization’s security controls and to help answer the question; “How hackable are we?” Organizations can trust the security consultants at Partners in Regulatory Compliance to assist in answering this question. Penetration testing isn’t just a “one and done” service. According to the InfoSec Institute, it should be performed whenever:
- Security system discovers new threats by attackers.
- You add a new network infrastructure.
- You update your system or install new software.
- You relocate
- You set up a new end-user program/policy.
Many regulations such as PCI, HIPAA, DFARS, 23 NYCRR 500 (DFS), etc. require penetration testing. So, whether you engage us in penetration testing to rest easier at night, or whether you’re required to by mandates or regulation(s), we’re here to help.
We follow the globally-recognized NIST SP800-115 for all penetration testing engagements, ensuring your project is done in a structured and efficient manner.
Our penetration testing process includes:
Rules of Engagement – Defining when and how the penetration testing will proceed, along with a communication plan, definition of in-scope assets, and any other need-to-know information. This sets the stage for an error-free pen test engagement.
Reconnaissance – In this phase of the pen test, we seek out weaknesses and vulnerabilities within your environment. These are often in the form of unpatched systems, open ports, weak encryption, and vulnerable services. We’ll also scrape your website for data such as names and email addresses that will be used as input in the next phase of testing.
Planning & Execution – This is where the active work begins. Here, we marry vulnerabilities and weaknesses to exploit tools, techniques, and attack methods. We’re effectively putting on our ethical hacker hat and putting your organization’s best-laid defenses to the test. If we’re able to get in, gain a foothold, access sensitive data, or elevate privileges, we’ll show you how we did it in detail through screenshots and detailed explanations.
All findings will be scored and prioritized for remediation based on the DREAD scoring model:
- Damage – how bad would an attack be?
- Reproducibility – how easy is it to reproduce the attack?
- Exploitability – how much work is it to launch the attack?
- Affected users – how many people will be impacted?
- Discoverability – how easy is it to discover the threat?
At the end of a penetration testing engagement, your team will receive an executive-level summary, detailed remediation recommendations, and the knowledge transfer needed to make the findings actionable so that you can work towards reducing risk by focusing on the items of highest importance first.