What & Why?
Penetration Testing (Pen Testing) actively attempts to 'exploit' the vulnerabilities and exposures that may exist in an organization's network. By exploiting security weaknesses, a Penetration Test will attempt to gain read/write access to system resources, gain shell access to operating systems and obtain comprehensive access to application and database resources. Once a device has been compromised, a Penetration Tester will look to branch out and gain further access to system resources that reside on DMZ and internal networks.
intiGrow's highly skilled Ethical Hackers perform Penetration Tests with an approach that simulates the tasks and efforts a real-world attacker might undertake, but without damaging or disrupting any of an organization's production services.
By taking this service an organization can baseline its current security posture, identify threats and weaknesses, and start implementing remediation strategies.
intiGrow's systematic approach to performing a Penetration Test is described below:
- Scoping: Agree on the target and scope of the assignment.
- Approval: Obtain approval and sign-off for the test.
- Scheduling: Agree on the start date and duration of the testing.
- Discovery: Gather information about the target and associated infrastructure.
- Vulnerability Scanning: Assess target systems and services for known vulnerabilities.
- Target Penetration: Compromise security (if within scope) and assess access to other systems.
- Analysis: Investigate results of the testing and penetration phases and their likely impact.
- Reporting: Report findings of the testing. The report will include an executive summary, vulnerabilities discovered and remediation advice.
The different types of Penetration Tests that can be performed:
White Box Testing
In a White Box test, clients provide us with information about the applications and infrastructure prior to the commencement of the test. Usernames and passwords would be provided to our testing team. In certain cases the client may even provide us with access to source code. In this type of testing engagement, intiGrow works closely with the client to perform the assessment. These types of tests tend to yield a deeper understanding of the application and infrastructure logic, and may generate more comprehensive test results than other penetration testing approaches.
Black Box Testing
In a Black Box test, the client provides intiGrow with no information about their infrastructure other than a URL or even just the company name. We will do the necessary probes and research before attempting to penetrate the environment, much like a real hacker with no information about the infrastructure or application logic that they are testing. Black Box tests tend to take longer to commission than White Box tests and may identify fewer exposures and vulnerabilities than White Box tests, but they simulate the real-life scenario much more closely than the other types.
Grey Box Testing
A Grey Box test is a blend of Black Box testing techniques and White Box testing techniques. In Grey Box testing, clients provide intiGrow with snippets of information that will aid the test. This results in a more focused test than in Black Box testing as well as a reduced timeline for the testing engagement.