A Penetration Test is an intrusive type of assessment which simulates an attack by a malicious hacker. The process involves a Vulnerability Assessment (VA) followed by active attempts to exploit the vulnerabilities found, both to validate each vulnerability and to evaluate the impact that its exploitation could have on the target organization. While the Vulnerability Assessment might identify the absence of anti-virus software on a system or unpatched software as vulnerabilities, the Penetration Test will determine the extent to which existing vulnerabilities can be exploited and the damage that could be inflicted on the organization as a result. The Silensec Penetration Testing Methodology includes a number of Security Assessment Modules catering for specific needs. Each module includes a number of security tests aimed at assessing specific security aspects of an organization and the way information security is managed. Penetration tests can be either internal or external.
External Security Assessment – An External Security Assessment identifies security weaknesses and strengths of an organization's systems and networks as they appear from outside the organization's security perimeter, usually from the Internet. The goal of an External Security Assessment is to demonstrate the existence or absence of known vulnerabilities that could be exploited by an external attacker.
Internal Security Assessment – An Internal Security Assessment identifies security weaknesses and strengths of an organization's systems and networks as they appear to internal users operating within the organization's security perimeter. Through the Internal Security Assessment it is possible to assess the risks associated with attacks originating from a compromised internal host or from disgruntled employees.
Wireless and Mobile
The aim of this Assessment Module is to demonstrate the existence or absence of vulnerabilities that are visible and exploitable through wireless networks and mobile devices, both from outside and inside the organization's facilities. This Assessment Module addresses desktop and laptop computers as well as modern mobile devices such as smartphones, iPads and any other device with wireless connectivity. This Module is both technical and process-oriented in nature, assessing both the technical vulnerabilities and the overall process for managing mobile security risks.
Web Application Security
The aim of this Assessment Module is to demonstrate the existence or absence of vulnerabilities in a given Web application providing internal or client-facing services. This module employs specific testing techniques to find security flaws and weaknesses in Web applications. The Silensec Web Application Security Assessment Methodology is designed as a superset of the Open Web Application Security Project (OWASP) guidelines for application security assessment.
Source Code Review
The aim of the Source Code Review module is to identify any coding vulnerabilities that affect the normal execution of software and which may have been missed by the standard software development and software assessment processes. This Assessment Module begins with a review of the software design documentation, continues with a review of the individual software modules and their inter-communications, and proceeds down to the review of the source code itself, with the aim of finding any logical, programming and accidental inconsistencies.
Physical Security
The aim of this Assessment Module is to demonstrate the existence or absence of vulnerabilities related to the physical controls adopted by an organization to protect access to secure areas and to organizational information assets. The assessment includes a review of the access control design as well as fire and environmental monitoring and controls.
Network & Systems Architecture
The objective of this Assessment Module is to assess the security posture of the organization's network and systems infrastructure by reviewing the current network design and the deployment of security devices (network and Web application firewalls, IDS/IPS, HIDS and HIPS) against security best practice and the organization's stated business objectives, risk evaluation criteria and acceptable risk levels.
Upon completion of a security assessment, Silensec will analyze the findings and prepare a written report. This report is provided for three levels of audience:
- Technical Management
- System Administrators
The final report contains a practical overview of the security posture of the organization, associated threats and pragmatic advice on how best to mitigate any identified risks. Full technical information is also presented within the report, including step-by-step instructions for remediation of security issues.
Fees and Costs
Silensec follows a risk-based approach when calculating the amount of time and effort required, and hence the cost, of a security assessment. Silensec understands that each organization has a different risk appetite and is therefore willing to accept different risk levels. By understanding the level of effort required by an attacker to compromise the organization, and by ensuring that such effort is above a certain level, the organization can consciously decide on the risks it is willing to accept.