Penetration Testing provides a comprehensive review of your organisation's information security. It's a deep dive into your network's security, designed to discover areas of concern and highlight where improvements could be made in infrastructure, procedures and policies. By ethically exploiting your organisation Chess can help find, prioritise and remediate vulnerabilities in your network.
Our specialist penetration testers use a combination of automated and advanced real-world techniques, closely aligned with the Open Source Security Testing Methodology Manual (OSSTMM), to assess your network and ensure it is as secure as possible.
Entrusting your IT systems and sensitive data to a stranger for pen testing can be a risky business. Chess is certified by The Council for Registered Ethical Security Testers (CREST), a non-profit organisation which aims to bring high quality and consistency to the global technical cyber security sector. CREST provides internationally recognised accreditations for organisations and individuals offering penetration testing services, ensuring you're in safe hands and that you can expect the very best from your penetration tester.
Carrying out a penetration test helps you:
- Think like the enemy — identifying vulnerabilities from the perspective of a ‘black hat’ attacker or malicious user
- Improve your business security stance, meet regulatory requirements such as PCI DSS and ISO 27001, and reduce the risk of attack and data loss
- Assist with GDPR compliance
- Ensure that due care is demonstrated by your organisation and its directors
- Help preserve your brand and reputation
- Provide reassurance that your people are working to best practices
- Highlight areas that can be improved using your existing security product licences and technology, achieving a return on that investment
1. Scoping and Planning
Determining the reasons you need a penetration test, and documenting the process you are going to use. Understand your drivers and motivations for requiring a penetration test. Is it regulatory compliance? Or the fact that your business holds commercially sensitive intellectual property? Your motivations will influence the scope of your pen test.
Researching the network and establishing what details and data can be found. Your pen tester will review and gather information on the system or systems where entry points might exist and how they could be accessed. These will include elements such as employees, IP addresses, email addresses, websites, social media and other network-based systems.
3. Threat Assessment
Using various tools and techniques to identify potential vulnerabilities, gateways and vectors into the network. Commonly, pen testers use a mix of automated and manual tools to examine attack avenues and find network vulnerabilities.
4. Exploitation of Vulnerabilities
Attempts to penetrate the network defences and (if in scope) gain control over a target system. The aim, having first gained access to the network, is to see how far the attack can go: establishing administrative privileges where possible and then using them to move laterally to other systems.
Having completed the exploitation phase, the pen tester will create a penetration test report which includes findings on the vulnerabilities discovered, the full extent of access that was gained, detail of systems that were breached, changes (if any) that could be made and a set of recommended remediation actions.
If required, your penetration tester may provide consultancy services to reduce or fix any vulnerabilities found and improve overall security. It’s also worth saying that your pen testing provider will ideally offer a social engineering test, such as a phishing exercise. The human security interface is always a difficult area because internal employees may unwittingly be duped into giving hackers security information or may click on bogus links.
Our UK-based engineers are certified to the highest standards and have proven experience in the field, including:
- CREST Approved
- Highly trained Penetration Testers (OSCP, CREST, SANS)
- Field engineers who are experienced and talk your language
- 2 levels of penetration test services to work within your budgets
- Penetration tests follow an established methodology
- Vulnerability Assessments and IT Health Checks
Penetration Testing Knowledge
Home Working - Can You Collaborate?
#3 Connectivity and Support at Home
Working from home is now an everyday reality for many of our customers, and network issues can be a challenge.
As schools have now closed and other businesses have also sent people home, many home workers are struggling to run their real-time work apps, such as voice and video conferencing, without interference from other people in the household who are also working from home or using other online content.
A Hackers Guide to Remote Working
Remote working for a hacker is brilliant, and not in the sense that they can work from home in a dark room wearing a hoodie. But because remote working means that a business is intentionally giving a path into the internal network that could potentially be accessed by anyone on the internet. This blog post covers some of the things that we have encountered across the team over the years.
#2 Your Cyber Security
If you are allowing devices to connect from people's houses, it's possible that these home networks have already been compromised by hackers or will be in the future. Implementing two-factor authentication, where another device such as a mobile phone is used for extra security, is the most important security measure that can be applied to remotely accessible systems.
#1 Your Telephony
As the Covid-19 situation looks set to escalate, there's a lot to think about to keep your business running. Last week we shared the Top 10 areas we've focused on to ensure our own business continuity.
From today, we'll be going into these in more detail, setting out what we've learnt and offering specific guidance and support. Let's start with telephony.
About six months ago, with the slow death rattles of the exquisite Empire C2 drawing near (not going to lie, I'm still in mourning – that and python2), I was on the hunt for a new platform to sink my teeth into. While playing around with various frameworks on offer such as SilentTrinity, Faction and Merlin (all of which have their positives), I started looking at Cobbr's Covenant framework....