Penetration Testing provides a comprehensive review of your organisation's information security. It's a deep dive into your network's security, designed to discover areas of concern and highlight where improvements could be made in infrastructure, procedures and policies. By ethically exploiting your organisation, Chess can help find, prioritise and remediate vulnerabilities in your network.
Our specialist penetration testers scan your network using a combination of automated and advanced real-world techniques that are closely aligned with the Open Source Security Testing Methodology Manual (OSSTMM), to ensure it is as secure as possible.
Entrusting your IT systems and sensitive data to a stranger for pen testing can be a risky business. Chess is certified by The Council for Registered Ethical Security Testers (CREST), a non-profit organisation which aims to bring high quality and constancy to the global technical cyber security sector. CREST provide internationally recognised accreditations for organisations and individuals providing penetration testing services, ensuring you’re in safe hands, and that you can expect the very best from your penetration tester.
Carrying out a penetration test helps you:
- Think like the enemy — identifying vulnerabilities from the perspective of a ‘black hat’ attacker or malicious user
- Improve your business security stance, meet regulatory compliance requirements such as PCI DSS and ISO 27001, and reduce the risk of attack and data loss
- Assist with GDPR compliance
- Ensure that due care is demonstrated by your organisation and its directors
- Preserve your brand and reputation
- Gain reassurance that your people are working to best practices
- Highlight areas that can be improved using your existing security product licenses and technology to achieve return on investment
1. Scoping and Planning
Determining the reasons you need a penetration test, and documenting the process you are going to use. Understand your drivers and motivations for requiring a penetration test. Is it regulatory compliance? Or the fact that your business holds commercially sensitive intellectual property? Your motivations will influence the scope of your pen test.
Researching the network and establishing what details and data can be found. Your pen tester will review and gather information on the system or systems where entry points might exist and how they could be accessed. These will include elements such as employees, IP addresses, email addresses, websites, social media and other network-based systems.
3. Threat Assessment
Using various tools and techniques to identify potential vulnerabilities, gateways and vectors into the network. Commonly, pen testers use a mix of automated and manual tools to examine attack avenues and find network vulnerabilities.
4. Exploitation of Vulnerabilities
Attempts to penetrate the network defences and (if in scope) gain control over a target system. The aim, having first gained access to the network, is to see how far the attack can go, establishing administrative privileges where possible and then using them to effect lateral movement to other systems.
Having completed the exploitation phase, the pen tester will create a penetration test report which includes findings on the vulnerabilities discovered, the full extent of access that was gained, details of systems that were breached, changes (if any) that could be made and a set of recommended remediation actions.
If required, your penetration tester may provide consultancy services to reduce or fix any vulnerabilities found and improve overall security. It’s also worth saying that your pen testing provider will ideally offer a social engineering test, such as a phishing exercise. The human security interface is always a difficult area because internal employees may unwittingly be duped into giving hackers security information or may click on bogus links.
Our UK-based engineers are certified to the highest standards and have proven experience in the field, including:
- CREST Approved
- Highly trained Penetration Testers (OSCP, CREST, SANS)
- Field engineers who are experienced and talk your language
- 2 levels of penetration test services to work within your budgets
- Penetration tests follow an established methodology
- Vulnerability Assessments and IT Health Checks.
Penetration Testing Knowledge
CREST Certified Penetration Test Sample Report
Not all Penetration Test Reports are created equal. Methodology can vary from supplier to supplier, but the essential element common to all Penetration Tests is the written report, key to guaranteeing the maximum value from the overall process. What should you look for in a Penetration Test Report?
Pen Testing Explained
What Is Pen Testing – and Why Does It Matter?
The aim of a penetration test is not only to provide an organisation with a view of their security position but also to assess the would-be impact of a compromise.
In this insightful webinar, Chess Pen Tester Ben Pymner explores the key elements of this essential tool in the battle against cybercrime.