Penetration testing is a valuable first step in identifying current vulnerabilities while demonstrating how attackers can significantly impact the client’s business.
Obrela Security Industries penetration testing services mimic an attacker intent on initiating unauthorized business transactions and accessing critical corporate client information, financial records and other sensitive information. By simulating logical attacks on systems, networks and applications, our engineers provide an in-depth understanding of the security threats and methods of compromise.
The result is a detailed roadmap that helps our clients prioritize areas of weakness in their network perimeter or web applications. Penetration testing can be conducted in several ways.
Penetration Testing is designed to:
- Combine the use of the sophisticated, up-to-date techniques used by ‘hackers’ and best-of-breed, proven, technical products with experienced professional staff to undertake a thoroughly planned and managed process of investigation.
- Examine weaknesses that may be present, which could be exploited by an attacker aiming to compromise the confidentiality, integrity or availability of electronic systems and data.
- Examine weaknesses in the installation of the systems, and advise the nominated technical representative/contact on procedures to correct and secure the service throughout the assessment process.
- Propose solutions to monitor and audit the security of the application and critical infrastructure.
Testing may be performed with no prior knowledge of the site (“black-box”) or with full disclosure of the topology and environment (“white-box”). Testing typically involves a comprehensive analysis of publicly available information about the target and a network enumeration phase in which target hosts and security devices such as screening routers and firewalls are identified and analyzed. Vulnerabilities of the target hosts within scope are then identified, verified and exploited, and the implications are assessed.
A zero-knowledge test, performed by testers who have no real information about the target environment, is designed to provide the most realistic penetration test possible. It usually includes gathering a significant amount of information about the target system before launching the attack. A full-knowledge test, on the other hand, is performed with the tester having as much information about the target environment as possible. It is designed to simulate an attacker who has intimate knowledge of the target organization’s systems, such as a real employee.
| Target Knowledge | Zero | Limited | Full access |
|---|---|---|---|
| Social Engineering | Yes (optional) | Yes (optional) | No |