Penetration testing (also called pen testing, ethical hacking or blue teaming) is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit.
A true penetration test does not rely on just tools or vulnerability scanning. The next stage involves taking these scans and adding human intelligence-led testing to build a reliable and thorough picture of an organisation’s security and exploitable vulnerabilities.
An internal penetration test assumes that through some means the hacker has gained access to your network, perhaps through malware in an email, social engineering or through a vulnerability on your externally facing systems.
Web application penetration testing is the practice of using a methodical process of searching for and detecting vulnerabilities in your web applications. It’s crucial for all businesses, with web applications at the heart of 73% of breaches, according to Kaspersky.
Similar to an infrastructure penetration test, this aims to break into a web application using any penetration attacks or threats. Elements of a test can include, but are not limited to:
Our Web Application Testing includes:
We can help protect your wireless networks by helping you remove vulnerabilities and misconfigurations.
Whilst wireless hacking is less common than remote hacking, as the hacker would need to be within physical reach of the signal, there has been an increase in the number of breaches initiated through wireless networks.
Wi-Fi testing is the most common form of wireless testing and is covered in a full penetration test or an IT Health Check. Our network testing includes testing for:
Our wireless testing also covers technologies including GPRS/GSM/EDGE, LTE, Bluetooth, Wi-Fi, RFID and NFC.
With a laptop stolen every 53 seconds, your devices can find their way into the hands of hackers or rogue users. With stolen device testing, we emulate what a hacker would do if they found or stole the device. This includes a simulated attempt at breaching your security and gaining unauthorised access using the device, and what data they could gain access to. As a result, you can fully understand and evaluate the risks and potential consequences.
Stolen device tests can be conducted onsite at your organisation or at our secure testing laboratory in West Yorkshire, UK.
An IT Health Check, which is part of the Public Services Network (PSN) Code of Conduct compliance, aims to provide a level of assurance that networks containing PSN devices are secure.
Unlike fixed-price IT Health Checks, which can cause issues when audited, we visit and scope the work required, and a Lead CREST tester approves the scope of work before a proposal is sent.
This is one of the most important aspects in ensuring that it’s a worthwhile exercise that provides you with the correct level of assurance.
Our IT Health Checks undertake an analysis of your chosen scope, with guidance from our testing team leader, to identify vulnerabilities which may compromise confidentiality, integrity or availability.
Do you know how effective your organisation’s level of cyber security is? Is your strategy as watertight as you think? Many directors and chief executives often receive mixed messages from heads of department about their own levels of cyber security, with little integration, awareness or understanding about how each individual strategy is working as a whole.
Our audit reviews your entire cyber security position with a prioritised approach to reduce risks.
The outcomes of employing us to carry out a Cyber Security Audit are:
ISO 27001 is the international information security standard that’s accepted as best practice worldwide. Achieving this certification enables your company to show your customers, stakeholders or suppliers your commitment to managing information safely and securely.
But one of the common mistakes companies make is to assume this accreditation only needs work from the IT team. In reality this is rarely the case, as the standard works across most, if not all, departments, some of which may be out of scope of the certification.
We can help you meet this accreditation through our consultancy service.
ISO 27001 services offered:
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organisations that handle branded credit and debit cards from the major card schemes.
Validation of compliance is performed at regular intervals either by an external Qualified Security Assessor (QSA), a firm-specific Internal Security Assessor (ISA), or by Self-Assessment Questionnaire (SAQ). Finding a QSA with experience of both service providers and merchants can be hard, but this experience is essential to ensure they can give not only advice on your compliance but also guidance on the options available to you and how they work in real-life scenarios.
Our remote support service allows you to pay for support in advance and spend as much time as you need asking your QSA questions when needed. The service is designed to support your ongoing projects when you need specialist advice. We provide support ranging from ad-hoc remote support to end-to-end management of your PCI project, through to ROC (Report on Compliance).
Social engineering is an increasingly common and dangerous type of attack that involves tricking someone into divulging confidential or personal information, usually through technology. This data can then be used by or sold on to criminals to commit fraudulent activity. It has become so commonplace that it is overtaking the number of technical hacks.
Criminals use social engineering to take advantage of the victim’s natural tendencies and emotional reactions; assuming you have a strong password, it is much easier for a criminal to fool you into giving it up than to hack the password.
Some elements of social engineering are now an essential part of a full penetration test, adding in elements to test the human weaknesses often referred to as the “Human Network”.
We have designed 3 testing elements which can be run as stand-alone tests or added to your next penetration test: