Always on the lookout for threats

Penetration tests typically fall under one of two categories from a credential perspective.

• Full credentials: The tester is provided with information such as the range of IP addresses, make and model of firewalls, details around the operating systems used, etc. Additionally, it’s common that the tester will be provided with credentials such as usernames and passwords ahead of the test.
• No credentials: The tester is provided with no information around the target other than the name of the company. Due to the unknown factor involved, a test with no credentials is typically sandboxed and delivered within a definitive timeframe (i.e., we’ll attack the network for three days and report on what we find within that time).

Once the issue of credentials has been clarified, there are a number of different types of penetration tests that can be carried out. Some of the most common tests are:

• External infrastructure test: Test of the external infrastructure and usually takes the form of external IP testing.
• Internal infrastructure test: Test of the internal infrastructure within a network and typically involves a sample of desktops, servers, switches, and routers.
• Web application test: Test of web applications and typically involves attempts to escalate privileges and use cross site scripting (XSS).
• Firewall configuration review: Review of current firewall configuration to ensure there are no conflicting rules in place.
• Social engineering: Testers will physically breach a building in order to bypass internet security protocols and expose breaches in physical security.

Whilst there are many drivers for choosing a penetration test, the most common ones are:

• Best practice: It’s best practice to regularly carry out a penetration test. Networks are continuously changing, and a penetration test is the best way to establish where new vulnerabilities lie.
• Compliance: Certain industry or cyber security compliance standards require a penetration test. For example, any organisation who receives card payments must comply with Payment Card Industry (PCI) standards, which mandate an annual penetration test.
• A major update or network refresh: If your organisation has recently gone through a major update or network refresh, a penetration test can ensure that your network is as secure following the update as it was prior to it.

Secon has over two decades of experience in the cyber security industry and we know what our clients need.

We work with a broad network of trusted partners and match our clients with the right penetration testing organisation that can carry out both CHECK and CREST certifications.

By working with Secon, our customers can:

• Utilise existing procurement routes in order to schedule penetration tests with vetted providers
• Review the final report’s remediation advice with our in-house security experts
• Consult our team on how to prioritise and implement the advice