Penetration Testing

Web Penetration Services

A hacker’s goal is to penetrate your system and wreak havoc. A hacker will try every way possible to breach your network. It is a best practice in IT Security to conduct a penetration test once a year, at a minimum. It is recommended to conduct a couple of tests a year, because the threat landscape is constantly changing. Knowing your network weaknesses, and fixing the issues found, are part of a successful audit, as required by all regulatory compliance audits. Not passing the audits can incur very expensive fines, which can add up to be more than the solution to the issues. It is important to note that a penetration test is an aggressive type of testing, and can interrupt a client’s services.

EthicalHat has experts who conduct penetration tests every single day. Should you decide to have a penetration test conducted by EthicalHat, the following process will happen:
1. EthicalHat will require written permission to assess your network. This is required by law, and the penetration test will be tailored to your specific needs.
2. Depending on the type of penetration test (see below for the types), EthicalHat will ask for IP and network information.
3. Upon completion of the penetration test, you will receive a report detailing issues found, with proof of the findings.
4. Recommendations will be made for protection of your network.

A penetration test has a number of goals:
• Determining attack vectors
• Identification of high profile assets, and low profile assets that are at risk
• Identification of vulnerabilities that are not easily detected by automated systems
• Assessment of potential business and operational impacts of successful attacks
• Testing your existing protection systems to see if and how they respond to attacks
• Providing proof and recommendations to protect your network with the most cost effective solutions



Types of Penetration Tests

Black Box Testing
In Black Box testing, the penetration tester has no prior knowledge of the client network. He or she has to determine the client’s IP addresses, map the network, and attempt to reach “trophy targets” without any assistance from the client. A “trophy” is a snapshot of items in a client’s database, for example. It may be a file list from an employee’s computer, or it can be something physical like the tester actually walking into a company’s front door to see what physical security exists. In Black Box testing, the client doesn’t know when the testing will occur, and will not know where it is coming from. This is to be able to determine what the regular response would be to an intrusion. Are there alerts? Is the penetration tester blocked? Can the penetration tester retrieve anything that he or she desires?
A Black Box test is expensive, because it takes considerable time to conduct, but it will tell you where your security has holes. It is thorough, and it is effective. The Black Box test is worth the expenditure, because it will give a true scenario of what a hacker can find with regard to your security posture. It is excellent as a preventative measure, so that the remediation costs can be lowered in the long run. It can help a company determine its Incident Response measures and where the company stands. A pound of prevention is far more effective than a pound of cure.
• A “Blind” Black Box test is when the attacker has no knowledge of the client’s network, but the client is prepared for the attack.
• A “Double Blind” Black Box test is when a very small number of the client’s employees are aware that a test will be taking place. This type of Black Box testing will provide the truest response to an attack.

White Box Testing
White Box Testing is when a client has provided the tester with pertinent information regarding the network.
• Infrastructure information
• Network type
• IP addresses (internal, external, subnets, and masks)
• Implemented firewall rules
• IDS/IPS details
• Alerting systems in place
• Current security implementations
• Company policies
Announced testing is when the IT staff is made fully aware of the testing taking place. The tester is allowed to check the infrastructure in place.
Unannounced testing is when only the upper management is aware of the testing taking place. The tester is able to determine the response rate and type of response from the IT staff to attacks.

Grey Box Testing
In Grey Box Testing, the penetration tester has limited information regarding the client network. Grey Box testing may take place when an auditor needs additional information regarding the client’s network in order to complete Black Box testing. Typically, in Grey Box testing, the client will know when the penetration test is going to take place ahead of time.

Talk to EthicalHat about conducting a penetration test on your network today.


Penetration Testing Team Types

There are different penetration team types that are utilized by the military and large government institutions. Additionally, the National Collegiate Cyber Defense Competition uses the same testing scenarios and puts upcoming students in security through the same paces. A good resource to understand the team types, and scenarios that they run through, can be found here. We explain the team types in brief below. An additional resource is “Red Team Versus Blue Team: How to Run an Effective Simulation”.

Red
Of the penetration testing team types, Red Teams have been in existence the longest. Although in truth a Red Team consists of White Hat hackers, the Red Team takes on the role of true hackers and does everything possible to infiltrate a client’s network. Red Teams will disrupt client services in the same manner that a hacker will. The activities of a Red Team will provide a true assessment of the condition and security of a network, because the client will not know when and how the attacks will happen. These attacks are silent, and you will most likely have no awareness that they are infiltrating your system.
A Red Team can come at you from any direction, and most often, the testing will come from multiple directions with layered attacks. This is how the hackers and attackers work against networks, and a Red Team is trained to think like hackers do. In fact, they use the same tools and scripts that hackers use, in addition to their own. Having come out of the military and large governmental organizations, a Red Team member has been trained to the highest levels. They understand the threat landscape, and keep up with the persistent changes.
Ask EthicalHat about engaging a Red Team today.

Blue
A Blue Team is the other side of the Red/Blue Team testing group. The Blue Team is the defender in an attack scenario. It is the Blue Team’s job to use every tool at their disposal in order to protect the network and assets for the client.
Ask EthicalHat about engaging a Blue Team today.

Purple
Purple testing is when both the Red Team and the Blue Team work together at the same time. The advantage of having both teams at the same time is that while the Red Team is attempting to infiltrate a network and test the security, the Blue Team is defending it. The combination of both teams gives a real scenario of the issues, what defenses are in place for a network, and what needs to be implemented. The point of the purple team is to determine the best remediation strategies.
Ask EthicalHat about engaging a Purple Team today.


Team EthicalHat · Penetration Testing