Penetration Testing & Ethical Hacking
Sekiur's penetration testing (ethical hacking) service tests the security of your IT systems, by identifying and exploiting weaknesses. We profile your organisation from the perspective of its most likely threats, looking at your business processes, information flows and the technology that supports your operations. This allows us to determine the resilience of your environment to malicious attempts to penetrate your systems.
Penetration Testing Methodology and Tools
Sekiur has a documented, and tried and tested, penetration testing methodology based on industry best practices such as the OSSTMM (Open Source Security Testing Methodology Manual). This ensures that you receive quality and repeatable results, and minimises the risk to your systems under test.
Our team uses an arsenal of penetration testing tools similar to those used by attackers on the internet - in conjunction with in-house developed, commercial, and the best of breed open source penetration tools. Indeed, keeping up to date with the latest security vulnerabilities, trends and hacking techniques is our business.
We produce a comprehensive report covering the approach taken, the techniques applied, and the vulnerabilities identified and make procedural and strategic recommendations to ensure that your systems are secure against future attack.
Vulnerability Assessment vs Penetration Testing (Ethical Hacking)
Vulnerability assessments use testing tools (vulnerability scanners) to identify security vulnerabilities in a system or environment. While they highlight the technical threat, they do not qualify the business threat nor do they assess common attack methods. Thus, the major distinction between a vulnerability assessment and a penetration test (sometimes referred to as Ethical Hacking) is that the vulnerability assessment does not actively exploit the identified problems to determine the full exposure or validate its existence which can lead to inaccuracies in the report (false positives).
Unfortunately, many organisations claiming to perform penetration tests actually "oversell" their services and just provide vulnerability assessments using scanning tools. Although the initial cost may be less, attack scenarios can be overlooked which can lead to a later security breach. Sekiur does not engage in these practices, and all identified security issues are reported with step by step instructions and screenshots on how to replicate the exploitable condition. Demonstrating the real risk visually provides value to management who may be unable to grasp some of the complex technical concepts involved in this line of work and highlights the urgency in fixing some issues.
Types of Pen Tests
Our pen testers can perform a range of assessments that simulate attack testing scenarios from individuals with varying degrees of knowledge and access to your systems.
- External - casual or focused intruders on the Internet with limited knowledge
- Internal - disgruntled or careless employees or contractors with legitimate access to the corporate network
- Extranet - business partners who are part of the corporate Extranet
- Remote access - casual or focused intruders from known and unknown remote access entry points
Sekiur penetration testing specialists are also experienced with performing tests which address the PCI DSS quarterly vulnerability scan (ASV) and annual penetration test requirements.
Penetration Testing as Part of Corporate Governance
Penetration tests are a requirement for meeting regulations such as PCI DSS, SOX, and HIPAA. It is also defined in industry standards such as ISO 17799 and ISO 27001 as important security tests an organisation should regularly undertake.