4 Dec '08 - SOS consultant presented at AISA annual seminar day on virtualisation security...                 16 July '08 - SOS consultant interviewed by ZDNet Australia on BlackBerry PDF flaw...                 15 July '08 - SOS consultant interviewed by Australian IT on PCI standards...                 14 April '08 - SOS consultant interviewed on Channel 10 and SBS news on data leakage...                 11-14 Feb '08 - SOS consultant presented at SecurityPoint 2008... Click here for more information.                30 Nov '07 - SOS consultant presented on PCI DSS at the AISA annual seminar day... Click here for more information.                23 Oct '07 - SOS consultant interviewed on SPAM... Click here to read the article or here to listen to the podcast.                5 Sep '07 - SOS consultant presents at AISA VoIP seminar.
 
  Overview
  Assessment
  Risk Assessment
  Standards Compliance
  Architecture & Design Review
  Penetration Testing
  Application Security
  PCI Compliance
  SCADA Assessment
  Wireless Security
  Host Security Assessment
  Database Security
  Telecom Security
  Incident Response
  Architecture
  Implementation

 

 
 
Home > Services > Assessment

Penetration Testing

If there is a weakness in your IT security system, wouldn’t you prefer to find it before someone else does?

Sense of Security’s penetration testing service tests the security of your IT systems, by identifying and exploiting weaknesses. We profile your organisation from the perspective of its most likely threats, looking at your business processes, information flows and the technology that supports your operations. This allows us to determine the resilience of your environment to malicious attempts to penetrate your systems.

Our Penetration Testing Methodology & Tools

Sense of Security has a documented, and tried and tested, penetration testing methodology based on industry best practices such as the OSSTMM (Open Source Security Testing Methodology Manual). This ensures that you receive quality and repeatable results, and minimises the risk to your systems under test.

Our team uses an arsenal of penetration testing tools similar to those used by attackers on the internet - in conjunction with in-house developed, commercial, and the best of breed open source penetration tools. Indeed, keeping up to date with the latest security vulnerabilities, trends and hacking techniques is our business.

We produce a comprehensive report covering the approach taken, the techniques applied, and the vulnerabilities identified and make procedural and strategic recommendations to ensure that your systems are secure against future attack.

Vulnerability Assessment vs Penetration Testing (Ethical Hacking)

Vulnerability assessments use testing tools (vulnerability scanners) to identify security vulnerabilities in a system or environment. While they highlight the technical threat, they do not qualify the business threat nor do they assess common attack methods. Thus, the major distinction between a vulnerability assessment and penetration testing (sometimes referred to as Ethical Hacking) is that the vulnerability assessment does not actively exploit the identified problems to determine the full exposure or validate its existence which can lead to inaccuracies in the report (false positives).

Unfortunately, many organisations claiming to perform penetration tests actually “oversell” their services and just provide vulnerability assessments using scanning tools. Although the initial cost may be less, attack scenarios can be overlooked which can lead to a later security breach. Sense of Security does not engage in these practices, and all identified security issues are reported with step by step instructions and screenshots on how to replicate the exploitable condition. Demonstrating the real risk visually provides value to management who may be unable to grasp some of the complex technical concepts involved in this line of work – and highlights the urgency in fixing some issues.

Types of Pen Tests

We can perform a range of assessments that simulate attack testing scenarios from individuals with varying degrees of knowledge and access to your systems.

  • External - casual or focused intruders on the Internet with limited knowledge
  • Internal - disgruntled or careless employees or contractors with legitimate access to the corporate network
  • Extranet - business partners who are part of the corporate Extranet
  • Remote access - casual or focused intruders from known and unknown remote access entry points

Sense of Security penetration testing specialists are also experienced with performing tests which address the PCI DSS quarterly vulnerability scan (ASV) and annual penetration test requirements.

Penetration Testing as Part of Corporate Governance

Penetration tests are a requirement for meeting regulations such as PCI DSS, SOX, and HIPAA. It is also defined in industry standards such as ISO 17799 and ISO 27001 as important security tests an organisation should regularly undertake.

Key Penetration Testing Technology Focus Areas

Traditional penetration testing disciplines:
  • Network penetration testing (infrastructure penetration testing), e.g. router, switch, firewall, etc.
  • Server penetration testing, e.g. operating system, application, etc.
Advanced penetration testing technology disciplines include, but are not limited to:

Vulnerability Management & Protection

Our penetration testing service can be provided as a one-off assessment, or you can leverage our security expertise to provide you with continuous, cost-effective, managed vulnerability protection where we work with you to develop a recurring vulnerability assessment program for different segments of your environment. With a recurring program we can highlight current exposures in a timely fashion, and provide you with trending data that allows you to monitor the progress of your IT security initiatives over time.

Penetration Testing Articles & Information

Does your penetration testing only scratch the surface? - Sense of Security Article

Open Source Security Testing Methodology Manual

Next Steps

Contact us if you require any additional information on the services that we offer, or for a free no obligation systems security consultation.

Name:

 *

Position:

Company:
   

Email:

 *

Phone:

 *
   

Enquiry:

 *
  * Denotes required field.

 

Do you want to get started right away? Click here for a Free Trial Vulnerability Scan using QualysGuard.

QualysGuard is the leading commercial vulnerability scanner and is an integral part of the suite of tools we use for vulnerability identification on our penetration testing engagements.