A penetration test, often referred to as a ‘Pen test’, is an authorised simulated attack on a client’s network, servers or applications, performed to evaluate the security of the system. The test identifies both weaknesses (also referred to as vulnerabilities), including the potential for unauthorised parties to gain access to critical data, and strengths, enabling a full risk assessment to be completed.
At Quorum Cyber, we have proven, certified ethical hackers to perform Pen testing for our clients. In order to finalise the price for the engagement, we agree in advance the risks you are exposed to, attack stories, assets in scope and attack techniques.
The deliverables of this service are –
1. Project kick-off workshop
2. Project plan with regular customer updates
3. Information gathering stage
4. Penetration Testing of the customer assets in scope
5. A Technical Report containing the following sections:
   - Executive Summary
   - Technical Summary and Key Observations
   - Detailed Findings Tables including information such as:
      - Target (Device / Application / URL)
      - Risk Rating
      - Effort to Fix
      - Evidence of exploitability
      - Remediation Recommendations
   - Engagement Methodology
   - Risk Rating Methodology
   - Customer stakeholder feedback (one session)
   - Business risk considerations
6. (OPTIONAL) A management presentation of the report to customer stakeholders
7. A project closure meeting with the customer stakeholders
The service can be purchased as a one-off engagement or as an annual service with a choice of quarterly or bi-annual tests.
Our management methodology for Pen Testing is shown in the graphic below –
Each customer engagement is planned within our customer portal and key stakeholders from the customer will be given access to track the project, tasks, milestones and actions.
Our consultants use automated software tools, proprietary scripts and manual techniques to test the targets for exploitable vulnerabilities that would allow unauthorised access to system components, applications and data.
All our discoveries will be recorded and validated with our customer stakeholders. Actual exploitability of discovered vulnerabilities will be tested in accordance with the defined rules of engagement for the project, and any risks associated with exploitation of a vulnerability and its mitigation process will be made clear.
To provide an assessment that is focused on critical risk areas, we will work closely with your designated point of contact to make sure that we concentrate on:
- Targets that are of importance
- Areas that could lead to significant compromise or escalation of access to system components, applications and data
Quorum Cyber consultants who are concentrating on different assessments may collaborate and share information and resources to increase the assessment’s efficiency and effectiveness. This collaboration will occur within the constraints of the project scope, statements of work and as agreed with the customer.
Our consultants will provide updates to your point of contact on a regular basis to ensure activities are tracked and progress reviewed against plans. This will also enable us to adapt our techniques and approach to better suit the environment and its particularities.