The aim of penetration tests is to evaluate the actual security level of devices, networks or particular systems. When conducting penetration tests, we most often use the black-box approach (in which the testers are given minimum information on the environment examined), but we also offer grey-box or white-box testing, along with configuration analysis or source code analysis. In our penetration tests, we use recognised methods and threat configurations (e.g. those published by OWASP), and we also draw on the recommendations of software producers, ISO/IEC 27000, and the experience of our specialists, who are familiar with various system structures and vulnerabilities. To carry out such tests, we use, among other tools, Kali Linux – a specialised Linux distribution that includes dozens of audit tools, supplemented by our own modifications or extensions.
The scope of the service is always adjusted to the particular customer. For instance, it may include:
- Social engineering tests aimed at obtaining key information from employees of an organisation,
- Reconnaissance and background survey – obtaining information from publicly available sources,
- Penetration tests of online services, in particular web applications and websites (including performance tests),
- Network traffic security analysis,
- Local area network tests, network device testing, including configuration audit,
- WLAN security tests,
- VPN security tests,
- Evaluation of the security of servers that provide services (software versions and services, discovered vulnerabilities),
- Tests of the cryptographic quality of applied security measures,
- Workstation security assessment,
- Examination of the effectiveness of the applied firewall,
- Examination of the effectiveness of the applied IDS/IPS and SIEM, and assessment of administrator reactions to access attempts made as part of the tests.
- Objective and complete information on revealed threats in the IT environment,
- Information on the potential impact of revealed threats on the functioning of IT systems,
- Verification of the appropriateness of applied IT security measures,
- Verification of employee awareness in terms of IT security,
- Identification and solution of problems related to IT security,
- A list of recommendations that ensure an appropriate security level.