Penetration Testing

Expert assessment and advice from the professionals. Reporting in plain English.

Penetration Testing identifies threats, weaknesses and risks exposed within an information system so that stakeholders can make informed decisions on risk management. The term Penetration Testing often refers to a wide range of service types, from light-touch vulnerability assessments using provided credentials to minimise the risk of disruption through to full-blown simulated attacks using the latest in attack technologies. There are many variables that affect the size and shape of a Penetration Test. To make things easier, we’ve bundled the most common forms of Penetration Testing into the following groups. If you require specialist assurances that are not described here, our Tailored Assessment Service may be better suited to your requirements.

External Penetration Test: Following our standard methodology, our consultants conduct simulated attacks against hosts within the agreed scope with the express goal of obtaining access to internal networks. Our team uses cutting-edge tools, techniques and exploits to test against the most up-to-date network layer threats. In the event of successful compromise, the client is notified and is provided with the information needed to address the vulnerability in question.

Internal Penetration Test: Our consultants follow a branch of the same methodology with special considerations for internal networks. Our consultants use highly advanced tools, techniques and bespoke code to identify and exploit vulnerabilities affecting hosts and networks within the agreed scope. If you’re unsure whether VLAN segregation is sufficient for your networks, our consultants can provide the assurances you need.

Internal Vulnerability Assessment: Vulnerability Assessment relies heavily on tools and avoids active exploitation to minimise the risk of instability on target hosts. Relying on the tools alone usually leads to false positives. Where Mandalorian are particularly able to add value over raw scanners is in the interpretation of the findings identified and the distillation of these findings into real-world issues by consultants who use the same tools for an average of 1250 hours a year.

There are many reasons why penetration testing is conducted, including, but not limited to:

  • Part of a regulatory compliance management process (for example, Sarbanes-Oxley, FSA, or PCI)
  • Accreditation and certification (such as GCSX or PCI certification)
  • As part of a best-practice approach to information security management
  • To establish a view of overall security during mergers and acquisitions
  • To qualify business cases for security expenditure; and
  • To independently verify that outsourced security requirements are being met.

Regular penetration testing can help focus resources where they are needed the most and provide a moving picture of the ability to protect against infrastructure-based attacks.

Knowing what not to test is just as important as knowing what to include. That’s why Mandalorian’s approach to Penetration Testing involves experienced consultants from the initial scoping stage. Our consultants have decades of experience and are often able to spot potential security issues during initial discussions, ensuring a tightly focused scope and better value for you. Our methodology is tightly aligned with open standards such as the Open Source Security Testing Methodology Manual, and our team includes consultants from the CESG Listed Adviser Scheme (CLAS). At Mandalorian we pride ourselves on our openness and freely provide copies of our testing methodology to clients upon request.

Call us now on 01256 830 146 or e-mail us at sales@mandalorian.com to discuss your requirements and how we can help.