
Penetration Testing

The objective of a penetration test is to identify security vulnerabilities and weaknesses in the target applications, establish the business impact and ease of exploitation associated with each issue identified, and provide appropriate remedial recommendations that should be implemented in order to mitigate the impact of the issues identified.

What is Penetration Testing?
DeFacto employs penetration testers that are qualified and trusted IT security specialists authorised by you to attempt penetration of your IT systems, web site and applications. They can also tell you how security aware your staff are. They use the same methods and tools as a malicious hacker (and a few more besides) and require little to no information from you in advance.

There are two approaches to testing IT security, which we outline below:

Black Box Testing
A black box test is conducted from the perspective of an attacker with little or no information about the target system other than its IP address or URL. The objective is to establish the extent to which such an attacker could compromise the security of the target system given the limited information available. The advantage of this approach is that it mirrors the actions of a malicious hacker who has no access to the systems and no knowledge of them, so the test accurately reveals the attack surface (sometimes called the 'threat surface') of the applications as seen from the internet.

White Box Testing
White box testing is conducted from a prior knowledge perspective. This describes a scenario where the penetration tester is provided with comprehensive details of the target. This could include, but would not necessarily be limited to, the following:
- Technical specifications/documentation for the target
- Target design diagrams
- User/functionality matrices
- Authentication credentials for each user role

Although many may consider the provision of such information as defeating the purpose of the test, this very much depends on the test's objectives. Where the objective is to identify security weaknesses in the target, establish the level of risk associated with them and provide a series of recommendations to mitigate or eliminate that risk, white box testing is a far more effective means of achieving it than a black box test, because the tester's time is spent on finding and assessing weaknesses rather than on reconnaissance.

And then?
We produce a report that is easy to read, contains an executive summary, technical overview and full technical details of any vulnerability. This report explains the risk and, if appropriate, tells you how to fix it, or we can work with you and your IT department to fix it.

Why do you need our Penetration Testers?
Because you will almost certainly have security vulnerabilities, especially in your web site and amongst your staff.
Knowing that a security problem exists means that something can be done about it, greatly reducing both your exposure to risk and the likelihood of a very costly recovery exercise (where recovery is possible at all). Prevention is invariably better than the cure.
