Penetration Testing

Penetration testing / Pen Testing is an often confused term. Through this guide ISPIN MEA provides a broad overview of what it means, why you would want it, and how to get the most out of the process.

WHAT IS A PENETRATION TEST?
Much of the confusion surrounding penetration testing stems from the fact it is a relatively recent and rapidly evolving field. Additionally, many organisations will have their own internal terminology (one man’s penetration test is another’s vulnerability audit or technical risk assessment).

At its simplest penetration testing is the process of actively evaluating your information security measures. Note the emphasis on ‘active’ assessment; the information systems will be tested to find any security issues. The results of the assessment will then be documented in a report, which should be presented at a debriefing session, where questions can be answered and corrective strategies can be freely discussed.

WHY CONDUCT PENETRATION TESTING?
From a business perspective, penetration testing helps safeguard your organisation against failure by: Preventing financial loss through fraud (hackers, extortionists and disgruntled employees) or lost revenue due to unreliable business systems and processes. Proving due diligence and compliance to your industry regulators, customers and shareholders. Non-compliance can result in your organisation losing business, receiving heavy fines, gathering bad PR or ultimately failing.

At a personal level it can also mean the loss of your job, prosecution and sometimes even imprisonment. Protecting your brand by avoiding loss of consumer confidence and business reputation. From an operational perspective, penetration testing helps shape information security strategy by identifying vulnerabilities and quantifying their impact and likelihood so that they can be managed proactively; budget can be allocated and corrective measures implemented.

HOW TO PENETRATION TESTING?
Technical analysis of the security level of IT systems and networks. Complete investigation of the hardware / software systems for security vulnerabilities. Simulation of potential attacks from internal and external perpetrators (intranet, Internet). Detection of security vulnerabilities of IT through our holistic analysis process that includes a complete and conclusive investigation path and in particular includes the following sub processes:

Information Gathering
• Foot-/Fingerprinting: Obtaining information on the entire Hardware-/Software-System (black box, white box)
• Network Analysis

Vulnerability Detection and Verification
• Vulnerability scanning: review of the entire Hardware-/Software-Configuration for Security vulnerabilities and covert, security bugs (security configuration), and verification of vulnerabilities
• Analysis of firewall rules
• Review of encryption in networks (WLAN, LAN, WAN) and servers
• Exploiting known security holes

Reporting
• Development and review of safety policies: password policies, e-mail policies, firewall, server policies, security mechanisms, security policy etc.
• Determine the level of Security
• Presentation: Treatment of the obtained (fully documented) results, final report of all examinations with recommendation for action to increase the safety level
• Conclusive documentation with recommendations to increase the Security level
• Supporting the development of preventive security measures to attack and defence for the prevention of abuse cases and in the development of a cyclical audit process to increase the resistance value of your IT continuously and sustainably

Ask one of our ISPIN PenTesters to conduct it for you.

Our Location

Dubai Silicon Oasis Authority,
Headquarters Building
B Wing, Office No. 204
P.O. Box 341061 Dubai, U.A.E.
Tel:  +971 4 501 5457
Fax: +971 4 501 5456
Email: info@ispin.ae

Newsletter