Successful cyber-attacks are becoming increasingly common, causing substantial reputational damage, data compromise or loss, ransom demands and the loss of access to core organisational systems.
Penetration and vulnerability testing is a preventative measure to ensure hackers are not able to easily target your systems. It is essentially a controlled form of hacking in which a professional penetration tester, working on behalf of an organisation, uses the same techniques as a criminal hacker to search for vulnerabilities in the organisations networks or applications which could be exploited. Penetration testing is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source. Regular penetration testing, sometimes known as ethical hacking, is a mainstay of security evaluation programmes with the goal of mitigating cyber risk.
To raise the cybersecurity bar of digital health apps and products, the National Health Service’s Digital Technology Assessment Criteria (DTAC) was developed. Penetration testing is a required component of the DTAC and serves as a strategic defence mechanism, simulating cyber-attacks to identify and fix vulnerabilities.
Identifying your organisation’s vulnerabilities by using techniques employed by real-world cyber criminals will set you on the right course to accurately evaluating risk and, where necessary, choosing the right remedial solutions.
Types of testing available:
Internal Penetration Test
This assesses the threat of both deliberate and accidental breaches from hackers and also malicious or negligent users/staff members with access to your systems. Often deemed low-risk, internal attacks can pose a substantial threat to an organisation.
External Network Penetration Test
External network penetration testing is a type of penetration test that focuses on evaluating the security of a network infrastructure. This test identifies the vulnerabilities of your computer systems through their exposure to the Internet.
Why use GP IT Services for your annual penetration test?
- CREST Certified – Penetration test and reports are carried out to industry recognised certification bodies levels (CREST).
- Competitive Penetration Test Pricing – As an organisation who work solely with NHS organisations, we know budgets are tight therefore we offer a highly competitive pricing model without sacrificing quality, keeping you and your organisation protected.
How does Internal Penetration Testing work?
The scope of internal penetration testing typically includes various components within the network, such as:
– Servers
– Workstations
– Network devices (routers, switches, firewalls)
– Internal applications
– Databases
Our methods include a combination of automated tools and manual techniques to perform this assessment. All testing is non-destructive.
How does an External Penetration Test work?
Shared Knowledge (Grey Box) Assessment:
In this approach, you give the tester a list of hosts. These can be public IP addresses or domains. They will only test the specific assets you approve. This is the approach we generally recommend, as we believe a Grey Box assessment gives you the best balance of time and results.
Zero Knowledge (Black Box) Assessment:
Here, the tester performs their own reconnaissance to discover all your Internet-facing assets. Once they’ve compiled a list of what they’ve found, you’ll need to approve those hosts before the test begins. While thorough, this method can take a bit longer since you’ll need to confirm that all the identified hosts belong to your organisation.
Although you ultimately decide which hosts to include in your test, we strongly recommend not limiting the scope. A broader test gives you a better view of your security.
A limited test might miss some potential weaknesses. Also, if you are doing this for compliance, narrowing the scope might require a second test later.
What’s the process?
1) Pre-engagement: This is when you and the testing team meet to define the test goals and what you want to achieve.
2) Scoping: You’ll decide which assets you want to include in the test — basically, what systems and services you want them to target.
3) Exploitation: Here the team will dive in, looking for any security weaknesses they can exploit. This is then followed by maintaining that access to determine whether the vulnerability can lead to persistent network compromise.
4) Reporting: After the test is complete, you will get a selection of reports, ranging from high level management overview reports through to detailed findings and evidence on what we found, how we found it, the methods used and how to rectify the issue. If you require assistance with remediating your issues, this can be discussed.
5) Re-test: After the necessary issues have been remediated, we will run the test again, usually 6 months after the initial test to allow time for remediation. This will ensure everything is secure and that the previous issues are resolved.
To find out more, or to request a quote, please complete the below form or contact us on 01223 827 410.