Ethical Security Testing
commissum, as a CREST company, delivers penetration testing services that include thorough assessment of network vulnerabilities and their potential exploitation. The resulting reports include executive-level summaries as well as technical recommendations for improving the security of your networks.
- How vulnerable are you to a dedicated, well-resourced attack by a determined hacker?
- You may have unknown and undocumented points of access to the Internet.
- A professional hacker will target specific valuable corporate assets or attempt to effect maximum public embarrassment.
- The service simulates the dedicated attacker, testing the defences at the Internet gateway and within the network.
- The service provides a report on vulnerabilities, the risk they pose, and their impact on your business.
Penetration testing issues
This service simulates the action of dedicated hackers, testing the defences at the Internet gateway and within the network. The principle is that determined attackers will devote significant effort, and use sophisticated tools and techniques to penetrate the network.
Most commercial penetration testing services scan and test your Internet point of presence, which is your public gateway to the world wide web. These tests are useful in that they provide a "snapshot" of your current vulnerability to basic hacker attacks. What they do not do is tell you whether you have unknown and undocumented points of access to the Internet, or how vulnerable you are to a dedicated and well-resourced hack by a determined hacker.
It is also important to check your vulnerability to a determined attack by an insider, considering that sixty to seventy percent of organisations reporting incidents have suffered internal attacks, according to reputable security surveys.
The potential impact of these security breaches is high. A professional hacker will have a specific aim, such as valuable corporate information, or attempting to effect maximum public embarrassment through defacing websites, data theft, confidential information exposure, etc.
Penetration testing approach
The approach builds on the basic point of presence penetration test, with the addition of more time spent on areas such as research, more analysis of the web server and applications, and vulnerability scanning within the network (behind the firewall). The internal network can also be analysed for vulnerabilities.
The phases are as follows:
- Research: Check publicly-available information about network addresses and IT deployment that could be of use to a potential attacker.
- Enumeration: Scan by appointment with the organisation, stopping short of causing damage or disruption to systems.
- Exploitation: Identify the systems and architectural features, and analyse the potential for successful attacks on the firewall.
- Analysis and reporting: Correlate with known vulnerabilities, examine findings, inform client and reach conclusions on business impacts.
Customer benefits for penetration testing
commissum will produce a report indicating the vulnerabilities discovered and the potential impact on your business. The report will highlight the following:
- An executive summary for a non-technical audience.
- Recommendations for fixes of the vulnerabilities discovered.
- Cost-effective high-value improvements.
- Areas of risk to your business, with highlighting of their relative priority.
To supplement the report, commissum is also able to provide a follow-up presentation and interactive workshop. The aim is to work with the organisation to assist in development of a realistic, focused and prioritised plan of action to address the recommendations.
"commissum provided us with a high quality service. We found the project team helpful and flexible in responding to changes in requirement; the technical staff in particular were excellent. All commitments including deliverable timescales were met and I would have no hesitation in recommending commissum."
Mr A Moretti, Executive Director for IT Security Risk Management, Global Investment Bank


