A penetration test simulates an attack on your organization's network infrastructure or applications. The focus of penetration testing is to determine what attackers can access and what trouble they can cause.
During these controlled tests, a trained, experienced consultant reviews the security of your network infrastructure and applications using the same tools and techniques that an attacker would use. Testing can even be performed covertly, without the knowledge of the people who manage and operate your systems.
By emulating a real-world attacker, we demonstrate where holes exist and procedures fail, how much access an attacker could gain and how to properly secure your systems.
Penetration testing can be classified as either external or internal testing.
An external penetration test simulates your organization being targeted over the Internet from anywhere by anyone in the world. An external attacker may target your organization by choice or because your organization runs a particular technology or has a specific configuration.
An internal penetration test replicates an attack from within your organization's network. The attacker might be a rogue employee or vendor who is authorized to access your network, or an outside attacker who has breached your perimeter and gained a foothold on your internal network. Either way, this attacker is already behind your firewall, with no credentials or only limited ones.
Penetration testing is one of the most effective forms of security testing because it targets the controls responsible for protecting your network. It will help your organization:
A penetration test checks aspects of your organization's security program that involve both your staff and your technology. It evaluates whether your firewalls, intrusion prevention systems and other technical controls are effective and configured correctly to prevent unauthorized access to your systems. It shows whether missing security patches leave your systems exploitable, and whether your IT staff can detect and respond appropriately to an attack in progress.
The value of a penetration test is its ability to demonstrate the impact of security vulnerabilities. Senior management and other decision makers can sometimes overlook reports from IT auditors (and internal staff) indicating the potential for a malicious attack. The results of a penetration test, however, capture their attention by showing how the testers got into your systems and what they were able to do, such as taking control of a financial server or gaining access to sensitive information. It takes security from a theoretical level to a practical one.
“This was the most thorough and in-depth penetration test we've ever been through.”
– Chris Lake-Smith, Director of IT, MOA Entertainment Company
Our penetration tests are scaled to meet the needs of your business. Sikich offers an array of critical testing components that can be included as part of a comprehensive penetration test or conducted as stand-alone services.
The proven and flexible methodology used by Sikich provides high-value testing without sacrificing the performance or availability of your systems. Testing is split into the following phases:
We know that, first and foremost, you have a business to run. We test your systems in a manner that poses minimal risk to your normal business operations, while still discovering the weaknesses that an attacker could use to disrupt those operations.
The Mall of America's more than 520 stores play host to over 40 million visitors each year. MOA recognized the importance of protecting the integrity of its network infrastructure and applications. In 2005, MOA sought out Sikich for expert help in securing their networks through in-depth penetration testing. Our teams have been working together ever since.
The experienced consultants at Sikich worked with MOA's team to formulate a structured plan, including extensive penetration testing and vulnerability scanning, to support the Mall of America's PCI compliance initiatives. Through the rigorous testing, Sikich helped MOA determine the effectiveness of their existing security controls.
The detailed and actionable reporting created by the Sikich testing team provides great value to MOA and its security team year after year. Sikich scales the testing to MOA's specific needs and assists in clearly defining their scope. The highly-targeted nature of the testing yields more pertinent results and better direction for any necessary corrective actions.
Part of the value of a penetration test depends on your ability to understand and act upon the results. We write our reports to meet the needs of your IT department, internal and external auditors and examiners. Our reports clearly define the scope of the testing, describe the methodology used, detail the results of the testing and provide recommendations for addressing any findings.
Historically, nearly 20 new vulnerabilities have been disclosed every day, so a network infrastructure test focuses on how well your network is configured and maintained to resist intrusion.
Alongside our proprietary vulnerability scanning solution, we perform manual testing to uncover holes that scanners miss. We test your network devices, segmentation, servers and workstations. This goes beyond vulnerability scanning: once exposed services and likely attack paths are identified, a trained consultant attempts to exploit the vulnerabilities to gain access to your systems, demonstrating real impact rather than delivering a list of scanner findings.
Physical controls are countermeasures such as locks, cages, video surveillance and security guards. These controls are usually visible, but their effectiveness is often overlooked by security reviews.
Sikich simulates the steps a real attacker might take when trying to breach your environment. We'll use multiple methods, including impersonation, shoulder surfing and even dumpster diving. Leverage the results of this testing to shore up your defenses.
Applications hold and process much of your organization's most valuable data, and web applications are the public face of your online presence. Attacks on applications are therefore among the most complex, and most successful, attacks organizations face.
Securing and testing applications is complex and requires specialized knowledge. In addition to commercial and custom-developed tools, Sikich uses manual inspection methods to discover application vulnerabilities.
Through web application testing, Sikich helps you uncover weaknesses, including the categories in the Open Web Application Security Project's Top 10 Web Application Security Risks, that expose your organization's data and systems as well as those that expose your customers and their web browsers.
Social engineering is the name given to the techniques attackers use to manipulate your staff into disclosing sensitive or confidential information about your organization or a particular individual. It has proven to be one of the most effective attack methods, because it bypasses technical and administrative controls rather than defeating them.
Our security consultants attempt to obtain sensitive information through multiple methods, including "pretext" telephone calls and "phishing" email campaigns. Our testing is designed to uncover your organization's exposure to information disclosure, employee misuse and weak handling of user credentials.