Network Penetration Testing is a hands-on analysis of network/systems security, performed by an experienced analyst, usually using a combination of open-source and commercial utilities, with the objective being to determine the probability that vulnerabilities can be exploited, and if so the associated business impact.
Key activities include:
- Leveraging Vulnerability Assessment data to focus Penetration Activities on areas of greatest vulnerability;
- Hands-on testing by an experienced security analyst with the objective of determining if application vulnerabilities (generally discovered via Vulnerability Assessments) can be exploited to malicious end;
- Alignment of testing with prevailing good practices (e.g., OSTTMM, ISACA) to maximize the level of assurance that the testing provides;
- Formal reporting on the process, gap analysis, relevant findings, and mitigation roadmap. Where possible the report will also include: root cause analysis, peer-group benchmarking, good practice benchmarking, executive summaries, and technical summaries
The predominant benefits realized by a Network Penetration Test are:
- Provides a measure of the probability that a vulnerability can be exploited and the impact that it may have to the organization;
- Can identify flaws in configuration management that Vulnerability Assessments are usually incapable of finding; and
- Can identify where multiple minor vulnerabilities can be sequentially leveraged to malicious means.
Network Penetration Tests are best used:
- As the least expensive means to provide attestation to the net security posture of an environment;
- As part of a broader "certification and accreditation" exercise to provide a higher level of assurance for critical applications; and
- As an information-gathering mechanism to focus more in-depth network security assessment activities.
(If your interest extends beyond Network VAPT, please click here to view our full suite of Network Security Services.)