The objective of penetration testing is to discover whether there are weaknesses visible in deployed systems, and in some cases to go one step further and actually exploit the vulnerabilities to compromise the systems.
This could mean gaining administrative access, data, passwords, or a foothold for further attack.
The term “penetration testing” is often used interchangeably to describe either of these two disciplines.
At CNS, for clarity, we make the distinction between the two as follows.
“Vulnerability Assessment” = reconnaissance to discover and report upon weaknesses found.
This is usually the initial step in any real-life attack/hacking incident and can be the point at which a malicious actor is thwarted and moves on to an easier target. We often find that this aspect is what our clients are most interested in and that they prefer to spend their further resources on raising defenses against or eliminating any weaknesses found.
Pros:
Faster, less intrusive (less likely to cause adverse effects e.g. system failures), cheaper, easier to schedule, typically taking one day or less
Cons:
No evidence will be supplied to prove that the systems can be exploited/compromised e.g. by collecting real hashed or cracked passwords, etc.
“Full Penetration Testing” = discover and exploit weaknesses
Pros:
We will prove whether your systems can be exploited or compromised by trying to actually exploit or compromise them, collecting evidence such as hashed or cracked passwords or data.
Cons:
More time-consuming and intrusive (more likely to cause adverse effects such as system failures), typically taking 5 days or more depending on the system under test. It may take longer to schedule, depending on the specialists required by the nature of the system under test (e.g. web application testing may require a specialist in the particular system to be deployed from CNS’ trusted and vetted partner portfolio).
Some More Common Terms
Red Team = those tasked with the attack.
Blue Team = those tasked with defense.
CNS is rare in having considerable skills and experience in the more sought-after discipline of raising defenses across myriad vendor systems for our clients, which consist of organizations from SMEs to global enterprises of over 50,000 employees.
We often find that raising defenses or eliminating vulnerability exposure is the main focus of our clients once system weaknesses have been discovered through “red team” testing.
Black Box = no details other than external IP addresses are supplied by yourselves.
Grey Box = some details e.g. a partial system map or an account with low privileges are supplied by yourselves, so the red team is able to spend more time on exploitation and less on reconnaissance.
White Box = full details including maps and credentials are supplied by yourselves (e.g. admin credentials necessary for a “credentialed patch audit” of internal systems aimed at discovering whether requisite operating system patches have been applied, which is often required for Cyber Essentials+ certification).
N.B. In all cases, CNS will require proof of ownership of systems, as well as documented permission and legal disclaimers where appropriate.
All CNS penetration testing services are led by appropriately qualified and experienced personnel certified under an appropriate scheme e.g. Tigerscheme Check Team Member, Check Team Leader, CESG ATM, Certified Ethical Hacker, or similar.
On Conclusion of Testing – What Next?
CNS Penetration Tests are concluded with the issue of a full report supplied via secure means.
This can be followed up, where required and at the client’s request, with CNS’ remediation, patching consultancy, or secure design services, supplied by appropriately qualified CNS systems architects.
**Since CNS can talk “IT” & “Cyber”**:
We can work with your IT teams to ensure that pragmatic, effective steps are taken to eliminate any issues found, rather than reporting “you have failed” and then walking away, leaving your IT team trying to decipher an ambiguous system-generated description of issues.
A final test is recommended following the deployment of any remediation plan to ensure that vulnerabilities are no longer present.


