How does a Pen test work?
If you have not commissioned a penetration test (pen test), you might not know what is involved. Read on to learn about the key steps that form our approach to penetration testing.
JUMPSEC has a world class, CREST certified team of offensive security consultants, providing a professional testing service. They are key to the success of a penetration test.
What is penetration testing?
A penetration test, also known as a pen test, pentest or ethical hacking, is an authorised simulated cyberattack on a computer system, performed to evaluate the security of the system; this is not to be confused with a vulnerability assessment. Designed to identify security vulnerabilities in infrastructure, networks, and applications, as well as supply remediation advice to address them.
No pen tests are the same. Every organisation has its own testing requirements and penetration testing steps vary according to the type of test being performed and its objectives.
JUMPSEC is a CREST accredited organisation. We work with you to identify the penetration test that is right for your organisation that delivers the outcomes you need to help meet your security goals. To achieve this, we divide our engagements into three testing stages.
Penetration testing steps
Our testing approach can clearly determine the following:
- How well a system tolerates real world-style attack patterns.
- The likely level of sophistication an attacker needs to successfully compromise the system.
- Additional countermeasures that will mitigate threats against the system.
- Defenders’ ability to detect attacks and respond appropriately.
- The target organization’s ability to maintain a proactive computer network defence.
- How effectively the assessed target meets the specific stated security objectives.
Organizations taking a systematic approach to penetration testing as part of an ongoing process or risk assessment program, will gain a true understanding of their current security posture which will help the organization in the effective management of risk. JUMPSEC security assessments follow robust methodologies to deliver thorough and consistent results. The JUMPSEC assessment services testing methodology uses the following structure:
1. Planning scope – This phase involves gathering the necessary requirements with communication between JUMPSEC and the tested organisation to ensure that the scope is well defined and that the project will be delivered in the agreed time constraints.
We work with you to define the full remit and goals of the pen test, including listing the systems and applications to be assessed. We also identify the most appropriate test methodology to use – either greybox, whitebox or blackbox.
The objective is to maximise the value your organisation achieves from its investment, allowing you to balance your security requirements and budget. We establish clear parameters, we will not test anything you do not want us to and ensure that we conduct assessments in line with the highest technical, legal and compliance standards. This includes pen testing that is aligned to the requirements of ISO 27001, PCI DSS, GDPR.
2. Information Gathering and Reconnaissance – Initial steps are performing information gathering and reconnaissance include using techniques to gather information about the assets in scope. Various scanning techniques are used to gather intelligence and fully understand the application and/or infrastructure. Enumeration and information gathering of the relevant scoping whether that be application, infrastructure, or another service type.
3. Vulnerability Analysis – A vulnerability assessment is performed where vulnerabilities of services will be identified, outlined, and fully understood. Vulnerabilities are categorised by severity rating: Critical, High, Medium, Low, Informational. JUMPSEC will analyse and review all vulnerabilities found to be present within the application and/or infrastructure, these can then be used during the exploitation and review stage. Reviewing any analysing said vulnerabilities and their presence within a system or application to review and ascertain the current security posture of the application, infrastructure, or service. JUMPSEC will rotate between the information gathering and vulnerability analysis stage subjective to what is found to determine a greater attack surface.
4. Exploitation and Review– Select target vulnerabilities and services will be exploited to demonstrate impact and gain a foothold into the network, system, or application. The exploitation phase of a penetration test focuses on establishing access to a system or resource by bypassing security restrictions. Ultimately, the attack vector should take into consideration the success probability and impact on the organisation, JUMPSEC will then be able to quantify and evaluate the risk. JUMPSEC will attempt to add value by demonstrating business impact and a controlled and safe manner.
5. Reporting and Delivery – Upon completion of the testing phases, all results are collected, and a report is written to demonstrate the findings of the assessment. The report includes multiple sections written at both an executive and technical level and provides detailed information on the impact, likelihood, and risk of the identified issues. Depending on client requirements JUMPSEC can provide a range of different reporting styles ranging delivery directly into a modern ticketing system, through to a board level executive or client facing report. The report will then be delivered in a safe and secure manner using JUMPSEC’s report delivery portal. The above methodology is followed for all types of assessment services, JUMPSEC then use a specific methodology for the test of testing that is to be provided and undertaken for the client.
Achieve results with penetration testing
To learn more about penetration testing steps and how JUMPSEC services can support your security needs, feel free to schedule a quick no-obligation call with our experts. We can tell you more about what is involved and the techniques we use, as well as advise about the best type of test for your organisation.