Regular conduct of internal and external penetration tests is one of the key activities a company can undertake to protect itself against malicious activity. Besides being a best practice, regular penetration testing is also mandated by various regulatory requirements, such as PCI DSS.
The high quality of Griffinix’s penetration tests is supported by years of experience and continuing development and research in various areas of information security. Over the years, Griffinix’s researchers have identified a number of 0-day vulnerabilities in various products.
Two types of penetration tests are available:
- External penetration test, and
- Internal penetration test.
Additionally, depending on a particular test, different scenarios or attack perspectives can be simulated:
- Anonymous penetration test, with no extra access to any of the exposed servers or services,
- Authenticated penetration test, where the penetration tester is given certain access to the target environment (e.g. when performing an internal penetration test, non-privileged user access to the target Windows domain is usually given).
Finally, depending on the information given to the penetration tester, the following tests are applicable:
- Black box penetration test, where the penetration tester is given no information about the target environment except potentially an IP address range or scope. This test is usually applicable to external penetration tests, where an attack from the Internet is simulated,
- Grey or white box penetration test, where the penetration tester is given certain information about the target environment.
The result of a penetration test is a detailed report containing information about all identified vulnerabilities, examples and demonstrations of how to reproduce, confirm and exploit them, and details on how to mitigate them.
The report also contains an executive summary with high-level descriptions of the findings.
Once the identified vulnerabilities have been mitigated, a follow-up test is conducted to confirm that the previously identified vulnerabilities no longer exist, or can no longer be exploited because of newly implemented security controls.