We put your security to the test before the bad guys do.
What is a penetration test?
A penetration test is the process of identifying security gaps in your IT infrastructure by conducting simulated real-world attacks on physically connected infrastructure and network access to computer systems. This simulated attack can happen on the Internet-facing external perimeter or internal systems and networks. Applications can also be included and specifically tested for vulnerabilities and exploitable services.
Why do you need a penetration test?
A “Pen Test” is an effective way to gain comfort that your systems and applications are not vulnerable. It may be necessary for your organization to have a Penetration Test performed due to regulatory or contractual obligations. Pen Testing, in its many forms, is an essential part of your overall information security program. The Guernsey team will work with you to understand your environment and risk profile, to design a test that best fits your needs.
What kind of testing does your company need?
Our goal is to help you make the most of your cybersecurity budget by designing a test that mimics the likely threats to your organization. These factors vary based on factors such as your industry, the type of information you maintain, the types of Internet-facing applications your organization has, and other factors. Our approach includes:
- External Network Pen Test: The goal of an external network penetration test is to simulate an attack on your Internet-facing resources. An external network penetration test will attempt to exploit what a bad actor can see from the Internet.
- Internal Network Pen Test: An internal network penetration test is like an external attack but is more of a simulated attack from the inside. Assuming a bad actor has gained internal access to the network, penetration testing helps to identify configurations and security weaknesses on your internal network.
- Red-Team Exercise: Is a simulated test that includes all or some of the types of penetration tests combined to create a more “real-world” scenario. For example, an individual may use phishing to gain access to an external service, then using credentials gained pivot access to the internal network resources or Internet-facing web application resources. Another example would be gaining physical access to a building to plant a network device to send data back to the bad actor that provides intel for a more focused attack.
- Physical Penetration Test: Is a simulated test where a tester attempts to breach physical access to a secure facility. Our testers will use various techniques such as tailgating or impersonating an employee or vendor to gain physical access to the building.
What techniques are used during a penetration test?
Our team will work with you to design a test that meets your goals and addresses your organization’s risks using different techniques that are often employed by bad actors. Some of the methods our experts have used include:
- Open Source Intelligence (OISINT): All attacks require investigation of an organization using open-source intelligence (OSINT) sources on the Internet. OSINT identifies publicly available information that can be found in sources such as databases of credentials found in past data breaches, social media sites, public records, job postings, company web page Internet, and financial records. The types of data collected include IDs and passwords, email addresses, IP addresses, and the technology used by your organization; this information helps testers target an organization by identifying targets and creating legitimacy.
- Social Engineering: Social engineering test uses the art of deception and manipulation to get a person to perform a task compromises security, such as granting access, opening files, and surrendering logon credentials.
- Phishing: Bad actors use phishing to send forged or spoofed emails that appear from a legitimate source. The phishing email uses high-pressure techniques to coerce a user to act in a way that could compromise the network.
- Vishing: Vishing is very similar to phishing, except this is done by making phone calls to individuals in the organization to perform a task such as reset a password.
You need a team of good guys who are trained to think like the bad guys. That’s where our cybersecurity professionals come in.
Timothy Fawcett, CISSP, CISA, CSSA
Director of Cyber Security Consulting
Tim Fawcett is the Director of Cyber Security Consulting with Guernsey. He has extensive experience in performing risk assessments for IT environments and communicating best practices related to a range of systems and technologies. Tim started his career in information assurance and auditing in 2001. In his career, he has performed IT audits, risk assessments, and cyber threat and vulnerability analyses. Specific project topics include the areas of NERC-CIP compliance, PCI Data Security Standard compliance, ERP system security, application, and operating system security configurations, business continuity planning and disaster recovery, physical security, telecommunications, and security architecture and design.
Cyber Security Consultant
Isaac is an experienced pentester with experience from dozens of penetration tests. Working with companies of all fields and all sizes, he can communicate effectively and promptly with all parties involved. Other than pen testing, he has experience in physical security assessments and forensic work.
GSA Schedule 70
Engage Guernsey through Schedule 70.
Organizations that are eligible to purchase through GSA schedules can engage Guernsey through Schedule 70 - Contractor Awarded Unique Entity ID (DUNS): 062275144