Penetration Testing

We put your security to the test before the bad guys do.

What is a penetration test?
A penetration test is the process of identifying security gaps in your IT infrastructure by conducting simulated real-world attacks on physically connected infrastructure and network access to computer systems. This simulated attack can happen on the Internet-facing external perimeter or internal systems and networks. Applications can also be included and specifically tested for vulnerabilities and exploitable services.

Why do you need a penetration test?
A “Pen Test” is an effective way to gain comfort that your systems and applications are not vulnerable. It may be necessary for your organization to have a Penetration Test performed due to regulatory or contractual obligations. Pen Testing, in its many forms, is an essential part of your overall information security program. The Guernsey team will work with you to understand your environment and risk profile, to design a test that best fits your needs.

What kind of testing does your company need?
Our goal is to help you make the most of your cybersecurity budget by designing a test that mimics the likely threats to your organization. These factors vary based on factors such as your industry, the type of information you maintain, the types of Internet-facing applications your organization has, and other factors. Our approach includes:

  • External Network Pen Test: The goal of an external network penetration test is to simulate an attack on your Internet-facing resources. An external network penetration test will attempt to exploit what a bad actor can see from the Internet.
  • Internal Network Pen Test: An internal network penetration test is like an external attack but is more of a simulated attack from the inside. Assuming a bad actor has gained internal access to the network, penetration testing helps to identify configurations and security weaknesses on your internal network.
  • Red-Team Exercise: Is a simulated test that includes all or some of the types of penetration tests combined to create a more “real-world” scenario. For example, an individual may use phishing to gain access to an external service, then using credentials gained pivot access to the internal network resources or Internet-facing web application resources. Another example would be gaining physical access to a building to plant a network device to send data back to the bad actor that provides intel for a more focused attack.
  • Physical Penetration Test: Is a simulated test where a tester attempts to breach physical access to a secure facility. Our testers will use various techniques such as tailgating or impersonating an employee or vendor to gain physical access to the building.

What techniques are used during a penetration test?
Our team will work with you to design a test that meets your goals and addresses your organization’s risks using different techniques that are often employed by bad actors. Some of the methods our experts have used include:

  • Open Source Intelligence (OISINT): All attacks require investigation of an organization using open-source intelligence (OSINT) sources on the Internet. OSINT identifies publicly available information that can be found in sources such as databases of credentials found in past data breaches, social media sites, public records, job postings, company web page Internet, and financial records. The types of data collected include IDs and passwords, email addresses, IP addresses, and the technology used by your organization; this information helps testers target an organization by identifying targets and creating legitimacy.
  • Social Engineering: Social engineering test uses the art of deception and manipulation to get a person to perform a task compromises security, such as granting access, opening files, and surrendering logon credentials.
  • Phishing: Bad actors use phishing to send forged or spoofed emails that appear from a legitimate source. The phishing email uses high-pressure techniques to coerce a user to act in a way that could compromise the network.
  • Vishing: Vishing is very similar to phishing, except this is done by making phone calls to individuals in the organization to perform a task such as reset a password.