What is it?
A network-based penetration test is an objective-based security assessment of your internet-facing services or your internal network’s security posture.
A typical example of an objective could be:
- Identify and exploit a vulnerability in an internet-facing service, use it to gain access to an internal network, such as an office or a data centre, and access Personally Identifiable Information (PII) of customers or staff members
- From a network connection in an office, identify and exploit any vulnerabilities in an internal network that could be used to compromise an internal system of importance, such as a finance or HR system
What is the output from this assessment?
A full technical report will include the following:
- Executive Summary – explanation of the vulnerabilities encountered, the risk they pose to your organization, whether the objective was completed and recommendations of any remedial action that should be taken
- Summary of Findings – a table of all vulnerabilities noted during the assessment, the vulnerability title, its risk rating, and the vulnerability’s current state
- Detailed Findings:
  - The vulnerability’s risk rating
  - The system, URL or process that contains the vulnerability
  - How the vulnerability was exploited
  - The risk posed to the organization
  - Full technical details of how to replicate the vulnerability
  - Remediation advice
- Appendices – vulnerability output that was noted in the engagement
When evaluating the overall risk rating for each vulnerability, the following factors will be considered:
- Impact – the impact that exploitation of this vulnerability will have on the business or organization
- Risk – the risk posed to the organization if this vulnerability is exploited
- Likelihood – the likelihood that this vulnerability could be exploited
Each vulnerability will have a remediation recommendation, which will include either:
- Official fix, such as a firmware upgrade for hardware, or a patch for a publicly disclosed vulnerability
- Workaround, for when there is no official fix
- Process improvement, for when exploitation of the vulnerability is caused by a business process