First Base Technologies


Penetration Testing FAQ


Below we have tried to answer many of the questions we find we are most commonly asked when we receive enquiries about penetration testing. However, if the answer you are looking for is not there, then do please feel free to contact us!


  • What is "blind" testing? If you would like us to test your firewall as if we were "real" hackers, then you should tell us nothing at all about your installation. This means we have to perform a good deal of undercover work, approaching the hack in the same way a criminal would, using social engineering and even physical break-ins.
  • What is "informed" testing? We sign a non-disclosure agreement with your organisation and you give us details of your firewall solution - the overall design, the IP addresses, and so on. We are then able to run a variety of tests against your firewall defence, using exploits appropriate to the devices and products actually in use. This gives a thorough and cost-effective result.
  • What is vulnerability analysis? Vulnerability scanners provide a good deal of information about poor configuration, design flaws, missing operating system patches, etc. that is invaluable in securing against attack. This type of information will not be revealed in a conventional penetration test, the sole purpose of which is to break into your system.
  • Who conducts the testing? Every test is carried out by a highly trained professional. Our quality control procedure is rigorous: findings are reviewed by a senior technical member of staff and the final report is inspected by a Partner before being sent to you.
  • Do you employ ex-criminal hackers? There is a short answer to that - no!
  • How do your tests relate to ISO/IEC 27000 and other standards? We use a combination of industry standards, our own best practices and ISO/IEC 27000.
  • What sort of report will I get? Our reports, which can be tailored to your requirements, give you a concise, plain-English summary of any vulnerabilities we have found, together with a measure of their severity and the potential impact on your organisation. The technical section of the report gives details of the vulnerability, what it means to your security should a hacker exploit it, and where to get a fix to resolve the problem. All reports are subject to both an internal technical review and quality assurance. Once you have received the report, we provide an in-depth discussion of our findings to ensure that the vulnerabilities and solutions are relevant and properly understood.
  • Do you operate a quality control procedure? Of course! Our quality control for testing is outlined in the previous point. You can also find additional information on this page.
  • Is there any conflict of interest? No, because we only provide testing services, so you can be sure that the vulnerabilities are real, unbiased results from the experts.
  • What about continued assurance? Many clients ask us to provide regular tests, both via the Internet and on-site. Our pricing policy offers discounts to clients ordering quarterly or monthly tests. Some clients also take advantage of skills transfer from our staff, to conduct their own regular tests between our periodic independent reviews.
  • Why is it a good idea to also have on-site DMZ testing? We can reveal considerably more weaknesses and configuration errors in your firewall configuration if we can address it from inside your organisation as well as from across the Internet. We can also review your firewall management procedures, change control and firewall policy. If your firewall is managed by a third party or hosted at a remote site, we will also give you valuable information about the service provided by that third party.
  • What tools do you use? Unless you specifically instruct us otherwise, we use a combination of professional commercial tools and those used by the hacking community to conduct the tests. This ensures that we expose as many vulnerabilities as possible whilst also helping to identify possible false positives, as well as false negatives.



E&OE
© 2001-2010 First Base Technologies LLP - All Rights Reserved.
First Base Technologies LLP is a limited liability partnership registered in England & Wales, number: OC352070