Identify issues and address the root causes
Penetration testing is defined as a practice of testing a computer system, network or application in order to exploit inherent vulnerabilities. The ultimate goal is to determine if an attacker could leverage a vulnerability to gain access to data contained therein.
Whether it’s a black box test that simulates a real-world attack scenario, or a white box examination with design and target information supplied to the tester, our penetration services provide decision makers with a baseline from which to build a comprehensive information security program required to be secure and compliant.
Network enumeration, vulnerability analysis, and exploit testing occurs such that proper risk mitigation strategies can be put into place and executed. MainNerve will help you identify and classify risks so that you can mitigate them with technology and/or administrative improvements.
Some of the major areas of assessment are:
- Network Enumeration
- Vulnerability Analysis
- Web Application Penetration Testing
- Custom Security Risk Rating
- Vulnerability Mitigation and Support
A penetration test is the first step towards improving your corporate security risk profile. MainNerve believes in Four Pillars of risk identification: Usability, Performance Functionality, and Security. Security, namely, is the overarching pillar with which to operate a company with integrity. Our comprehensive security assessments consider of all your infrastructure including, desktops, laptops, servers, and software
Frequently Asked Questions
What is a penetration test?
What are different types of penetration tests?
There are three approaches to penetration testing: black-, grey-, and white-box testing.
In a black box penetration test, the penetration tester has no prior knowledge of the design, architecture, systems, and software of the entity being tested. The engineers must spend more time and energy discovering, analyzing and determining ways to exploit each system. This is performed by emulating a real-world (or nation-state) attacker.
In a white box examination, the penetration tester has a clear idea of how the system is designed and architected and will often even have the code that particularly interesting systems might run such that it can be tested for vulnerabilities and weaknesses. Full disclosure by the customer give the tester complete insight into the details of each system to be tested. As a result, a white box test often takes less time because less reconnaissance is required.
A grey box test is combination of black and white box tests. A tester is given the range of systems to be tested and their respective roles. Limited discovery and analysis occurs as the penetration tester matches actual findings versus what has been disclosed by the customer.
What is a Vulnerability Scan?
A Vulnerability Scan is a rigorous scanning of a company’s internal and external facing IP addresses and systems to determine the level of security by identifying known vulnerabilities in operating systems, applications and security devices. Regulations and Executive concern often mandate that Vulnerability Scans take place in support of a good information security or assurance plan. Using state of the art software and tools, Our experienced technicians can scan tens of thousands of IP addresses, multiple data storage facilities, multiple locations and public and private cloud to provide an accurate depiction of a Enterprise’s current security status. Vulnerability Scans not only outline security concerns, but, when done on a periodic basis, serve to test updates and patches ensuring that the corporate data security plan is being followed.
What is the difference between a vulnerability scan and a penetration test?
A vulnerability scan is designed to evaluate a network, system and/or applications for weaknesses. Vulnerability scanners are purpose-designed to identify known vulnerabilities, but are not very good at identifying logical faults and often fail to find serious security flaws in custom coded applications. Vulnerability scanning is also intended to evaluate a range of systems and services. Due to the lower cost in time and effort, larger ranges of systems can be efficiently scanned in a shorter amount of time. Nevertheless, a vulnerability scan is designed to only find vulnerabilities and automatically identify solutions.
A penetration test is goal oriented. That is, the purpose of a penetration test is to locate a single exploitable vulnerability. While a vulnerability scan might occur during a penetration test, the goal is find one or more weakness that can be leveraged for access to sensitive network(s) and/or data. As a result, during a penetration test, not all systems will be “tested”.
Why contract for a penetration test?
When do you need a penetration test?
As stated earlier, there are many reasons for a penetration test. The most common are:
- Regulatory compliance requirements (e.g. security audit for HIPAA, PCI, and FINRA)
- Unusual amount of virus, malware, spyware activity on the network
- After implementing significant software and/or hardware changes in website or network
- Suspicious traffic on network
- After installing new software or other upgrades
- If you store valuable data and have never had one
- Prior to purchasing or breach insurance
My data is stored in the cloud. Why do I need a Penetration test?
Software, particularly proprietary or custom-developed software, can be riddled with security holes unknown to the developer. Moreover, your cloud provider has no control over your software. Devices within your corporate environment, such as, printers, servers, and workstations may be vulnerable. Penetration testing is crucial for this environment to address actual vulnerabilities after which a relevant mitigation plan can be made.
What types of systems have you tested?
Each of the following should be considering for penetration testing:
- Network layer (firewalls, web servers, email servers, etc.)
- Application layer (all major development languages, all major web servers, all major operating systems, all major browsers)
- Wireless systems
- Virtual environments including cloud, internet-enabled devices
We’re already performing vulnerability scanning, why should we perform a penetration test?
Vulnerability scans leverage preconfigured pattern recognition. As such, there are many aspects of a system that will not be scanned completely or not scanned at all. Penetration testing provides coverage for large number and variety of serious security vulnerabilities that vulnerability scanners are incapable of discovering and testing.
Can a penetration test break my system?
Our penetration testing methodology is specifically designed to mitigate data loss, downtime, and risks to our customers. In cases where exploiting a vulnerability would pose a risk to the system, We will document the finding and report it to the client, but will not pursue the exploit unless our customer requests it.
How long does it take to perform a penetration test?
The length of the penetration test depends on the type and scope of testing. This includes determining the type and number of systems and any limitations. Generally, projects can vary greatly, but have an average testing time of one to three week
What’s the difference between your approach and others that have automated tests?
There are few recognized standards for penetration testing and quality varies dramatically among all vendors. Some vendors offer fully automated scans and call it a penetration test. If your goal is to satisfy a compliance mandate, this type of testing can be rejected by auditors and lead to numerous and expensive rounds of repeat testing. If you need to satisfy the requirements of an important potential client, they may want details about quality of the testing and could reject these methods. While automated methods still have a place in penetration testing, We leave the decision to the customer. This method is dependent on such critical factors as time, money, and scope of the engagement. We ensure that the testing meets compliance requirements where applicable. We use proven methods put forth by NIST and OWASP. For your potential or existing clients, We provide client-facing reports that include details about the scope and breadth of testing. But, the report will not include sensitive details of the testing engagement results. If your purpose is improvement of your organizational security, we provide testing that thoroughly covers network, system and application layers, addressing the latest security threats.
To scope your penetration test, your call will be answered by a qualified technician who will provide you with questions intended to scope out the project
Within 24 hours of the scoping process, the technician will respond with a quote and estimated price for the penetration test, if accepted a time is scheduled for your test.
The penetration test will be conducted as required and within the scope the customer has approved.
The report will outline the vulnerabilities found and provide mitigation strategies to repair them.
Here are a few other services that we offer
Our Free Wi-Fi Network Assessment Program will validate your network’s performance.
Our Free Servers, Desktops and Network Infrastructure Assessment will validate any potential issues.