
Penetration Test

Ensure that a hacker cannot access
your internal data and network!

PENETRATION TEST OVERVIEW

What is a Penetration Test?

In a Penetration Test, Redspin security engineers put their hacker hats on, work remotely from our offices, and attempt to breach your network security via the Internet.

What Questions Does a Penetration Test Answer?

  • Can a hacker get to our internal systems and data from the Internet?
  • Can you simulate real-world tactics and identify what an automatic vulnerability scan misses?
  • Are my web-hosting site and service providers connected to my network as securely as they say they are?
  • Is my email traffic available for others to see?

What are Some Common Objectives of a Penetration Test?

  • Provide management with an understanding of the current level of security risk from Internet-accessible services.
  • Provide recommendations and enough detail to facilitate a cost-effective and targeted mitigation approach.
  • Create a basis for future decisions regarding IT strategy, requirements, and resource allocation.

What is the Penetration Testing Process?

Reconnaissance
Identification of system assets, data and network components.
Enumeration
Determine the application and network level services in operation for all identified assets.
Research and Evaluation
Here we determine the vulnerabilities, bugs and configuration concerns with all systems. Flaws identified in any of these three areas can lead to system compromise.
  • Vulnerability Testing
  • Manual Service Analysis
  • Password Testing
Penetration Testing Analysis
For each issue or concern identified above, we escalate, validate and then determine its impact. This is used to develop findings, along with impact descriptions and recommendations that take into account your individual business and network environment. In other words, we throw away the false positives and create an actionable penetration testing report.

What is vulnerability scanning and how does it fit into the process?

Redspin's penetration testing service, which we call an "External Network Security Assessment", is actually a combination of a vulnerability scan/assessment, a penetration test, remote password checking and manual analysis by expert security engineers. Vulnerability scanning is an automated process using commercial or freely-available software to provide a shallow but quick exploratory view of the network. These automated tools can miss about 40% of the security risk, so they alone do not adequately assess risk. Furthermore, about half of the findings from a vulnerability scan are false positives, which reflects badly on your IT department and diverts its attention to spurious findings rather than the serious risks.

While vulnerability scanning is not suitable on its own as a complete or billable service offering, it does provide some value in the early reconnaissance phase of a more comprehensive External Network Security Assessment (see the figure below). At Redspin, manual analysis is at the heart of all of our assessments. This not only gives you confidence that you have a complete view of your security risk, but also provides tailored reporting and recommendations that enable simple work-arounds and cost-effective mitigation strategies for most security issues.

Redspin External Audit Process

WHY REDSPIN?

Independence
Redspin is independent, unbiased, and candid because we do not sell hardware, software, or services to fix what we find. By selecting Redspin, you no longer wonder if a recommendation is an opportunistic revenue generator.
The Team
It’s about the people and the passion. Outside Magazine named Redspin one of America's Best Places to Work in 2009, ranking 13th nationally. Whether we are assessing your security, creating free security audit tools (used by most of the big 4 accounting firms, top government defense agencies and the biggest global companies), winning the world's biggest academic hacking contests (DEFCON Capture the Flag), or doing groundbreaking security research (Newsweek, Computerworld, American Banker) to help our clients better understand security risk, our team is passionate about security.
Our Approach
We pair a proven team with a risk-based approach that focuses discovery and analysis on the areas of greatest risk to your particular organization. Customers consistently tell us that our services identified significant risk that other firms missed, while avoiding the nit-picking distractions.
Our Ethos
The world is bigger than us. We care about our environment: we are a significant donor to environmental causes. We support up-and-coming security engineers on the path to stardom by mentoring young students, and we support university security clubs.
Our Services
Redspin's services are limited to security assessments. These include:
  • Penetration Testing
  • Web Application Security Assessments
  • Internal IT Security Assessments
  • Social Engineering
These services vary to address different compliance requirements, including PCI, FFIEC, GLBA, HIPAA, etc.
For More Information:
Contact a Security Specialist at
800-721-9177
Testimonials
We're extremely pleased with your work. We've been under a lot of scanning scrutiny the past year and no one brought up that these confidential documents were exposed to the public. It's pretty incredible. I see you guys ARE passionate about this (network security assessments).
— Fortune 100 Company
"No one has ever scored higher on 21 of the 22 categories than you guys did. Of course you scored higher overall than anyone has." (Redspin scores PCI ASV — more thorough than the top 150 security firms in the world).
— MasterCard Worldwide
©2009 Redspin, Inc. | Privacy Policy