An attack on a computer system that is carried out with the aim of finding and fixing security weaknesses.
Why is Penetration Testing Necessary?
Penetration Testing is used to determine if an organization’s security is robust enough to protect the Confidentiality, Integrity and/or Availability of the data that it accesses, contains, or processes. It is an ideal service for improving overall security, but in many cases penetration testing is carried out to satisfy regulatory requirements. For example, a PCI Penetration Test would satisfy the requirements outlined by the Payment Card Industry Data Security Standard (PCI-DSS), a HIPAA Penetration Test would satisfy the requirements outlined by the Health Insurance Portability and Accountability Act (HIPAA), an FDIC Penetration Test would satisfy the recommendations made by the FDIC, and the list goes on.
“We use Netragard to act as our White Hats. They are very good and cost effective. Before you select a vendor, do yourself a favor and talk with them.” -Financial Institution
Pen Test Service Levels
We understand that different organizations have different drivers behind their penetration testing needs. To help address this we offer three highly configurable service levels to our customers. The Silver level is our entry-level option and provides coverage that is consistent with the industry standard. The Gold and Platinum levels are more advanced and use a research-based methodology called Real Time Dynamic Testing™.
Silver level Network Penetration Testing produces a level of threat consistent with the industry standard. At this level testing begins by running one or more automated vulnerability scanners against the in-scope targets. When the scans are complete the results are reviewed, and any identified vulnerabilities are confirmed through active exploitation. This level of service is ideal for clients looking to receive a low-cost test that will satisfy some security requirements.
Gold level Network Penetration Testing produces a level of threat that is substantially greater than the industry standard. This level of service uses Real Time Dynamic Testing™, an advanced research-based methodology that incorporates over 20 years of 0-day vulnerability research and exploit development experience. The Gold level specifically tests network-connected devices such as servers, desktops, web applications, etc. This service aims to test customers at a level of threat that is at least realistic from a technological perspective. The Gold level of service offers a limited set of Threat Augmentation Modules (“TAMS”) such as statistical spear phishing and distributed metastasis (aka pivoting).
Platinum level Network Penetration Tests produce a level of threat specifically designed to match the capabilities of real-world threat actors. That threat can range from basic (script kid) to highly advanced (nation state). At this threat level a wider variety of TAMS are available, which include Advanced Social Engineering, Advanced Physical Security Testing, Stealth / Evasive Testing, 0-Day malware (it's safe, we made it), the deployment of clone networks, distributed attacks, distributed scanning, covert distributed metastasis, the creation and deployment of weaponized hardware (see our PRION mouse), and much more. This service level also uses Real Time Dynamic Testing™ and can be delivered with or without the use of automated vulnerability scanners. When operating at the Platinum level of service in an unrestricted capacity we maintain a 98.6% success rate at domain compromise from the vantage point of an unauthenticated external threat.