Penetration testing goes beyond that which is covered within a vulnerability assessment. Vulnerability assessment is akin to a burglar “casing the joint” and identifying where the latches on your doors and windows are left open and closed. Whereas, penetration testing will attempt to exploit any discovered weaknesses or, throw a metaphorical brick through the window and bypass any security features altogether. This allows a real-world test of the environment to leverage access to critical system components and sensitive information.
PCI-Secure base their network layer penetration testing methodology on the NIST Special Publication 800-115 Technical Guide to Information Security Testing and Assessment. For Web application testing the methodology is based on the Open Web Application Security Project (OWASP) Testing Guide v4.
For the following reason:
We use all the same skills, experience, quality and diligence we would with a normal test. What we have come to realise is that when a test does not require a regulated report (i.e. reporting in line with CREST or CHECK requirements) most of the time the report is superfluous. All you really care about is seeing what the issues are and how to get them fixed, therefore, having a lot of extraneous words means it is more ‘stuff’ to filter out. But you still pay for the tester to write the report!
So just like your favourite ‘posh’ supermarket we take all the same great stuff you want, remove the stuff you don’t need and package it at a price that you are prepared to pay. Hence Pentest Essentials!
We offer the following:
- Internal network;
- Internal network segmentation;
- Internal wireless;
- External network.
All of the above services can be conducted as blind, unauthenticated or authenticated testing, and the tester will note in the output which version they used.
As we said, all of the same great stuff as with the prime service other than the report. What you get instead is:
- Method statement:
a) This is a generic method statement that tells you what the tester did; - Spreadsheet of findings:
b) Includes management summary, vulnerabilities table, statistics – see next page for an example.
There are some limitations with the essentials service and these surround hybrid test types and those for web applications. Hybrid testing requires considerable explanation and comment by the tester so this can only be completed with a full report under our prime service. This is the same for web application tests, as these are a little more complex as they usually require additional explanation to show how we reached the root cause of the vulnerability. Therefore, we usually do not offer this as part of the essentials service. However, if you are looking for a quick light test then it may be possible, so discuss your requirements with our principal tester to see if this is possible in your circumstance.
PCI-Secure has brought this service to market to allow you to make the choice on how much information you want / need, and only pay for that and nothing more. If you need more information and help then choose the prime service, and if you only need to know what to fix then choose essentials. But don’t compromise on quality, use our service. Our consultants are real people and the team has skills across testing, forensics, ISO27001 implementation and PCI DSS so we can provide real world testing and pragmatic remediation. If the team spots a breach or potential breach, we are best placed to use our forensic services to confirm if this has occurred, and can help you with all aspects of the criminal and legal processes at the same time. Talk to us today about how we can help you….