Network Penetration Test (NPT)

Finding vulnerabilities in your own systems before somebody else does is an important part of securing your infrastructure. A Network Penetration Test aims to identify those vulnerabilities, focusing on the areas with the greatest impact on the business.

A Network Penetration Test evaluates the security and configuration of networks and systems. It can be executed from the inside (Internal PT) or from the outside (External PT), and with different levels of knowledge of and access to the client's infrastructure and resources (Black Box, Gray Box and White Box).

This makes it possible to simulate different sets of attacks. A Black Box External PT, for instance, aims to identify the damage that can be caused by a casual attacker external to the organization, whereas a Gray Box Internal PT simulates an ill-intentioned employee.

ISGroup is the ideal provider for your Network Penetration Test needs and acts with seriousness according to internationally recognized standards at the highest quality levels thanks to a steady commitment in the research area. Contact us to request a personalized quote.

Description

Electronic trading, on-line B2B (Business-to-Business) and global connectivity, fundamental components of any successful business strategy, require that companies adopt security processes and practices.

Most companies work diligently to maintain an efficient and effective security policy that implements the most recent products and services to prevent fraud, vandalism, sabotage and DoS (Denial of Service).

Despite this, several companies don't put the right emphasis on a key ingredient for the success of a security policy: verifying that networks and security systems function as planned.

Network Penetration Test activities, which use tools and methods to scan the network infrastructure in search of vulnerabilities, help put the finishing touches on a corporate security policy by identifying vulnerabilities and assuring that the security implementation really provides the protection that the company demands and needs.

Performing Penetration Tests regularly helps companies discover the weak points in their network security that may lead to data and equipment being compromised or destroyed by Exploits, Viruses, Trojans, Denial of Service attacks and other intrusions. The analysis can also reveal other vulnerabilities introduced by patches and updates or by errors on Servers, Routers and Firewalls.

The Network Penetration Test in brief:

  • The most exposed systems are analyzed for vulnerabilities from the outside or the inside of the network.
  • Identified vulnerabilities are then exploited in order to violate the network perimeter.
  • Internal systems are inspected for additional vulnerabilities that allow further access to data and infrastructure.
  • This process is repeated as long as it yields results.

Specifications of the Network Penetration Test service

The Network Penetration Test service is performed by skilled professionals according to internationally recognized methodologies, such as OSSTMM (Open Source Security Testing Methodology Manual, an Open Source guideline for the execution of security tests for infrastructures and cyber assets), suitable for the client's specific needs and for the attack area.

Each ISGroup service is personalized according to the client's needs and can be integrated with our other services and products. An NPT can focus on purely technical items but can also be extended to people, processes (Social Engineering) and physical security aspects. The client decides which aspects of the activity are most important and where to direct the effort of the attack team.

All the most critical tasks and techniques are conducted by senior researchers to guarantee the maximum professionalism, so that there will be no damage to either the infrastructure or the data.

The results of the testing activity are summarized and presented in the Report, a simple and detailed document made up of three main sections.

The test is performed from the outside (External PT) or the inside (Internal PT) of the network and with the level of information chosen by the client (Black Box, Gray Box or White Box) to simulate different attack scenarios.

An initial non-technical overview, called the Executive Summary, is dedicated to Management. A technical part, describing in detail the detected vulnerabilities and their impact, is dedicated to the Security Manager. A technical part with precise instructions on how to solve the identified problems, called the Remediation Plan, is dedicated to the System Administrator.

Network Penetration Test Scenarios

ISGroup performs its tests in the following operational modes:

Internal PT
Tests are performed within the business network.

External PT
Tests are performed from outside the business network.

Moreover, it is possible to distinguish between Black Box, Gray Box and White Box testing, according to the information provided about the systems that we have to attack. Here are some examples:

External PT Black Box
It simulates a casual or external attacker (such as a dishonest competitor) who has no specific information about the company and no access credentials.

Internal PT Black Box
It simulates an attacker who has physical access to the business network (such as an external consultant or a visitor in a meeting room) or remote access (such as through a secretary's compromised computer).

External PT White Box
It tries to undermine externally exposed components in order to understand which level of access an attacker can obtain to the other corporate assets.

Wireless Penetration Test
It tries to undermine the wireless infrastructure. It simulates an attacker who is physically close to a company building where a wireless network is installed.

Social Engineering
Instead of attacking only the technical aspects, the human component is attacked with manipulation techniques. We try to induce people to take actions or to reveal information.

Output

The Report is a simple and detailed document that summarizes the results of the activity. It is divided into three areas, as described previously:

Executive Summary
It is placed at the beginning of the Report and is no longer than one page. It consists of a non-technical overview intended for Management.

Vulnerability Details
It consists of a technical part describing the discovered vulnerabilities and their impact in detail. It is dedicated to the Security Manager.

Remediation Plan
A technical section with detailed and precise instructions on how to resolve the identified problems. It is dedicated to the System Administrator.

For White-label activities (executed in the name of a third party) we work with ease using the provided Report model, with custom graphics and according to the methods that are indicated to us.

We pay great attention to the Remediation Plan. This component, usually considered secondary, is fundamental for easier and more efficient correction of the identified problems.

Precision and detail, simplicity and clarity are the foundation of a good Report. Given the complexity of security problems, we always try to facilitate the job of those who rely on our documentation. It is edited with the maximum care and designed to be really useful and "pragmatic".

Our Reports are consistent in format and easily compared with each other.

Feel free to get in touch with us to discuss your specific needs and to request an anonymized example Report.

Working with us is simple: just call the number (+39) 045 4853232 or send an e-mail so that we can get to know each other and discuss your IT Security needs.

Request our NPT - Network Penetration Test services

sales@isgroup.it