What is a penetration test?
Identify, Remediate, Protect and Monitor.
A penetration test is a form of ethical hacking where an authorised individual attempts to find gaps in the security of your IT infrastructure, applications or processes, with the aim of gaining access to your assets. The purpose of the penetration test is to review the security, and provide a report to management with the technical risk viewpoint with recommendations designed to mitigate those risk areas.
Penetration testing is also useful in validating the efficacy of your defensive controls and determining how well the end-user can adhere to their security restrictions.
What is the process to run a penetration test?
Gridware’s approach to penetration testing is to determine the extent to which your network can defend against threats by testing your exposure to common exploits and vulnerabilities on your infrastructure. The testing is performing from the perspective of an attacker with only limited knowledge of your network infrastructure and systems. Gridware utilises in-house developed tools, as well as scripts commonly used by attackers. The ultimate goal is to identify vulnerabilities that might pose a risk and determine the business impact of such an exposure. The tests are conducted at your place of business or run remotely from our headquarters in Sydney.
Identify domain names, potential for information theft, firewalls, associated networks, partners and any publicly available information through DNS and search engines.
Identify listening ports on your host to determine what services may be running that could potentially cross-checked for exploits.
Extracting information from target systems through listening services, dummy accounts or Wifi, SMTP and NetBios.
Assessing the organisations vulnerability appetite by assessing existing installed software and both the infrastructure and operating system level as well as individual user level for potential for exploits or vulnerabilities.
Analysis and Reporting
Data analytics of the results are provided as well as a detailed exploitation report identifying any vulnerabilities, misconfigurations or possible bugs.
Want to get started?
Speak with our consultants today about booking penetration testing!
Benefits to Senior Management and Board
Penetration testing will help you avoid the cost of downtime should a hacker take the website down or exploit a vulnerability. Organisations pay millions of dollars in IT remediation costs to get systems back up, and in most cases, these systems are exploited using trivial security flaws that take hackers just seconds to compromise. Being proactive will help you discover issues before they become a risk and lead to a security compromise.
Cyber Breach? 85% of Customers
will never do business with you again
will never do business with you again
Preserve corporate image and customer loyalty. Trust is something that needs to be earned. A recent report by PwC showed 85% of customers saying that they will not do business with a company if they are worried about its data practices. Each incident of compromised customer data can be costly: negatively affecting sales and ruining company reputation. Penetration testing helps you prevent data incidents that put your organisation at risk.
Types of Penetration Testing We Conduct
|Penetration Test Type||Scope||Frequency|
|IT Infrastructure External Network Penetration Test (ENTP)||Firewall configuration, public facing IP’s and infrastructure ie. servers, cloud, AWS configuration, Azure configruation, DDoS prevention, load testing etc.||1 per year or major change|
|IT Infrastructure Internal Penetration Test (INPT)||Testing of internal network controls, segmentation, dev and production environment, testing third-party access and access controls, internal user elevation of privileges, unauthorised accounts, sensitive data locations and security permissions.||1 per year or major change|
|Web Application Penetration Test||Identify existing or potential vulnerabilities, OWASP source code best practice review, internal review of access privileges, external testing of public facing IPs and servers. Testing of user accounts if applicable for escalation vulnerabilities.||Prior to launch, 1 per year or major change|
|Mobile Application Penetration Test||Identify existing or potential vulnerabilities for mobile applicable against Android and iOS standards, OWASP source code best practice review, internal review of access privileges, external testing of public facing IPs and servers. Testing of user accounts if applicable for escalation vulnerabilities.||Prior to launch, 1 per year or major change|
|Social Engineering Testing||Phishing simulation, attempting to retrieve sensitive data through social engineering techniques (calling, email based, fraud). “Trusted Authority” disguise, employee impersonation (IT Help Desk) to try and facilitate payment of invoice or unauthorised access.||1 per year|
|Wireless Network Penetration Testing||Testing configuration of wireless entry points against internal network controls, segmentation, separation, VPNs, privilege access management, sensitive data etc.||1 per year or major infrastructure change|
|Physical Security Penetration Testing||Identifying existing or potential access security control vulnerabilities. Attempting to bypass existing security restrictions, including RFID, lift access, biometric security. Infiltration using USB payloads, open workstations or unsecured device docking stations.||1 per year or infrastructure change or office relocation|
Want to get started?
Penetration Testing FAQs
A penetration test (or pen test) is a series of intentional attempts to gain unauthorised access through the use of specialised tools available to attackers and professionals. It is like a stress test for your business systems and applications. It assess the integrity of your business ensuring confidential data is secure, access permissions are appropriate, and that applications are compliant with the latest patches and free from vulnerability of exploits.
Penetration tests should be conducted by an external service provider to ensure there is no bias in the testing, that it is run independently from the business by technical experts who are familiar with the latest developments in exploits and both international and industry standards.
Gridware regularly conducts external penetrations tests, from the perspective of an attacker, internal penetration testing, from the perspective of a rouge employee after restricted information and network and firewall tests to ensure the integrity of your infrastructure. We also recommend running regular penetration testing on Wireless (wifi) networks as well as testing remote social engineering in electronic attacks such as phishing or directed human effort at compromising your systems.
Regular scans will only check and ‘compare’ to data that is often outdated or no longer applicable with the latest developments in the security industry. You need to ‘do as they do’ and perform tests from the perspective of an attacker with the tools attackers utilise to bypass your defences.
All business applications, even when used in the cloud, are subject to vulnerabilities and exploits. It’s only a matter a time before commonly used applications are compromised and then subsequently patched. We need to check that the patch management process is keeping up with the latest developments, and that they are being patched against exploits. The cloud will only act as a host and cannot guarantee the integrity of any application it hosts.
The cost of penetration testing will depend on the systems, infrastructure and complexity of your business applications. In our experience, most companies in Sydney and Melbourne look into undertaking both external and internal penetration testing, as well as firewall configuration and policy reviews. In our experience, comprehensive testing can take between 3-12 days to complete, depending on a variety factors such as your industry and company size, which reflects into the commercial range $5,000 to $25,000.
Penetration testing will take 6-12 business days to complete. When less testing is required, or focused on single applications, systems or processes, testing can completed in 1-2 business days.
Gridware primarily looks for security vulnerabilities at the network and host level configurations. This is a fundamental step in ensuring your systems are not publicly accessible to unauthorised users. We also focus server/cloud configuration, email servers, and all major operation system and browser exploits that are commonly seen.
Penetration testing is way of demonstrating reasonable efforts made to test the integrity of your business infrastructure and applications. It shows your company has put effort into protecting confidential and sensitive business data to regulators such as ASIC or AUSTRAC. With new legislation passing in Australia, businesses are required to demonstrate they’ve regularly checked their systems are compliant with the industry standards and that checks have been made to ensure there are no vulnerabilities which can be easily utilised by attackers.
What Our Customers Say
"Knowing our cyber risks in software we develop, as it is being developed, means my team can get on the front foot of security and protect the clients that utilise our software from data loss. The Gridware team are the best we've worked with."
"With Gridware, we gained a valuable security partner to review our IT programs across various large projects across Australia, without having to build our security expertise from scratch. They're flexible, thorough and quick with solutions."
"Gridware is an intelligent company with top talent. We've developed an new and improve information security program with the end result being more accurate security decisions and improved processes."
– Why Choose Gridware for Penetration Testing –
Gridware has extensive experience in a range of security penetration testing and risk management services. Our consultants are recognised for their depth of expertise and knowledge of deep web technical assessments and governance services.
We are proud to employ CREST (Council for Registered Ethical Security Testers) consultants that are familiar with your industry and infrastructure. Our headquarters is based in Sydney which is the financial and technological hub of Australia. The breadth of IT innovation in Sydney has provided Gridware with the high quality talent it needs to provide best-in-class cyber security services. We also service major capital cities including Melbourne, Brisbane and Perth.
Get secure today, team up with Gridware.