Penetration Testing provides a comprehensive review of your organisation's information security. It's a deep dive into your network's security, designed to discover areas of concern and highlight where improvements could be made in infrastructure, procedures and policies. By ethically exploiting weaknesses in your organisation's systems, Chess can help find, prioritise and remediate vulnerabilities in your network.
Our specialist penetration testers use a combination of automated tooling and advanced real-world techniques, closely aligned with the Open Source Security Testing Methodology Manual (OSSTMM), to test your network and identify where it falls short of being as secure as possible.
Entrusting your IT systems and sensitive data to a stranger for pen testing can be a risky business. Chess is certified by The Council of Registered Ethical Security Testers (CREST), a non-profit organisation which aims to bring high quality and consistency to the global technical cyber security sector. CREST provides internationally recognised accreditations for organisations and individuals providing penetration testing services, ensuring you're in safe hands and that you can expect the very best from your penetration tester.
Carrying out a penetration test helps you:
- Think like the enemy: identify vulnerabilities from the perspective of a 'black hat' attacker or malicious user
- Improve your business security stance, meet regulatory requirements such as PCI DSS and ISO 27001, and reduce the risk of attack and data loss
- Assist with GDPR compliance
- Demonstrate that due care has been exercised by your organisation and its directors
- Preserve your brand and reputation
- Gain reassurance that your people are working to best practices
- Highlight areas that can be improved using your existing security product licences and technology, to achieve a return on that investment
1. Scoping and Planning
Determining the reasons you need a penetration test, and documenting the process that will be used. Understand your drivers and motivations for requiring a penetration test. Is it regulatory compliance? Or the fact that your business holds commercially sensitive intellectual property? Your motivations will shape the scope of your pen test: which systems are in and out of bounds, what level of access the tester starts with, and how far exploitation may go.
2. Information Gathering
Researching the network and establishing what details and data can be found. Your pen tester will review and gather information on the system or systems where entry points might exist and how they could be accessed. This includes elements such as employees, IP address ranges, email addresses, websites, social media and other network-facing systems.
3. Threat Assessment
Using various tools and techniques to identify potential vulnerabilities, gateways and vectors into the network. Commonly, pen testers use a mix of automated scanners and manual testing to examine attack avenues and find network vulnerabilities, with manual verification used to weed out false positives before anything is exploited.
4. Exploitation of Vulnerabilities
Attempts to penetrate the network defences and (if in scope) gain control over a target system. The aim, having first gained access to the network, is to see how far the attack can go: establishing administrative privileges where possible and then using them to move laterally to other systems.
5. Reporting
Having completed the exploitation phase, the pen tester will produce a penetration test report which includes findings on the vulnerabilities discovered, the full extent of access that was gained, details of the systems that were breached, the changes (if any) that were made during testing, and a set of recommended remediation actions prioritised by risk.
If required, your penetration tester may provide consultancy services to reduce or fix any vulnerabilities found and improve overall security. Your pen testing provider should ideally also offer a social engineering test, such as a phishing exercise. People are always a difficult area to secure, because employees may unwittingly be duped into giving attackers sensitive information or may click on bogus links.
Our UK-based engineers are certified to the highest standards and have proven experience in the field, including:
- CREST approved
- Highly trained penetration testers (OSCP, CREST, SANS)
- Field engineers who are experienced and talk your language
- Two levels of penetration test service to work within your budget
- Penetration tests that follow an established methodology
- Vulnerability assessments and IT health checks