What is penetration testing?
A penetration test, also called a pentest, is an authorized, simulated attack conducted by a qualified security expert who attempts to find and exploit vulnerabilities in a computer system. The testing is a manual process supplemented with automated tools, and it identifies vulnerabilities from outside the network (external testing) or from within it (internal testing). Working independently of the system owners, our expert performs the ethical hacking with little or no prior knowledge of the system or application, so that the exercise approximates a real attacker's position. The purpose of the pentest is to assess the security posture of your environment and to recommend measures that mitigate the cybersecurity risks found.
When do you need a penetration test?
Besides meeting compliance requirements (such as HKMA TM-E-1 Risk Management of E-banking v.3, Oct 2019; PCI DSS and GDPR compliance; the SFC Guideline on Cybersecurity for licensed corporations, effective Jul 2018; and the Insurance Authority Guideline on Cybersecurity, effective Jan 2020), a company may use a pentest to check the effectiveness of its existing security controls against an active, skilled human attacker. We recommend a pentest at least once a year, and additionally whenever circumstances call for it, including but not limited to:
Adding new network infrastructure or applications
Making significant upgrades to infrastructure or applications
Establishing an office in a new location
Validating new controls after a security incident
During the planning phase, we define the scope, objectives and success criteria of the pentest together with the client; these agreed boundaries are the rules of engagement for everything that follows. In the reconnaissance phase, we gather data and information about the target to prepare for testing. We then use a variety of commercial and open-source tools and manual techniques to identify potential vulnerabilities and attempt to exploit them within the agreed scope. A risk analysis follows, in which each finding is rated on both the likelihood that a threat event exploits the vulnerability and the adverse impact a successful exploitation would have on business operations or on the confidentiality, integrity and availability of the data. On completion, the engagement delivers:
A presentation of the findings (either remote or on-site).
A final report including an executive summary, scope, findings, evidence and recommendations.
An optional retest after remediation, to confirm that the reported vulnerabilities have been fixed.