Penetration Testing Services, UK - Fidus InfoSecurity

1
PENETRATION TESTING
Fidus Information Security are a CREST approved
and TIGER scheme approved consultancy with our
consultants holding some of the most recognised
certifications in the industry. Our highly
skilled and experienced penetration testing
specialists approach every piece of work with due
care and attention, ensuring your needs are
always put first, and more importantly met. Our
extensive knowledge and experience allows us to
advise on the correct approach to take for all
tasks, regardless of size. https//www.fidusinfo
sec.com/penetration-testing/ Red Teaming We
evaluate your entire business in the way an
advisory would and gain access using the same
techniques. A mixture of research, leveraged
weaknesses and stealth allow us to aim for
unrealistic? goals set by you. Infrastructure
Security Our experienced team of testers use
their expertise to assess both internal and
external corporate infrastructure, highlighting
any potential issues and working with you towards
remediation. Application Security We evaluate
both internal and external applications to ensure
a strong security posture has been
established. IT Health Check (ITHC) Our CREST and
TIGER certified consultants will work with you to
meet all of the compliance requirements of PSN
Code of Conncetion (CoCo) to ensure you have a
PSN compliant IT Health Check. PCI DSS Testing We
perform scanning on your behalf to ensure you
remain PCI DSS compliant and work with you to
remediate any troublesome findings. Physical
Security We leverage our experience in conducting
Physical Security assessments in order to gain
access to your offices and achieve a set of
predefined goals. PSN Assessments Our experienced
team performs PSN assessments on your behalf to
ensure a strong security posture has been
established. Industrial Systems We use our
extensive knowledge to help you establish a
strong sense of security surrounding your SCADA
and ICS systems. Stolen Device Assessments Have
you ever considered the affect if a company
device was stolen? We perform an assessment to
better inform you of the risk to your business
if a device is lost or stolen. Device Build
Reviews We assess the quality of your device
builds against security best practices.
2
GET IN TOUCH WITH FIDUS INFOSECURITY
GET IN TOUCH
PENETRATION TESTING WHY FIDUS? When selecting a
Penetration Testing provider it?s important to
ensure you choose the right one. Fidus
Information Security are a CREST approved and
TIGER scheme approved consultancy with our
consultants holding some of the most recognised
certifications in the industry, such as CREST
Certified Tester and Senior Security Tester.
Along with this, Fidus are also a Cyber
Essentials verified company. All of our
assessments implement UK industry approved
methodologies (OWASP, PETS, NIST) along with our
internal methodologies. Free Retesting We
provide free retesting on discovered security
issues to help you confirm reported issues have
been correctly remediated. Certified Security
Consultants Our team consists of CREST and TIGER
scheme approved individuals who hold the
following certifications OSCP, CCT, SST and
CISSP. Easy to Understand Reports Our reports are
aimed at all audiences. We have portions of our
reports aimed at executives and portions of our
reports aimed at the technical team. Fixed Price
Proposals Our proposals are broken down into a
costing table detailing each phase and the
associated pricing. WHAT IS PENETRATION
TESTING? There seems to be a lot of confusion in
the industry surrounding the definition of a
Penetration Test (Pen Test) and a Vulnerability
Assessment. Because of this, the use of both
phrases are commonly interchanged however their
meanings are very different. A Vulnerability
Assessment aims to identify and uncover security
vulnerabilities and simply note them down. A
Penetration Test aims to dig further into these
vulnerabilities and ascertain whether
exploitation is possible and how much of an
impact there is to the Confidentiality, Integrity
and Availability (CIA) of your data. The most
common types of Penetration Tests within the
industry are Network Penetration Tests and
Application Penetration Tests. Both of these
tests should be performed from an internal point
of
3
view and an external point of view to give an
accurate representation of your current security
posture. Just because an application is only used
internally it doesn?t mean it shouldn?t be
assessed! The most severe Web Application
vulnerabilities we see at Fidus usually are
within internally used applications which also
have access to the most customer
data. PENETRATION TESTING SOFTWARE? Penetration
Testing tools? are used as part of Pen Tests to
help assess, identify and exploit commonly found
vulnerabilities. There are numerous different
kinds of tools used within Penetration Testing,
each with a different use and varying popularity
like most things, people have a
preference! Whilst these tools are effective at
finding what they?re able to, it?s important to
ensure your Penetration Testing provider does
not simply run automated tools and issue a
report. Many vulnerabilities cannot be
identified simply by running an automated tool
without some form of manual verification and, in
some cases, manual exploitation too. Our
consultants at Fidus focus on manual testing
where possible and whilst some of these tools
are used to aid assessments, they will never be
the focal point of the engagement. Commonly seen
tools include NMap, Metapsloit, SQLMap, Nessus,
Qualys, Nikto, SSLScan, Cobalt Strike and many,
many more. THE GOAL OF A PENETRATION TEST The
end goal of a Penetration Test varies from client
to client and has many underlying factors, such
as complexity of application and/or network,
whether there have been previous tests, what kind
of data the application/network holds and the
size of the organisation. The most frequent goal
we are given by clients is Can you obtain our
customer information?. However, it is also
important to not overlook other issues which
could lead to things such as loss of business
reputation if the customer facing website is
compromised. DO I PASS/FAIL? Penetration
Testing should NOT become a Pass/Fail assessment
for your organisation. Penetration Testing
should be seen as an exercise to evaluate your
current security posture with the aim to make as
many improvements as possible. At Fidus, we
ensure the client is able to extract as much
value from the assessment as possible. As such,
our reports contain sections for both the
executive team which is aimed at the risks to the
business and a technical section for the
development and IT teams. We provide enough
information for the C-Level staff
4
members to fully understand the report and enough
information for the technical team to be able to
locate, reproduce and fix all issues
discovered. PENETRATION TESTING COST? Cost of
Penetration Testing is a widely talked about
subject in the industry. Throughout my years of
Penetration Testing, I?ve personally seen prices
vary from 750 2,000 a day depending on the
type of work being quoted. Along with this, some
companies charge more money for a Senior? to be
on the job. Using publicly available data on
G-Cloud (Gov.uk digital marketplace), we can
browse through different listings for
Penetration Testing and get a feel for the
average pricing. It appears the average price for
Pen Testing on G-Cloud is around the
800-1200/day mark which is far too expensive for
Small to Medium Enterprises (SMEs). At Fidus, we
aimed to break down the price barrier and provide
affordable security services to everyone which
is why our day rates start at 500 and do not go
higher 650/day. If you would like to take
advantage of this, please contact us. BENEFITS
OF PENETRATION TESTING The main benefit of
Penetration Testing is the proactive approach to
finding serious vulnerabilities before attackers
do. These vulnerabilities can lead to numerous
scenarios such as reputational damage, loss of
user data and financial fines. Compliance Penetra
tion Testing is also a key factor to becoming
compliant in multiple standards, such as Cyber
Essentials Plus, PCI DSS and ISO 27001. Evaluate
Current Security Controls A pen test allows you
to evaluate current security controls which are
in place. These could be Intrusion Prevention
Systems (IDS), Intrusion Protection Systems
(IPS), Firewalls and Web Application
Firewalls (WAF). We commonly see
mis-configuration of these devices, sometimes
rendering them ineffective at their main job,
keeping your data safe.
5
Avoid The Cost of Network Downtime Have you ever
worked out how much it would cost your business
if you had even a day downtime because of a cyber
attack? This is not simply the loss of a day
wages for all employees, it may also include
legal fees, incident response, customer
protection and damage control activities. A
security assessment also allows you to establish
the level of exposure if a specific area of your
company gets breached, such as the main user web
application, and ascertain how sensitive the data
held within is. Currently, sensitive breaches
must be reported to the Information
Commissioner?s Office (ICO) with fines sometimes
reaching 6 figures. However, with the upcoming
General Data Protection Regulation (GDPR) law,
these fines are set to multiply and only give
organisations 72 hours to discover and report a
breach. The easiest way to avoid a breach is to
proactively defend against one. HOW OFTEN SHOULD
YOU PERFORM A PENETRATION TEST? Penetration
Testing should be performed on a regular basis to
ensure newly discovered threats and previously
recommended implementations are evaluated. In
addition to this, penetration testing should
occur when there?s a big change to network
infrastructure, a new web application is
deployed, during/before mergers and Phishing
assessments should take place upon expansion of
your team. WHAT KIND OF PENETRATION TEST DO I
REQUIRE? The kind of Penetration Test you require
has many underlying factors. Some questions such
as We?re about to deploy a new web application,
what kind of testing do you recommend? are much
easier to answer than We?ve never had a
Penetration Test before, what do you
recommend?. For the latter question, there are
a series of questions which need to be answered
first. Such as What are your key assets? What
would cripple your business if stolen? (Signing
keys, source code, customer data etc), How many
employees do you have? What is your budget? It
is important to have all of the information to be
able to evaluate what would have the best return
on investment for your Penetration Test. If you
would like to talk through the different kind of
Penetration Tests available, please get in touch
https//www.fidusinfosec.com