The purpose of penetration testing is to identify weaknesses in an information system and recommend mitigation measures to increase the resistance of the information technology (IT) infrastructure and protect against unauthorized access, modification, or sabotage. Organizations often use the terms "penetration test" and "vulnerability assessment" interchangeably, when they are really two distinct tasks. SeNet works with our customers to ensure that the correct type of testing is selected. When a company's security maturity is at a high level, penetration testing can add value. However, if the security program is still growing or early in its life-cycle, an overall vulnerability assessment may be a better option.
Conducting a successful penetration test or vulnerability assessment effort depends not only on the skills and expertise level of the practitioners, but also on meticulous planning and oversight throughout the project life-cycle. SeNet has vast experience in performing these types of tests in both the commercial and government sectors.
SeNet follows an established multi-step methodology when performing penetration testing and vulnerability assessments. The exact process differs slightly based on whether the testing is being performed from an internal or external perspective. A key element of SeNet’s planning process is the development of a detailed test plan. This test plan will incorporate the rules of engagement, and will be developed following the kickoff meeting and a review of relevant documentation provided by the client. Its purpose is twofold: a working document to be used by the SeNet Team while engaged in this activity and a specific description for client stakeholders of planned testing activities.
When performing vulnerability assessments or penetration tests, one of the biggest obstacles in providing a valuable product is dealing with false positives. Once the raw results from the automated and manual tools are collected, SeNet’s team begins the process of verifying and cross-referencing them against not only our extensive vulnerability knowledge-base, but also against the Common Vulnerabilities and Exposure (CVE), National Vulnerability Database (NVD), and several other knowledge-based resources used throughout the security community. Findings discovered by the automated tools are further tested to ensure false positives, possibly caused by an organization's customizations, are eliminated. Weaknesses are also correlated against our knowledge-base to determine if potential false negatives were omitted.
A series of sophisticated tests then follow where our team leverages our extensive experience of security software, attack profiles, test scripts, and exploit programs to assess the security of the target environment.
Knowledge transfer is an important objective of this task. A study would be less valuable if the findings are not mitigated and changes are not made to reduce or eliminate the introduction of future security vulnerabilities. Full documentation of test results accompanied by formal presentations, informal work meetings, and discussions between the client and the test team, will ensure that knowledge transfer is complete and effective.