Penetration Testing

The reason for penetration testing is similar to the fact organisations have security policy: to leverage due diligence and due care data protection for the preservation of the company's capital investment.

1. By Stimulating Attacks

All parts of the way that your organisation captures, stores and processes information can be assessed; the systems that the information is stored in, the transmission channels that transport it, and the processes and personnel that manage it.

• Off-the-shelf products (operating systems, applications, databases and networking equipment / VPN)
• Bespoke development (dynamic web sites and in-house applications)
• Telephony (war-dialing, remote access, VOIP, PABX and VMB)
• Wireless (WIFI, Bluetooth, IR, GSM and RFID)
• Personnel (screening process, surveillance and social engineering)
• Physical (access controls and dumpster diving)

2. Under approved methodologies and standards

There are a number of applicable industry standard methodology and guidelines used while performing Information Security risk assessment depending on the nature of the projects. Notable organisations and standards used by RA are:

• The Open Source Security Testing Methodology Manual (OSSTMM)
• The Open Web Application Security Project (OWASP)
• Telephony (war-dialing, remote access, VOIP, PABX and VMB)
• The Payment Card Industry (PCI) Data Security Requirements
• The Web Application Security Consortium (WASC)

3. To determine feasibility of a successful exploit

Password cracking - Trojan Horses – Backdoors - Buffer Overflows - SQL Injection Attack - Cross Site Scripting (XSS) - Reverse Engineering – Sniffers - Denial of Service - Social Engineering - Attacks on Web Servers and Wireless Networks - Virus and Worms - Physical Security - Evading IDS, Firewalls, and Honeypots.