Infrastructure Penetration Testing
External and internal penetration testing are the two components that make up our Infrastructure Penetration Testing service. Each of these components is tested independently to fully ensure the security of your corporate environment.
Infrastructure Penetration Testing aims to find and exploit vulnerabilities in your company’s networks and servers to strengthen your defences against internal and external threats.
Infrastructure Penetration Testing Methodology
Every infrastructure penetration test is carried out in accordance with internationally recognised frameworks. The fundamental framework is built on the Penetration Testing Execution Standard (PTES) and NIST 800-115 at a minimum, although our methodology extends far beyond that.
Our team will find, verify, and prioritise exploitable holes inside your infrastructure using tools and approaches comparable to those used by real-world threat actors.
Infrastructure Pen Testing
Infrastructure threats can differ depending on which digital assets are being attacked. Attackers use a plethora of techniques when assessing both internal and external assets. Take a look at some of the common security vulnerabilities we find when conducting external and internal penetration testing.
Common Internal Vulnerabilities
- Unpatched Windows Machines
- Insecure Network Segregation
- Unencrypted Communications
- Password Reuse
- Default SNMP Community Strings
Common External Vulnerabilities
- Insecure Firewalls
- Vulnerable VPN Endpoints
- Misconfigured Web Servers
- Default Credentials
- DoS (Denial of Service)
What are the risks?
Internal systems cannot be completely protected by the perimeter. To get access, an attacker only needs to exploit a single vulnerability. Once inside, an insecure internal network can be used to escalate privileges.
This is why we highly recommend testing both the internal and external networks. It is common for an attacker to sit inside your network for some time before finding the most appropriate path to fully compromise the network.
Our CREST registered industry experts will show the consequences of exploitation, and give clear instructions on how to manage the risks. Get an infrastructure penetration test with us today.
How we can help
Our tests help manage the risks inherent in many corporate environments and prevent data breaches before an attacker has the chance to act.
We offer comprehensive infrastructure penetration testing from experienced experts, all of whom are CREST registered penetration testers. Our Test & Teach strategy means the companies we work with not only receive a report with remediation in plain English, but also learn how to keep the company safe from vulnerabilities in the future.
The Sencode Way
Contact a member of our consulting team either by phone, email or pigeon post. We will then discuss whether we can help you and arrange a scoping meeting to discuss your requirements.
Scoping & Proposal
In the scoping meeting our expert consultants will discuss and finalise which digital assets you need testing. We will then put together a project proposal and quote based on the requirements and agree on a schedule for conducting the security assessment.
The testing starts. A member of our penetration testing team will liaise with a member of your company throughout the entire testing process. If we have any questions or concerns, you will be the first to know.
Report & Remediate
A penetration test is useless without a well-written report. Our reports are written in plain English, concise and thoroughly documented. Each report will detail an executive summary, risk ratings, a business risk summary and all of the issues we found throughout the engagement.
Frequently Asked Questions
This is a common question asked by many. Vulnerability scans are almost always automated; they are a form of assessment that highlights known vulnerabilities using a vulnerability scanning platform.
Penetration testing, however, makes use of both automated and manual testing tools. It requires the expertise of a security consultant to find, exploit and verify a vulnerability to its full potential.
- Pre-engagement: An expert security consultant will accurately determine the scope of the assessment. This phase is incredibly important as it will detail the objectives of the test.
- Reconnaissance: To gather the intelligence required for the next phase, an expert consultant will utilise a plethora of resources to identify all possible information about the targets. The length of this phase is determined by how much information was given to the consultants prior to the engagement (white-box, grey-box or black-box).
- Threat Modelling & Vulnerability Identification: The tester discovers targets and maps attack paths during the threat modelling and vulnerability identification phase. During the penetration test, all information acquired during the reconnaissance phase is used to guide the method of attack.
- Exploitation: The security consultant begins by assessing the network’s vulnerabilities. The goal of the penetration test is to determine how far they can penetrate your system, find critical targets, and evade detection. Scoping defines exactly how far the penetration test is allowed to go.
- Reporting: A penetration test is worthless without a well-written report. A penetration test report will contain various categories for each security issue identified (Description, Impact, Complexity, CVSS, Risk Ratings). This is the primary deliverable for any penetration test.
All types of penetration testing differ in methodology and price. There are a number of factors that go into setting a price for a penetration test, including expenses for the tester and the types of assets being tested. A smaller application will take considerably less time than a large, complex commercial application. We aim to make our pricing as flexible as possible. Sencode will provide our best judgement by accurately scoping your digital assets and making a determination based on experience testing assets of a similar scale. Once we have accurately scoped your project, we can provide a project proposal and a quote which will be costed properly.
Example 1: A medium-sized finance web application comprising 35 unique pages with user and case management. 5 days of penetration testing. £3000-£4000
Example 2: An external infrastructure penetration test comprising 10 unique IP addresses. 2 days of penetration testing. £1000-£2000
Example 3: An internal penetration test on 80 IP addresses. 7 days of penetration testing. £5500-£6500
These prices vary based on the number of IP addresses, retesting requirements, after-hours testing and the skills required to conduct the engagement.
Get a free, no obligation quote from one of our expert staff.