The purpose of a penetration test is to identify unknown flaws in your organization’s security by manually employing the same methods “black hat” hackers use to compromise thousands of systems in the wild every day.
While vulnerability assessment is a part of a full penetration test, it does not cover manual, unconventional attack methods.
The benefit of this kind of testing is that it demonstrates the real impact of vulnerabilities, resulting in a security strategy that favors common sense and real-world defense over checklist compliance.
Penetration testing and vulnerability assessment are terms that are often confused. A number of organizations have been breached and ended up in the news despite the fact that they dutifully conducted mandatory vulnerability scans and met industry-standard compliance guidelines.
So the question becomes: how did so many compliant organizations still get hacked?
The answer is the human element. While a vulnerability assessment drastically lowers the odds of being hacked through known vulnerabilities, it does not address unknown vulnerabilities and unorthodox attack methods.
Every day determined hackers are discovering new vulnerabilities and unorthodox ways to exploit them. Unless a hacker chooses to make a vulnerability or exploit public, it can go undetected in your infrastructure for months or even years, leaving your organization exposed to attack.
A good analogy would be “vulnerability assessment is to a real cyber-attack what competitive fencing is to pirate swashbuckling”.
A determined attacker is not interested in your organization’s compliance framework. Determined attackers are only interested in exploiting the single point of weakness that leads to a system compromise.
The military considers cyber-attacks a form of “asymmetrical” or “guerrilla” warfare. Simply put, the problem with defending anything, even if you have more resources, is that you need to win EVERY time to be successful. The attacker, who isn’t required to play by the rules, only needs to win ONCE.
Our testers specialize in customized, asymmetrical, out-of-the-box manual attacks. We offer the following kinds of penetration tests:
• Web Application
• Hardware and IoT
• Physical Security Assessment
• Social Engineering
• Spear Phishing
• Blackbox Device Testing