PENETRATION TESTING SERVICES

What Is Penetration Testing

Penetration Testing is a proactive exercise to help identify vulnerabilities impacting your assets and infrastructure. A report is provided to our customers which details the severity and business impact each identified vulnerability presents. A Penetration Test is much more than a vulnerability scan. Our experts carefully exploit findings to weed out false positives and to provide true to life severity ratings to help our customers understand how to prioritise remediation. Penetration Test results are vital in order to properly understand your organisation’s risk and plan risk management strategies in order to better defend against a cyber attack.

Manual and Automated Testing

Identifies Obscure Vulnerabilities

Provides a Comprehensive Report


Penetration Testing Services We Offer

We perform Penetration Tests against almost any type of asset or environment. Below is some information about a few of the more common Penetration Testing services we deliver, but if you are looking for something not listed below or a bit more unusual, contact us and we’ll find something that will work for you.

Web Application Penetration Testing should be considered when an organisation exposes a web application containing sensitive data, or connected with internal systems, to untrusted users or networks. Even web applications on the organisation’s local internal network should be considered a strong candidate for web application penetration testing if they hold customer data / Personally Identifiable Information (PII).

Web applications account for a large portion of breaches, and 2023 – 2024 saw a 180% increase in the number of incidents originating from exploitation of vulnerabilities, of which web applications make up a majority share (https://www.verizon.com/business/en-gb/resources/reports/dbir/2024/summary-of-findings/).

All organisations should be strongly considering Web Application Penetration Testing on a regular (quarterly / annual) basis depending on the criticality of the web application and the nature of the data it houses.

Oxford Systems follows the OWASP Top 10 methodology for identifying the most common and dangerous web application vulnerabilities. Our consultants are experts in web application security and have experience with development and secure code review.

External Infrastructure Penetration Testing assesses the external perimeter of an organisation’s environment. This would typically be against services exposed to the internet, such as mail servers, web servers or services used for third-party integration. Unlike Web Application Penetration Testing, which assesses at the application level, External Infrastructure testing focuses on service-level vulnerabilities and misconfigurations.

An organisation should consider External Infrastructure Penetration Testing after any changes to the perimeter (such as exposing a new service) and on a periodic basis to detect new and emerging vulnerabilities.

Penetration testing helps identify weaknesses, improve security measures, ensure compliance, and reduce the risk of external threats.

Internal Infrastructure Penetration Testing assesses your organisation’s internal network for vulnerabilities and misconfigurations. While the main objective is to locate security issues, our consultants will also try to escalate privileges, starting with no account at all, to reach the highest level of privilege in the environment. This helps to demonstrate impact to the board and allows our experts to uncover vulnerabilities at a much deeper level.

Internal Infrastructure Penetration Testing should ideally be conducted on a regular basis, such as annually. Improving a large environment can take a great deal of time, and so periodic testing helps to ensure that progress is steadily heading in the right direction.

Oxford Systems can perform configuration reviews on certain components of Internal Infrastructure, such as Active Directory. This activity is more passive and might provide an alternative if you are concerned about disruption and want to start small.

Thick Client Penetration Testing is designed to assess the security of desktop applications that connect directly or indirectly to a database and process company data. Thick Clients are very commonly used in larger organisations and can often be overlooked in terms of security. In many cases, they provide a direct route to the backend databases they connect to, which leaves a low barrier to entry should an attacker gain access to the machine where the Thick Client is installed.

Thick Client Penetration Testing will identify security issues with the application, which your organisation can use to remediate vulnerabilities or, if remediation is not possible, put in place risk management strategies to avoid potential compromise.

Understanding the risk around Thick Clients is not always straightforward, but as with any Penetration Testing, we would be very happy to help advise you on what you can do to better understand the risks posed by these applications.

FAQ

Frequently Asked Questions

The vast majority of Penetration Tests do not cause any significant disruption or damage. However, Penetration Testing is by its nature a destructive exercise, and there can never be any concrete guarantee that disruption or damage will not occur. Our experts are well-versed in how to safely manage testing in a wide range of client environments. We take as much care as possible to avoid disruption and follow a risk-managed approach: if we believe an action may have a negative consequence, we seek approval before carrying out the activity.

Our approach to Penetration Testing is open and collaborative; we believe this is the best way we can provide value to our clients and avoid potential damage and disruption. We are always happy to talk about ways in which we can tailor our service to give you the most peace of mind. Why not reach out and see how we can help?

We do not perform any Denial of Service testing as part of our Penetration Testing unless explicitly authorised. A small risk of an unintentional Denial of Service event is always present with any Penetration Testing activity; however, it will never be performed intentionally.

This really will depend on the nature of the environment you are looking to assess and the risk appetite of your organisation. Annual testing is often enough for most typical environments and applications. However, high-risk environments may warrant semi-annual or even quarterly testing. Many such environments may be subject to regulations or compliance requirements that mandate regular Penetration Tests as part of an audit. If you need a helping hand to determine what would work best for you, give us a call!

© 2024 | Oxford Systems

Address

5 Minton Place, Victoria Road, Bicester, Oxfordshire, OX26 6QB, United Kingdom

Email

cyber@oxfordsystems.co.uk