Penetration Testing is a term that can mean many different things depending on the audience and the context. Even the term “Penetration Testing” has synonyms; some call it Pen Testing or Pentest. Other more technical terms like Controls Testing, Perimeter Defense Trials, and Network Intrusion probes are common.
At CastleGarde, Penetration Testing takes on a slightly different meaning when applied to each of our lines of business. To ensure we effectively communicate our services to the reader, it is important to describe what a Penetration Test is, what forms Penetration Testing takes in CastleGarde Services, and how our meaning and use of the term differ from other common models in the marketplace.
At its core, a Penetration Test is a method of evaluating the security of a system or process, often a computer system, network or physical structure, by simulating an attack on that entity. The methodologies employed differ for each type of target. For example, an attack on a web site is substantially different from an attack on a main office or branch.
The process involves an active analysis of the system for potential vulnerabilities that may result from poor or improper system configuration, known or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and risk to the organization.
CastleGarde organizes our Penetration Testing by Client operational area:
External Vulnerability Assessment
– Network and system Penetration Testing as an outsider to the organization with only publicly available information. Testing is conducted from outside the Client facilities, such as from the public Internet.
Internal Vulnerability Assessment
– Network and system Penetration Testing as an insider, such as an employee or other individual who physically gains access, authorized or unauthorized, to the Client facilities. Testing is on-site, from inside the Client facilities.
is another form of Penetration Testing. In this situation, an attacker attempts to bypass the defenses of an individual to gain access to sensitive information.
Physical Security Assessments
is an analysis of the controls surrounding a physical building. These include entry controls such as keys and badges, guard procedures, cameras, monitors and sensors. While the methods used for a Physical Assessment are substantially different from those of, say, a Network Assessment, the goal is the same: to determine the risk of known threats exploiting weaknesses in Credit Union defenses that may lead to compromise.