Every company uses information technology in a unique way to enable and empower its business. Securing that technology is just as individual. There is no point applying the same tests to a law firm that we would to a merchant bank, or applying the e-commerce tests we use for an online store to a local council. Beware the company that offers you a penetration test with no more than a few quick questions on what you are running!
To determine how ISCS can help your organization develop a strategy, we’ll consider how you use your information technology. Do you interact extensively with clients? If so, your web applications may need testing from the point of view of a client. Do you retain electronic records that would be disastrous if they were quietly changed by an employee or partner without authority? We can test your internal access control mechanisms.
Do you have a lot of staff turnover – casual staff, volunteers, temps and contractors? Then your domain security should be the focus of
Penetration testing should go far beyond proving it is possible to break into a system. It should explore the impact of the compromise and give a business answer to the threats an organization faces. A client may not care that a development SQL server is vulnerable – but if that server is joined to the domain, we can demonstrate that it almost always allows an attacker to gain full access to the entire network. Likewise, a vulnerable firewall might not be important if the vulnerability cannot cause loss or embarrassment to the business. This type of analysis will assist you in directing security strategies and efforts.
If you want more than a list of servers and desktops that are vulnerable, consider carefully who you engage to perform penetration testing for your company. ISCS's founder has over nine years of experience delivering security consultancy services to clients.
ISCS favors a mostly manual approach to penetration testing, whereas other vendors rely almost exclusively on automated tools that cannot go as deep into an application, or exercise it, as an experienced security engineer can.
If you want a partner to help you develop your information security strategy, it’s hard to go past that kind of experience.