Every company uses information technology in a unique way to enable and empower its business. Securing that technology is just as individual. There is no point applying the same tests to a law firm that we would to a merchant bank, or running the ecommerce tests we use for an online store against a local council. Beware the company that offers you a penetration test with no more than a few quick questions on what you are running!
To consider how ISCS can help your organization develop a
strategy, we’ll consider how you use your information technology. Do
you interact extensively with clients? If so, your web applications may
need testing from the point of view of a client. Do you retain
electronic records that would be disastrous if they were quietly
changed by an employee or partner without authority? We can test
internal access control mechanisms.
Do you have a lot of staff turnover – casual staff, volunteers,
temps and contractors? Then your domain security should be the focus of
our testing.
Penetration testing should go far beyond proving it is
possible to break into a system. It should explore the impact of the
compromise and give a business answer to the threats an organization
faces. A client may not care that a development SQL server is
vulnerable – but if that server is joined to the domain, we can
demonstrate that it almost always allows an attacker to gain full
access to the entire network. Likewise, a vulnerable firewall might not
be important if the vulnerability cannot cause loss or embarrassment
to the business. This type of analysis will assist you in directing
security strategies and efforts.
If you want more than a list of servers and desktops that are
vulnerable, consider carefully who you engage to perform penetration
testing for your company. The ISCS founder has over nine years of experience
delivering security consultancy services to clients.
ISCS favors a mostly manual approach to penetration testing
where other vendors rely almost exclusively on automated tools that
cannot go as deep into an application, or exercise it as fully, as an
experienced security engineer can.
If you want a partner to help you develop your information security strategy, it’s hard to go past that kind of experience.