A penetration test (pen test) provides a security assessment of the client's network, firewall configuration, and IDS (intrusion detection system) capabilities from a hacker's perspective. Because pen testing involves actual "hacker" type activities, pen testing is the best way to protect our clients from an actual incident. RBTi security consultants can perform this process either with knowledge of the Internet presence, or "blind", without any additional network information other than IP ranges and DNS domains (this is determined in the Required Client Information provided in the Penetration Test agreement).

Some of the pen testing techniques used by RBTi consultants are:

Advanced port scanning and network reconnaissance
Exploitation Public or Private
Denial of Service
Buffer Overflow attacks
Format String attacks
Configuration attacks
Social Engineering

Seven reasons for getting a penetration test from RBTi:

Compelling Event

An organization may have management at the lower level that know security is really bad and cannot address due to limited budget. A typical penetration test with a well documented report will articulate clearly the security issues and recommendations for the organization to begin to understand their challenge and what next steps to take place. With a penetration test report being presented to high-level executive management within the organization, it creates a compelling event for the entire management team to get behind addressing the security issue and applying the appropriate budget and resources.

Starting Point

A penetration test can provide a good place to start to understand the current security situation. It identifies the current profile and possible gaps in security. The results of a penetration test can help identify where to apply security technologies and services. Many companies underestimate how wide-open their security exposure is around their organization and overestimate their own internal resources to address them. By identifying these risks and what resources are needed to address them, an action plan can be developed to minimize the threat.

Good Routine Hygeine

By performing quarterly or monthly security penetration tests, an organization minimizes how many gaps and cracks in the armor may be exposed. With the rapid increase in newly discovered vulnerabilities, it is worthwhile to re-examine the same systems periodically with the new vulnerability knowledge to ensure closing the most recent holes quickly.

Independent Audit

An organization may have their own security team and resources to do their own audits, but it is worthwhile to periodically bring in an outside security firm to provide an unbiased security analysis and penetration test to keep all parties in check. These independent audits are becoming a requirement for getting cyber-security insurance and provide evidence of doing due diligence of protecting the network for legal purposes.

Regulatory Requirement

Regulatory and legislative requirements are making penetration testing a necessity of doing business. Financial has OCC Bulletin 2014, Graham Leach Blily, Healthcare has HIPAA.

Inter-Connected Partner Risk

An organization may have done a good job locking down their own internal network, but with the way the Internet is changing, and organizations are allowing in partners, supply chains, B2B exchanges, customers, and other trusted connections into that organization. Each of these connected partners if left unchecked may have horrible security and be wide-open to major risk. Many organizations are now having their security vendor provide doing security audits of their partners to ensure all connected partners have a standard baseline for security.

Validation

At the end of the security process and the organization thinks their business is now operating at minimal risk and overall their infrastructure is now tightly secured, a penetration testing provides the feedback validation for confirmation and validation of these assumptions. As organizations adapt to new business models and new technologies, a penetration test provides the validation of a closed gap between the business goals and having a security framework that minimizes risks.