As part of Fortis’ Security Risk Assessment Services suite, its Penetration Testing services enable clients to identify, assess and prioritise vulnerabilities and security flaws across their applications & APIs, platforms and infrastructure.
Penetration testing will help to identify security vulnerabilities which might otherwise leave your company open to compromise. Fortis has a proven track record in finding such vulnerabilities in some of the most complex, and sophisticated IT environments.
SECURITY PENETRATION TESTING
Over the last decade, threat vectors previously encountered only by nation states have become increasingly common in the Enterprise.
The Fortis team has been mitigating and managing the risks from these attacks for our clients for years, and as the threat landscape shifts, so too have the number of organisations that require access to our seasoned and trusted security professionals.
With its broad industry experience, Fortis Information Security can work alongside your organisation to provide the benefit of situational awareness, usually reserved for those associated with these government departments, together with the context and understanding of corporate environments and the associated challenges and culture.
Our security testing services are designed to:
Improve business awareness and understanding of your cyber security exposure to risk
Identify and fix security vulnerabilities before they can be exploited by cyber criminals
Support ISO 27001, PCI DSS, GDPR and PAS 499 ID & Authentication compliance
Provide independent technical security assurance of your security controls
Enable the prioritisation of security investments through actionable intelligence
Demonstrate a continuous commitment to security to your customers and partners
COMMON TYPES OF PENETRATION TESTING WE OFFER:
Fortis approach to security testing is based upon your requirements, and the required outcome.
Tests can be performed from the perspective of an external attacker with no knowledge of the target services or infrastructure, as an authenticated authorised user, or with comprehensive understanding of the service and its design.
Mobile iOS, Android applications and API penetration testing
Wireless Network (WiFi) penetration testing
Social Engineering (both physical and digital social engineering penetration tests)
Red Team, full spectrum attack simulation
Biometric systems penetration testing
External network (or infrastructure) penetration testing
Internal network penetration testing
Web application penetration testing
Cloud penetration testing including AWS, Azure and GCP
Fortis’ penetration testing and red teaming group is extremely well certified, holding multiple certifications awarded by bodies such as CREST, Offensive Security, and the Tiger Scheme. Fortis also complements this focused knowledge with its National Cyber Security Centre (NCSC) Certified Cyber Professionals, to provide a valuable wider viewpoint to penetration testing assurance.
Alongside certifications our testers also engage with the security community, present at specialist security testing conferences, and have co-authored books on testing.
Fortis is a CREST accredited Penetration Testing company. Through CREST’s demanding accreditation process, organisations buying security testing services get the assurance that:
The services will be delivered by trusted companies with best practice policies and procedures.
The work will be conducted by highly-qualified individuals with up to date knowledge, skill, and competence to deal with all the latest vulnerabilities and techniques used by real attackers.
Both the company assessments and individual qualifications are underpinned by meaningful and enforceable codes of conduct.
FORTIS PENETRATION TESTING METHODOLOGY
As the penetration testing industry has matured, certifying bodies have increasingly demanded a standardised way of performing penetration testing activities. However, there is only so much standardisation that can be done before the creativity inherent in “hacking” is removed and the benefit of the service is lost.
Nevertheless, this same standardisation encourages better quality testing exercises by making sure that a minimum level of testing is completed.
Next, exploratory attacks are launched in order to further understand the attack surface.
Each iteration starts with attack surface discovery – this can be at any level of the target, for example, authenticated or unauthenticated, or as a result of the exposure produced by another attack.
Fortis methodology is iterative in nature, this means that the process repeats itself until either all options have been exhausted or the testing time-period has expired.
Fortis only employ highly skilled and experienced penetration testers which, when coupled with our governance, risk & compliance team’s vast industry experience and our excellent service management support ensures unparalleled technical deliverable, business alignment and client satisfaction.
Should the attack be successful, the attacker has gained a foothold.
Will provide a detailed penetration test report. Vulnerabilities and security flaws will be ranked in order of criticality using the open industry standard common vulnerability scoring system (CVSS) framework.
Once the results of the initial attacks are known, the most likely to be successful attacks are developed further to maximise the chance of success and then executed.
In this iterations final stage, the attacker will look to take advantage of whatever access has been gained.