penetration test
Penetration Testing
further reading

Independent penetration testing, or ethical hacking, is a key requirement in determining whether security policies are effective. Dionach penetration tests are resource intensive, with highly skilled consultants using manual methods as well as commercial and non-commercial tools.

Dionach carry out penetration testing on external networks, web applications, internal networks, 802.11 wireless networks, voice over IP and modem sweeping (war dialing).

Regular testing creates management and board awareness of security weaknesses and improvements, provides confidence in the security of the network infrastructure, and demonstrates to clients that their confidential data is an important asset to be protected.


External Network Penetration Testing

External network penetration tests are carried out without any knowledge of the internal workings of the network. This puts Dionach auditors in the same position as potential intruders. Information gathering, scanning and probing, vulnerability assessment and exploitation will take place.

Skills relating to devices found on security perimeters are used, including web servers, routers, firewalls, email servers, DNS servers and VPNs.

The report will provide an executive summary section with a non-technical explanation of the impacts and likelihoods of the more serious issues. The technical results section will list the issues with impacts and likelihoods and recommendations for resolution.

Please read more on the features of a network penetration test and a case study in the further reading section on this page.


Web Application Penetration Testing

Dionach discover serious issues such as SQL injection and cross-site scripting in the majority of web application penetration tests undertaken. PCI compliance requires that web sites are not exposed to application issues such as SQL injection and cross-site scripting.

Dionach will test your web site, extranet or intranet for application layer vulnerabilities. Your applications will be tested for information disclosure, privilege escalation, SQL injection, cross-site scripting, access control issues, and other issues in an attempt to gain access to sensitive data and the network. Dionach uses the OWASP Top Ten as a base for common security issues and develops test cases to build attack vectors specific to the type of application.

If the application requires login credentials then a test can be carried out without credentials, and then with credentials if initial access was not possible. The test can be done blind, without access to the source code, as an attacker would do, or with more information about the architecture or source code.

The report will provide an executive summary section with a non-technical explanation of the impacts and likelihoods of the more serious issues. The technical results section will list the issues with impacts and likelihoods and recommendations for resolution.

As part of the test process, Dionach consultants are available to meet and discuss any issues discovered. Dionach consultants are also available for ongoing calls to ensure that developers understand any issues found and resolve them effectively. Any retest of the application following fixes generally requires fewer days to carry out.

 

Internal Penetration Testing

An internal penetration test is an attempt to gain access to internal systems from either the perspective of an attacker who has internal access or an employee with low access privileges.

The internal test objectives are to escalate privileges and gain access to systems or devices agreed to prior to testing. Proof of access may be Windows domain administrator passwords, database passwords, system or server screenshots, confidential emails or confidential documents.

 

Wireless Penetration Testing

War driving has been popular among hackers for years, as many wireless networks using the IEEE 802.11 standard (or WiFi) are easy to set up and use without any encryption. Even the first encryption system used, WEP, is now considered a weak method.

During a wireless LAN test, Dionach will attempt to identify and gain access to any target wireless LANs discovered at the physical site being tested.

 

Voice Over IP Penetration Testing

Due to its low cost, existing infrastructure availability and increased flexibility, it is likely that VoIP usage will increase hugely in the near future.

With this growth comes the issue of VoIP security. IP Phones, the VoIP Gateway and PC software based phones are key components in a VoIP system. Potential issues may include eavesdropping with hacking and sniffing tools, attackers being able to make free calls, and VoIP opening perimeter holes in an otherwise well protected network.
 
