TestingIndependent penetration testing is a key requirement in determining whether security policies are effective. Dionach penetration tests are resource intensive, with highly skilled consultants using manual methods as well as commercial and non-commercial tools.
Dionach carry out penetration testing on external networks, web applications, internal networks, 802.11 wireless networks, voice over IP and modem sweeping (war dialing).
Regular testing creates management and board awareness of security weaknesses and improvements, provide confidence in the security of the network infrastructure, and demonstrates to clients that their confidential data is an important asset to be protected.
External network penetration tests are carried out without any knowledge of the internal workings of the network. This puts Dionach auditors in the same position as potential intruders. Information gathering, scanning and probing, vulnerability assessment and exploitation will take place.
Skills relating to devices found on security perimeters are used, including web servers, routers, firewalls, email servers, DNS servers and VPNs.
Please read more on the features of a network penetration test and a case study in the further reading section on this page.
Attackers have increasingly been targeting web applications as network security has improved. Dionach have discovered serious issues with over half of all web applications tested, so the requirement for testing should not be underestimated.
Dionach will test dynamic web sites for application layer vulnerabilities. The applications will be tested for information disclosure, privilege escalation, SQL injection, cross-site scripting and other issues in an attempt to gain access to business critical data and the network.
If the application requires login credentials then a test can be carried out without credentials, and then with credentials if initial access was not possible. The test can be done blind, without access to the source code, as an attacker would do, or with more information about the architecture or source code.
An internal penetration test is an attempt to gain access to internal systems from either the perspective of an attacker who has internal access or an employee with low access privileges.
The internal test objectives are to escalate privileges and gain access to systems or devices agreed to prior to testing. Proof of access may be Windows domain administrator passwords, database passwords, system or server screenshots, confidential emails or confidential documents.
War driving has been popular among hackers for years, as many wireless networks using the IEEE 802.11 standard (or WiFi) are easy to setup and use without any encryption. Even the first encryption system used, WEP, is now considered a weak method.
During a wireless LAN test, Dionach will attempt to identify and gain access to any target wireless LANs discovered at the physical site being tested.
Due to its low cost, existing infrastructure availability and increased flexibility, it is likely that VoIP usage will increase hugely in the near future.
With this growth comes the issue of VoIP security. IP Phones, the VoIP
Gateway and PC software based phones are key components in a VoIP system.
Potential issues may include eavesdropping with hacking and sniffing tools,
attackers being able to make free calls, and VoIP opening perimeter holes
in an otherwise well protected network.
