This FAQ is intended to provide Clients with a basic understanding of the processes included in each type of assessment. Our services are designed to simulate a real-life attack, with the added comfort that the Client is aware that the assessment is taking place. In each type of assessment, CQrity Limited will attempt to access sensitive assets by exploiting weaknesses in the target systems, allowing the identification of individual vulnerabilities and of unsecured routes to critical systems and their data.
What’s the difference between a Penetration Test and a Vulnerability Assessment?
A vulnerability assessment, in its simplest form, is designed to highlight systems containing vulnerabilities and software misconfigurations. Vulnerability Assessments or Compliance Audits verify that the required controls and their correct configurations are in place within an organisation.
A penetration test, on the other hand, goes further by incorporating active exploitation of vulnerabilities. This exploitation is performed in order to prove (or disprove) potential “real-world” attack vectors and threats against an organisation’s IT systems and their data.
When should you have a Penetration Test?
When correctly scoped and executed, a penetration test provides the company with a certain level of assurance that its existing security controls are adequate against an active, skilled attacker. A number of past breaches have highlighted that, although an organisation may meet compliance regulations, it may still be vulnerable to a skilled attacker. A penetration test takes into account multiple attack vectors against the same target, systems or organisation.
What should the scope include?
The scope of an assessment should include all key assets where possible, rather than limiting to a subset of hosts.
In relation to an Internal Assessment, this would include any host present on the network, e.g. desktops, laptops, servers, printers, switches and routers.
While a sampling approach can also highlight issues, limiting the scope should be considered carefully, as a sample does not take into account the full context of all the interlinked systems.
“You’re a hacker, why do you want me to give you credentials?”
In the real world, an attacker would not have the same constraints imposed upon them, allowing them to dedicate as little or as much time as they wanted to attempting to compromise your network. Credentials are only required for authenticated vulnerability assessments, which are designed to highlight misconfigurations and missing patches and so provide a complete overview of your security posture.
Is the threat real?
Analysis performed on data breach figures released in the last few years provides some alarming statistics:
- The average cost of a single attack where the attacker successfully gains access to the target is in the region of £200k
- Financial organisations represent 37% of all data breaches, the most of any vertical. Retail environments and restaurants are the next most frequently hit, at 24%
- The United States accounts for almost 50% of the world’s data security breaches, followed by the UK at 8% and India at 3%
- Weak or stolen credentials account for 76% of network intrusions, and over 50% use “some form of hacking”
In the past few years, hackers have stolen the personal information and passwords held by some of the largest companies:
- Dropbox - 68 million users
- LinkedIn - 117 million users
- Adobe - 38 million users
- Adult Friend Finder - 412 million users
- Yahoo - 1 billion accounts
Using the above accounts, attackers were able to authenticate to other services with the same credentials. Furthermore, some of these credentials later turned out to match the users’ business email accounts, allowing access to company systems. This highlights that password re-use is still occurring and that a large number of companies do not provide a suitable user awareness programme.