Penetration testing of networks and internet-facing applications, both externally and internally, is required by PCI DSS for organizations that accept payment cards, at least annually and after any significant change to the environment. It is also an essential practice for any organization concerned with protecting its data, intellectual property, and business continuity.
Trust through Verification
Penetration testing performed by an independent, experienced, and fully certified security engineer is the best way to learn how effective your security design and controls actually are. Because networks and applications change constantly, as do the capabilities of attackers, it is critical to make this a periodic practice rather than a one-time event.
Penetration testing is not an automated process, and it is not the same as a vulnerability scan. It requires thoughtful analysis of a specific network's potential weaknesses and an expert attempt to exploit them, so that vulnerabilities are confirmed rather than merely suspected, and can then be fixed. A test generally requires 3-4 days of dedicated effort by a security engineer and consists of the following primary components, consistent with the ISSAF (Information Systems Security Assessment Framework):
- Planning and Preparation
  - The penetration test team learns about your network and applications through interviews, documentation, and automated vulnerability scans. Potential vulnerabilities are identified and a plan is created to gain access to restricted resources without disrupting production systems.
- A variety of tools and manual techniques are applied by the testing team based on the test plan. New information gained during the test is also fed back into the penetration effort, just as a real attacker would do.
- We present a report with findings, rated by severity, and recommendations for remediation.
- The client is responsible for making any changes to the network, systems, or applications needed to close the vulnerabilities identified in the test.
- Retesting (if necessary)
  - If significant vulnerabilities were found and fixed, the affected components are retested to confirm that remediation was successful and did not introduce new exposures.
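The retest step above is only meaningful if the retest results are compared against the original findings in a disciplined way: a fix is confirmed only when the same check on the same host and port no longer triggers, findings on hosts that were not retested must not be counted as fixed, and anything new that surfaced in the retest must be reported. The script below is an added example of that comparison and is not KalioTek's tooling. The CSV format, the check identifiers, and the hosts and ports are constructed sample data for illustration.

```python
"""Compare initial penetration-test findings with retest findings.

Added example, not the original page's or KalioTek's code. The finding
format (host,port,check_id,severity) and all sample rows are constructed.
"""
import csv
from dataclasses import dataclass
from io import StringIO

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check_id: str
    severity: str


def parse_findings(csv_text):
    """Parse 'host,port,check_id,severity' rows (assumed format) into Findings."""
    findings = set()
    for row in csv.DictReader(StringIO(csv_text)):
        severity = row["severity"].strip().lower()
        if severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {severity!r} in row {row}")
        findings.add(Finding(row["host"].strip(), int(row["port"]),
                             row["check_id"].strip(), severity))
    return findings


def key(finding):
    """Identity of a finding: the same check on the same host and port."""
    return (finding.host, finding.port, finding.check_id)


def compare_retest(initial, retest, retest_scope, min_severity="high"):
    """Classify significant initial findings as remediated, still open, or not
    retested, and flag significant findings that are new in the retest.

    Only hosts in retest_scope were retested, so a finding on any other host
    is reported as not_retested rather than silently treated as fixed.
    """
    threshold = SEVERITY_RANK[min_severity]
    initial_keys = {key(f) for f in initial}
    retest_keys = {key(f) for f in retest}
    result = {"remediated": [], "still_open": [], "not_retested": [], "new": []}
    for f in sorted(initial, key=key):
        if SEVERITY_RANK[f.severity] < threshold:
            continue  # below the bar for "significant"; not tracked here
        if f.host not in retest_scope:
            result["not_retested"].append(f)
        elif key(f) in retest_keys:
            result["still_open"].append(f)
        else:
            result["remediated"].append(f)
    for f in sorted(retest, key=key):
        if SEVERITY_RANK[f.severity] >= threshold and key(f) not in initial_keys:
            result["new"].append(f)  # e.g. a fix that exposed a new service
    return result


def retest_passed(result):
    """Remediation is confirmed only when nothing significant remains or appeared."""
    return not result["still_open"] and not result["new"]


# Constructed sample data: findings from the initial test and from the retest.
INITIAL_CSV = """host,port,check_id,severity
10.0.0.5,443,TLS-WEAK-CIPHERS,high
10.0.0.5,3389,RDP-NLA-DISABLED,critical
10.0.0.7,80,SQLI-LOGIN-FORM,critical
10.0.0.9,22,SSH-WEAK-KEX,medium
10.0.0.12,21,FTP-ANON-LOGIN,high
"""

RETEST_CSV = """host,port,check_id,severity
10.0.0.5,443,TLS-WEAK-CIPHERS,high
10.0.0.7,8443,TLS-WEAK-CIPHERS,high
"""

RETEST_SCOPE = {"10.0.0.5", "10.0.0.7"}  # hosts the client asked us to retest


if __name__ == "__main__":
    outcome = compare_retest(parse_findings(INITIAL_CSV),
                             parse_findings(RETEST_CSV), RETEST_SCOPE)
    for bucket, items in outcome.items():
        print(f"{bucket}:")
        for f in items:
            print(f"  {f.host}:{f.port} {f.check_id} ({f.severity})")
    print("retest passed:", retest_passed(outcome))
```

In the sample data the RDP and SQL injection findings no longer trigger and are counted as remediated, the weak TLS ciphers on 10.0.0.5 remain open, the FTP finding on 10.0.0.12 is reported as not retested because that host was outside the retest scope, and a new weak-cipher finding on a second port of 10.0.0.7 is surfaced, so the retest does not pass.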
KalioTek is an integrated IT security and IT solutions company working with emerging and midsize organizations to meet their security needs, including complete PCI compliance services. As a security company with deep operational IT experience, we provide unique value to our clients by recommending security solutions that are effective, yet practical.
We bring many years of experience in data center management, IT security and PCI compliance to each client engagement. Our QSAs (Qualified Security Assessors) are passionate about helping our clients earn and maintain compliance over the long term through the adoption of relevant, business-appropriate security practices. KalioTek is also a full-service IT consulting firm and can help with strategic IT planning and solution implementation.