As required by control A.18.2.3, an organization should conduct periodic reviews of technical compliance; in other words, it should verify that its systems are actually protected in the way its policies describe.
What better way to make sure your web site, portal or application (and the data stored in them) are safe than to ask an actual hacker to try to break in?
Within the agreed scope, your system(s) will undergo a thorough examination using known vulnerabilities as well as lesser-known hacking techniques. Common vulnerability scanners may be used as a starting point, but an ethical hacker has the knowledge to interpret the results correctly and go several steps further.
Penetration tests exist in three flavors:
- Black box: The ethical hacker has no or little knowledge of the system to be tested, usually just a URL and the name of the company. This allows the test to take place without any preconceptions.
- Gray box: The hacker is provided with extra information, usually credentials, so he/she can log in and go deeper into the software. This can be a starting point for checking whether user privileges can be escalated in any way.
- White box: The hacker is provided with as much information as possible, such as the technology used, architecture diagrams or even insight into the source code. This helps him/her find possible weak spots beforehand and may even reduce the effort needed to produce usable results.
Interested in penetration testing? Contact us for more information!