Are you protecting your stakeholders?
Financial fraud, denial of service, malware, espionage, phishing, identity fraud and spam are some of the threats your business may face. Are your security controls operating effectively to manage the risks that these threats pose?
Our services are offered in two forms, overt and covert:
Overt Tests
An overt test is where the penetration test team and the customer employees co-operate fully in the test. The penetration test team will learn the full environment of IP’s provided and will formulate tests accordingly. This ensures that all possible routes of entry into the company systems are identified and tested.
Covert Tests
A covert test is where the existence of the test is only known to the penetration test team and key customer employees. The penetration test team will approach the customer network as would any external hacker or disgruntled employee, and will have no prior knowledge of the customer environment. This allows security to be tested in the same way as a real hacker would, and also tests the security detection and response capabilities of the customer. (Outside of hours recommended).
The value of penetration testing
We provide evidence of any system weakness and the extent to which it may be possible for unauthorised personnel to gain access to and / or even misuse information assets from a system’s boundary. Regular, unbiased penetration testing can assist in focusing security resources where they are needed most, and provide a baseline for remedial action, in order to constantly ensure an information protection strategy.
BII's penetration testing services
BII provides a comprehensive and independent penetration testing service, using a team of experienced and UK Government-accredited CLAS and CHECK penetration testers. BII experts continuously update their knowledge of the latest security vulnerabilities to ensure their advice is as current as possible. The scope of services include:
- CESG (CHECK) IT Health Checks – providing public sector clients with thorough and comprehensive penetration testing plans to UK Government accredited standards.
- Embedded System Testing (inc. SCADA) – conducting security studies and examining architecture to meet the security challenges associated with autonomous embedded systems.
- Intrusion Detection/Prevention System Testing (IDS/IPS) – providing operators with the opportunity to observe and understand the characteristics of hostile attacks within a controlled security assessment.
- Mobile Device Testing – reducing risk and identifying threats affecting the confidentiality, integrity and availability of corporate data on mobile devices.
- Network Infrastructure Testing – employing the appropriate tools and technologies to assess the level of network security required by the most complex of infrastructures.
- Open Source Research – analysing an organisation’s presence on the Internet to create a comprehensive profile of its online security posture.
- Remote Access Testing – identifying and preparing for the range of threats presented by traditional telephony systems as well as digital and IP networks.
- Source Code and Binary Review - reviewing software coding in order to identify possible issues of poor programming practices and resulting vulnerabilities.
- Standards and Compliance Review - assessing compliance of the target system or design to industrial, governmental or regulatory policies, procedures and standards.
- Web Application Testing – understanding the inherent security threats of web applications, identifying weaknesses, and developing the appropriate security plans and policies.
- Wireless Testing (WiFi) – determining the risks associated with incorrect WiFi configurations or unauthorised devices, and making recommendations for planned infrastructure.
- Workstation and Laptop Testing – Identifying the risks of authorised and unauthorised users attacking systems to gain access to data or privileges for which they are not authorised.
Demilitarized (DMZ) Penetration Testing
DMZ tesing will provide an organisation with an in-depth assessment of the applications and resources available from machines that attach to the DMZ network. These forms of tests do not test the strength of firewall or other perimeter security devices. Instead, they concentrate on operating system and application services configuration, whilst reviewing how these resources interact with other Internet and internal / DMZ based networks.
Demilitarized Network Testing provides an organisation with an accurate assessment of the build quality of DMZ attached devices. As well as observing ports, services and applications that are reachable over the Internet, DMZ tests will also assess the services and resources that are not published to Internet based users. This provides an organisation with a much more holistic review of their overall security posture.
DMZ tests deliver both a high-level management review document as well as an in-depth technical security analysis document.
Please contact your your BII account manager or alternatively email PTest@bii-compliance.com for a scope document.
