We always suggest doing a network security check before we start penetration testing.
The reason for this is simple. If we’re talking about conducting a penetration test and your business doesn’t even have the most basic IT security protections and mechanisms in place, we can tell you right away that a penetration test would be a waste of money.
In such cases the probability that we’ll be successful with a penetration test, i.e. that we’ll hack into your IT systems, actually equals 1. In other words, we’re confident that your systems are insecure and we can hack them.
It’s like ordering a physical security test of your premises from a building security company to identify any weaknesses, when you don’t have an alarm system, sensors on the windows, grilles on the ground-floor openings or video surveillance, and your employees regularly forget to lock the office doors, and even the main entrance door, when they go home.
Will the contractor be able to identify anything particularly useful in such cases? No, because you yourself already know that your offices are fully accessible. The first step would thus be to take care of the basics of asset protection, and then you can test to see if there are any serious weaknesses that the designers of your security system didn’t think of.
So if your company doesn’t have a pretty good information security system in place, then penetration testing simply doesn’t make sense, and you won’t learn anything that you didn’t already suspect or know.
And this brings us to the main purpose of a network security check. It’s about finding out how security-mature your organisation is, and what the weaknesses are in any information security measures you already have in place.
If after a security check you then decide to go on to a penetration test, you can be sure that it will give you relevant information about how well prepared you are to prevent and deter cyberattacks.
If instead the security check is carried out as a stand-alone service, the results will serve as useful input to help you plan the changes needed to make your business safer.
What does a security check look like?
In the first step we scan your network with all the tools available, including some we developed ourselves. We’re interested in the security patches that are installed on each device, as this is how we detect devices with outdated software.
Most obviously, we can identify which urgently needed patches are missing from computers and servers. But we also examine routers, network switches, wireless hotspots, printers, network-attached storage (NAS) devices and other IoT devices that might be in your network.
The second step is a thorough review of the configurations on firewalls and network switches. We carefully review all settings in the domain environment, Group Policy Objects (GPOs), servers and other devices.
All the data we have collected in the first two steps provide a good basis for producing a very detailed network security check report.
Security check report
Our report covers all the security weaknesses we found in the course of our testing. We use a kind of traffic-light system for the findings we consider the most critical. We also assign a criticality level to all the other vulnerabilities we found, which carry a slightly lower level of risk.
In our report, each security weakness comes with links to expert articles on the internet, so you can easily learn more about each subject.
The last part of the report contains our instructions on what needs to be done to eliminate the weaknesses that we found, and in what order they need to be addressed.
Only when all these have been addressed can we actually start talking about carrying out a penetration test, which in this case will give a concrete and realistic insight into whether your organisation has taken all reasonable actions to protect its IT resources against hacker intrusions.