Penetration Testing

What is Penetration Testing?

Penetration testing, often referred to as a pentest or an ITHC (IT Health Check), is a security assessment used to identify vulnerabilities and weaknesses in your systems, environments and applications. This serves to evaluate the overall security posture of your environment and organisation and identify potential weaknesses that could be exploited by adversaries.

Our Approach and Delivery

Our penetration testing is carried out by a team of highly skilled, vetted, and certified security experts. They possess the skills, curiosity and passion required to uncover and expose vulnerabilities that could potentially compromise your organisation. Our experts are trained to think like potential attackers, which allows them to identify and understand the vulnerabilities within your security measures, from an internal and external perspective.

We will tailor our testing methods to match your specific business needs and security requirements. Once we understand your principal concerns and security requirements, we will systematically explore threats and attack vectors, highlighting any potential risks that may be areas of concern to your environment.

Concluding every assessment, we will provide a detailed report of all findings identified, ordered by their significance to how they affect your organisation, with full technical breakdowns and detailed recommendations. Each finding will be reported in such a way that your remediation teams can reproduce and resolve the issue easily, including how it affects the respective system and the organisation as a whole. This is followed by a breakdown of how to resolve the issue, with example steps where relevant. Whenever the recommendation is not appropriate, we will work with you to determine a compromise that aims to reduce the associated risk as much as possible.

Our engagements do not end with the delivery of a report. We believe in providing practical, actionable, and prioritised insights that aid your organisation in addressing any identified vulnerabilities effectively. Our focus is on high-impact fixes that will bolster your defences quickly and sustainably. We provide post-assessment support empowering you to resolve any findings within a timescale that best suits you.

Services We Offer

Internal & External Vulnerability Testing

We will conduct an assessment of internally hosted and Internet-facing assets to determine the attack surface of any exposed network services. We will take on the role of an attacker by using a combination of automated and manual testing techniques, which will be utilised to identify any risks that may be of concern to your organisation. Exploitation of such vulnerabilities can be undertaken if required, which will highlight the full impact of the vulnerability and how it affects the greater organisation.

Website & Mobile Application Testing

We will conduct an assessment of internally hosted and Internet-facing web and mobile applications against industry-recognised benchmarks, such as the OWASP Application Security Verification Standard (ASVS) standard, using a combination of automated and manual tools and techniques. Each web application is different so we will customise our approach as required to ensure critical business functionality is prioritised.

Application Security Assessment

We can assess any internally developed or third-party implemented thick or thin client applications installed within your environment. These can often be bespoke assessments, we will work with you to understand your requirements, how these applications may be tested and how any identified vulnerabilities affect the wider environment.

Server & Workstation Build Review

We will review the security posture of a range of operating systems installed on a variety of hardware platforms. We will review the patching levels as well as the security hardening status based on industry best-practice guidelines. This will be undertaken through a combination of automated, authenticated scanning as well as an on-host review. This ensures that any vulnerabilities can be verified, ruling out false positives.

Database Security Assessment

We will review the security posture of a range of RDMS and NOSQL database services against industry best-practice guidelines. This will be undertaken through a combination of automated, authenticated scanning as well as an on-host review using internally developed processes. This combination ensures that any vulnerabilities can be verified, ruling out false positives.

Network Device Build Review

We will review network and firewall device configurations from a wide range of vendors. These are typically reviewed through a combination of automated and manual techniques against an exported copy of the device configuration. We are also able to review devices via their management consoles or through a screen share with your engineers.

Code Review

A source code review should be performed as part of the Software Development Life Cycle (SDLC). We will perform a review of your source code to identify potential security vulnerabilities. These reviews could be performed individually, or in conjunction with a web application or thick client application assessment. A combination of automated and manual techniques would be used to ensure full coverage of larger codebases and so that business critical functionality can be prioritised.

Mobile Device Build Reviews

We will review the security posture of a range of mobile operating systems installed on a variety of hardware platforms. As more and more devices are used by employees to access sensitive organisational data from varying locations they must be configured to a secure standard and comply with the latest developments in mobile device management processes. We will review the firmware patching levels as well as the security hardening status based on industry best-practice guidelines and whether the company policies applied could be circumvented.

Cloud Penetration Testing

We will review the security posture of your cloud infrastructure for security weaknesses in line with industry best-practice guidelines. We will assess each resource within your subscription and identify anything that may expose unnecessary information or misconfigured settings that may affect the confidentiality, integrity and availability of the data they host and process.

Why AMR CyberSecurity?

AMR CyberSecurity has extensive experience in security penetration testing and only uses experienced, qualified, vetted security testers. All of our tests are carried out in accordance with our robust security testing methodology.

AMR CyberSecurity is committed to providing our clients with the best customer experience. Our tried and tested methodology ensures efficient and accurate initial engagement and scoping, scheduling, delivery and reporting.

AMR CyberSecurity is certified in accordance with ISO27001 and ISO9001, providing customers assurance that we manage our quality and internal security in accordance with best practice standards.

AMR CyberSecurity is an NCSC CHECK, CREST and STAR approved company with a team of experienced principal consultants holding the highest technical qualifications, providing our customers with robust assurance that our security testing methodologies and processes are in accordance with industry best practice.

Registered address
AMR CyberSecurity, 3000a Parkway
Whiteley, Fareham
Hampshire, PO15 7FX
UK
© 2024 AMR CyberSecurity · Registered Company Number: 11551941