Comprehensive Penetration Testing

  • Part: 2708436
$69,000.00

Availability

Service
Service will be provided by Dorks Delivered at an agreed time.

A vulnerability scanning security assessment is a type of security test that uses automated tools to scan an organisation's IT systems and networks to identify potential security vulnerabilities. We conduct this assessment using specialised software tools that scan an organisation's IT infrastructure and identify potential vulnerabilities, such as unpatched software, open ports, and weak passwords. The goal is to identify potential security risks that could be exploited by malicious actors and provide recommendations for addressing those vulnerabilities. By conducting a vulnerability scanning security assessment, organisations can proactively identify and address security risks, improve their security posture, and minimise the risk of a successful attack.

We will undertake a comprehensive penetration test of your digital estate. 

OSINT and Phishing: The assessment will begin with Open-Source Intelligence (OSINT) gathering exercises. Information collected during this phase may include potential assets/targets, credentials and information about technologies used by the organisation. We will supplement the OSINT gathering activities with a facilitated phishing exercise designed to capture credentials.

External Network Penetration Test: An external penetration test will be undertaken to establish the security posture of your public-facing assets. The scope of the external penetration test will be made up of assets discovered during the OSINT phase, and an exhaustive list of assets provided by you. We will attempt to identify and exploit vulnerabilities within the internet-facing environment. Credentials collected during OSINT and Phishing will be used to attempt to authenticate with internet-facing systems. The goal of the external penetration test is to identify and exploit vulnerabilities which could allow us to compromise an asset and potentially gain access to your internal network.

Web Application Penetration Testing: Web application penetration testing will be undertaken against your public-facing websites and applications. The penetration test will use a black box methodology to assess the assets in scope. The targets for assessment will comprise assets identified during OSINT and assets provided by you.

Internal Network and Wireless Penetration Testing: We will perform a time-boxed grey box penetration test against your internal network. During this assessment, we will conduct an authenticated vulnerability scan of assets in scope. This will allow us to provide you with a comprehensive overview of the internal network's security posture, and it will also provide efficiencies, saving the consultants a significant amount of time enumerating the environment.

The penetration test will be undertaken from two perspectives, black box and assumed breach. The black box perspective will be used to enumerate the network and its connected devices, and it will also be used to assess unauthenticated access to services available on the network. The second phase will be an assumed breach scenario in which you will provide us with an end-user device provisioned with your standard operating environment and a low-privilege Active Directory account. We will assume the role of an internal threat actor/compromised identity and attack the network from this perspective. During this phase, Infotrust will also perform a black box penetration test of wireless networks in a single geographical location.

Cloud Configuration Audit: We will perform a cloud configuration audit of your Azure environment.