Penetration Testing

Penetration Testing

A Pen Test review is a survivability and resilience test that may be used in conjunction with any other VA level (see below). It is intended for system identified specific requirements in this area. (E.g. Web servers having to survive a 'denial of service' attack).

This will involve the use of specialist personnel as well as both manual and automated tools and test both physical and procedural security measures.

Vulnerability Assessment Levels

• Basic compliance assessment

This consists of a basic configuration check of the Electronic Security Environment (ESE), processes, mitigations and controls to establish whether a system is correctly configured and supported, to meet the security measures specified in its security policy documentation set. It consists of manual and automated tests using review tools and pre-scripted tests.

• VA 1 - Basic assessment

A VA 1 will identify all system and connected network elements, analyse topology and locate vulnerabilities and/or initial entry points. The assessment consists of a network survey and a basic scan typically performed with automated tools.

• VA 2 - Intermediate assessment

 A VA 2 demonstrates that the basic vulnerabilities discovered during VA 1 could be used to gain further access to the system, or compromise its integrity or confidentiality. This will typically use manual and automated tools.

• VA 3 - Enhanced assessment

A VA 3 aims to identify exploits which can be used against those vulnerabilities identified as part of the VA 1 and 2 in order to gain access, exploit trusted relationships, and exploit new vulnerabilities. A VA 3 may involve specialist personnel, automated and pre-scripted tool sets.