Texas Compliance, LLC is Texas’ leading provider of network penetration testing services for businesses in Austin, Dallas, Houston, San Antonio, and all other areas throughout the Lone Star State.
Listed below is a comprehensive overview of some of the most commonly requested types of penetration tests from Texas Compliance, LLC, a leading provider of pen tests for businesses throughout Texas:
Network Penetration Testing
“External” Network Penetration Testing
“Internal” Network Penetration Testing
“Network Layer” Penetration Testing
“Application Layer” Penetration Testing
Website Application Penetration Testing
Application Penetration Testing
Cloud (SaaS, PaaS, and IaaS) Penetration Testing
Client-Side Penetration Testing
Wireless Penetration Testing
Social Engineering Penetration Testing
Black Box Testing
White Box Testing
Grey Box Testing
Network Penetration Testing
When the subject of penetration tests comes up, the phrase “Network Penetration Testing” often surfaces, and for good reason, as this is one of the most common types of pen tests performed. In fact, almost every penetration test conducted by a pen tester involves some aspect of “testing” the network; hence, network penetration testing is performed by default on most pen tests.
Network penetration testing is also commonly referred to as “Network Layer Penetration Testing”, which typically includes external/internal testing of networks (LANs/VLANs), testing between interconnected systems, wireless networks, social engineering, etc.
There are generally two (2) types of network penetration tests – internal network penetration testing and external network penetration testing. Regardless of which type of network penetration testing is performed, such a test generally includes testing the security of – and trying to bypass – the following network systems and components: Firewalls, routers, switches, load balancers, and other related network devices.
External Network Penetration Testing
Network penetration testing is generally the most common type of pen test performed, with testing done externally, from outside the network, hence the phrase “external network penetration testing”. The goal is for an attacker – or an ethical pen tester – to attempt to gain access into the internal network, thereby obtaining sensitive corporate and client data and information. By exploiting external facing web servers and network devices, the ultimate goal is to get “inside from the outside”.
Internal Network Penetration Testing
The goal of internal network penetration testing is essentially identical to that of external network penetration testing: exploiting vulnerabilities and gaining access to internal systems. The difference in the type of attack – and in the type of pen test conducted – is that the attacker (or in the case of pen testing, an ethical hacker) begins within the network, not from the outside. More and more internal attacks are occurring, so much so that the phrase “insider attacks” is now very common in the InfoSec world.
Network Layer Penetration Testing
Network layer penetration testing generally includes external/internal testing of networks, such as Local Area Networks (LANs) and Virtual Local Area Networks (VLANs), testing between interconnected systems, wireless networks, social engineering, and more.
Application Layer Penetration Testing
Application layer penetration testing, as the name implies, is testing done on various types of applications, such as web applications, client-server applications, and more. The testing performed can range from credential and access testing (for determining what type of access a pen tester can actually obtain) to testing of the underlying security and functionality of the application code.
Website Application Penetration Testing
With the massive growth in web development, it’s no surprise that website application penetration testing is now one of the most commonly requested penetration tests. This is especially true for e-commerce sites that store, process, and/or transmit cardholder data (i.e., credit card information).
This type of test can assess a wide range of systems and supporting applications, including different types of test methods (i.e., Black Box, White Box, Grey Box). It’s therefore critical to conduct proper scoping for website application penetration testing.
When conducting website application penetration testing, a pen tester is trying to exploit the web applications themselves, their underlying languages and code, APIs, connectivity, systems, frameworks, credential and access rights, and more.
Application Penetration Testing
While a large portion of application penetration testing is generally geared towards web-based applications – and understandably so – other forms of application testing can be performed. Internal systems on a Local Area Network (LAN), and other non-web-based applications are often tested during application testing.
Tests can include, but are not limited to, the following: (1) Testing for privileges and access granted to application users. (2) Testing of the underlying code for internally developed applications. Additionally, application penetration testing is also commonly referred to as “Application Layer Penetration Testing”, which typically includes testing of websites, web applications, thick clients, or other applications, etc.
Cloud (SaaS, PaaS, and IaaS) Penetration Testing
With migration to cloud environments in full swing, penetration testing for Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) is becoming very common. Two (2) of the biggest cloud providers in the world, Amazon AWS and Microsoft Azure, provide services to an untold number of businesses that need to have annual penetration tests performed. And with growing regulatory compliance requirements for many businesses operating in the cloud, penetration testing is going to become even more of a mandate.
Please note that for penetration testing performed against environments in Amazon AWS, you’ll need to submit a penetration testing request, which essentially means gaining approval from AWS for such testing. Learn more here: https://aws.amazon.com/premiumsupport/knowledge-center/penetration-testing/
As for Microsoft Azure, you’ll need to adhere to the Microsoft Cloud Unified Penetration Testing Rules of Engagement. Learn more here: https://technet.microsoft.com/en-us/mt784683.aspx
Client-Side Penetration Testing
Now a very commonly requested test, client-side penetration testing is designed to find security vulnerabilities in software that can be exploited very easily on a client computer, most notably on user workstations. First and foremost, most user workstations are actually quite insecure and not properly hardened, which can create massive security challenges. And considering the fact that user workstations have access to critical network services, protecting user workstations is now more important than ever.
Texas Compliance, LLC offers comprehensive client-side penetration testing for assessing what vulnerabilities exist within client-side environments. Specifically, from browser testing to assessing other well-known software solutions/platforms, our client-side penetration testing is very comprehensive. Once organizations start to really learn more about the growing list of vulnerabilities found in many of today’s most commonly used programs, they then understand the importance of client-side penetration testing and any subsequent remediation that needs to be undertaken.
Wireless Penetration Testing
Almost every business today is using some form of wireless access, whether for internal employees, guest access, or other environments. Having one’s wireless platform compromised can create serious security issues, so it’s critical to assess the overall security of a business’s wireless platform. It’s important to note that we often assess and test wireless platforms as part of any comprehensive network penetration test, but we can go much deeper, if necessary. From testing default credentials to access points, and more, Texas Compliance, LLC’s wireless penetration testing is thorough indeed.
Social Engineering Penetration Testing
Attackers are finding a number of avenues for gaining access to an organization’s internal systems, and social engineering attacks are one of the most commonly used tactics. From fake Facebook pages to random phone calls requesting access rights to systems, social engineering attacks are on the rise, so be prepared. Nothing protects an organization better than well-trained, educated, and knowledgeable employees, hence the reason for performing simulated social engineering attacks to test an organization’s preparedness.
Texas Compliance, LLC can perform the following social engineering penetration tests:
Phishing email testing
Phishing website testing
Personalized social engineering testing
Vishing phone testing
Other necessary testing
Black Box
This type of penetration testing, which is more of a methodology of pen testing, is performed with no prior knowledge of the target host/in-scope environment. It’s highly beneficial and reflective of a real-world attack, but also challenging in that a pen tester can push the limits and possibly compromise/damage information systems. Texas Compliance, LLC offers black box penetration testing services for businesses all throughout North America.
White Box
This type of penetration testing, which is more of a methodology of pen testing, is performed with comprehensive knowledge of the target host/in-scope environment. It’s highly beneficial in that such testing is very thorough and deep, allowing for excellent feedback on one’s security posture. Unfortunately, it’s not a realistic real-world test, as hackers who attack systems rarely have any knowledge of the environment, or any type of credential access to it. Texas Compliance, LLC offers white box penetration testing services for businesses all throughout North America.
Grey Box
Just as it implies, this type of testing lies somewhere in between black box and white box testing. The idea is to provide basic information to the pen tester regarding the target host/in-scope environment, but not enough to where they have a full and complete understanding. Grey box testing has become quite common in today’s InfoSec world, as it has some obvious advantages over a pure black box and/or white box testing scenario. Texas Compliance, LLC offers grey box penetration testing services for businesses all throughout North America. Complete our quick-and-easy Penetration Testing Scoping Questionnaire today to receive a quote.
Texas Compliance, LLC also provides testing for all major regulatory compliance laws, regulations, and industry directives (e.g., PCI DSS, HIPAA, FISMA, DFARS NIST 800-171, and much more).