CNS Hut3 - The External Penetration Testing Experts
At CNS Hut3 we're experts in performing and managing external penetration testing on behalf of our clients. We help evaluate and manage the risk of external attacks through a simple, clearly defined process.
There is more information about our penetration testing services below, however if you'd like to have a chat with one of our experts feel free to call us on or get in touch online.
Continuous Testing
The CNS Hut 3 Continuous Testing Service has been designed to help clients manage risk in a dynamic and more efficient manner than regular penetration testing. Currently most organisations test their external perimeter once or twice a year. As their networks change constantly and new vulnerabilities and attacks are discovered constantly it means that, for the bulk of the year, the client has no detailed knowledge of the risk they are currently carrying. In addition, modern pen tests often produce such a high volume of results that the information becomes unmanageable for large organisations. The CNS Hut3 Continuous Testing Service works by first establishing a base line by conducting a full manual penetration test. The network is then monitored for changes, at a rate determined by the client (daily, weekly, monthly etc.). Any changes are then manually tested and the results updated. The client can also request retests or new tests on demand, to validate fixes or changes. As well as monitoring for change, the system is intelligent enough to monitor existing results for new vulnerabilities that then require re-testing (e.g. if a new vulnerability comes out in the version of an OS).
At any stage the client can generate formal reports, XML files (for import into ticketing systems or other risk systems), CSV files for excel and a selection of other formats. The client can choose to report on all hosts or just a subset. At all stages the client is in full control. This offers the client the best parts of both automated and manual testing, producing a continuous and long term, technical risk identification and management system.
Requirements
IP Addresses - The IP addresses to be tested, this should include the full ranges, and even unused IPs as these will be constantly checked for rouge or unknown devices.
Client Priorities - The client can provide priorities for IPs and risks, which should be checked more frequently as a priority.
Client IP Weightings - The client can select the importance of IPs on a scale of 1-5, 5 being the most important. This will affect the risk rating for each issue identified.
Client Risk Weightings - The client can select the importance of types of risks on a scale of 1-5, 5 being the most important e.g data leakage is 4
Regulatory Requirements - If the client needs to comply with regulations such as PCI, they can be selected here.
Baseline
Initial Scan - An initial scan of all IPs is made, this includes version and operating system details. This is used to create a base line scan
Manual Pen Test of All open Ports and Services - A full manual penetration test is conducted of every open port and service. This is used to create a base line.
Update Scan
Scan - A full port scan including versioning information is performed against the targets.
Differences Identified - A diff is performed between the new scan and the base line.
Manual Pen Test - A full manual penetration test is conducted against any ports that have changed state or version, the base line is then updated.
Online Report Portal and Test Manager
Generate Reports - Reports can be generated on-demand, these can be of specific hosts, ranges or all IPs.
Adjust Weightings - The risk weightings established in the requirements can be adjusted to meet the clients changing needs.
Order Retest - A retest of specific issues can be requested to confirm fixes.
Order New Test - A new test can be ordered of specific hosts or all host e.g after a change.
Add New Assets - Assets can be added or removed.
Dispute Results - The client can dispute any issues and they will be further investigated and the client contacts.
Ask for More Info - Should the client need any further information on a particular issue to remediate it , this can be requested.
Reporting
XML - An XML report meeting the clients Schema can be generated on demand, this is ideal for import into other tools such as ticketing systems.
CSV - A CSV of issues can be generated on demand, this can of of all results of specific hosts.
Formal Report - A full formal PDF report can be generated on demand. This can be of all results or specific hosts.
Continuous Testing Process Flow