Services
 

A penetration test is a simulated cyber attack. We regularly conduct application (web, native, mobile), infrastructure, IoT, embedded, automotive and physical penetration tests.

Our consultants combine manual and automated testing with code reviews in order to achieve excellent coverage of your system under test. We generally perform our testing in a white-box fashion in order to ensure a cost-effective relationship with our clients.

The outcome of a penetration test is, in addition to an extensive report, a better understanding of your security posture and expert recommendations on how to improve it.

 

A penetration test is an authorized, simulated cyber attack on a computer system (embedded systems and vehicles included), network, or application. Most often the penetration testers are well informed about the system under test, have access to source code and are in contact with the system's owners, so that they can provide correct and detailed results in a short time.

A penetration test could have an element of physical presence at the customer's premises and could be performed with different levels of awareness, depending on the scope of the test.

Investing in cybersecurity through penetration testing is a way to protect your business, customers and valuable data. For some companies and systems it is also about regulations and safety: ensuring operations for critical infrastructure, reducing theft in financial systems or ensuring the roadworthiness of vehicles. A penetration test's primary goal is to evaluate the security of the system under test. This is done by identifying weaknesses (vulnerabilities) in the target's configuration and/or implementation which could lead to unauthorized access to features or data.

Although the technical details vary depending on the system under test and the target of the test, the process is the same:

  • Scoping of the target and planning are done closely together with the customer. The scope can focus on very specific functionality to identify hard-to-find issues or be broad to cover common issues in a large attack surface. The scope and planning are tailored to the maturity of the system under test and the customer's needs. Access to and availability of systems and hardware are also considered.
  • A startup meeting is held with the customer to kick off the testing and hand over access and any hardware or other information needed.
  • Information gathering and reconnaissance is performed to understand more about the system under test and to tailor the coming test.
  • Testing consists of multiple activities, for example discovery, scanning, vulnerability assessment, exploitation (post-exploitation), final analysis and review. This is when we challenge the system under test.
  • Reporting and presentation of the results are done with the goal to enable improvements of the customer's security. After the report is handed over to the customer, a debriefing presentation is held to showcase and discuss the findings with the customer and interested parties.

After a penetration test we offer verification tests to affirm mitigation of previously found vulnerabilities, as well as advisory services and training to improve the overall security.

A penetration test can be performed in several stages of the development and release cycles, for example when a new feature is implemented or a new system is about to be deployed. It all depends on the target, its life-cycle and applicable requirements. Penetration tests can also be performed on older systems to assess the security and clarify risks. Any vulnerabilities that are mitigated benefit from a verification test to confirm the solutions and investigate any new vulnerabilities or risks.

The goal of the penetration test is to make security easy and understandable for you and your colleagues, so that you are aware of the risks and can take active decisions on improving security. You will receive a written report and a presentation detailing the findings, including risk rating and recommended actions for mitigation. We describe the tools used, how the test was performed and the reasoning behind the findings and the risks. Any useful scripts for testing can be handed over. The information we provide can be used to strengthen and improve the security posture of your assets. Some of our customers use the testing outcome to learn and to improve their own security testing. If there are specific competence gaps we also offer training, stretching from general introductions to hands-on hacking sessions with your developers and testing teams.

 

Get in touch to inquire about a penetration test with our experienced team.