What Is A Penetration Test?

Penetration testing, also known as pen-testing or a pen test, is a process in which a tester looks for exploitable vulnerabilities from within an IT infrastructure that may allow the tester to subvert, modify and extract information. An attacker's objective is to identify entry points for accessing your data; these entry points can be vulnerabilities in one or more systems, which may include operating systems, firewalls, web servers, web applications, services and other devices.

External Penetration Testing simulates an attacker targeting Internet-facing systems that are connected to internal resources such as databases, with the aim of extracting data or installing back doors for later use; in most cases the attacker would do both (see diagram). This penetration testing covers three main ways into a given system: (1) open services on servers; (2) network devices such as routers and firewalls; (3) weaknesses within web applications that allow sensitive information to be retrieved using code injection and other methods. Within each method we search for human errors in the design and/or implementation, and/or user misconfigurations, that can pose potential weaknesses. These weaknesses can later be exploited to deface a website, upload files, obtain access to a user's mailbox and obtain administrative rights.

Internal Penetration Testing simulates an attacker who has a foothold in the internal perimeter (see diagram). This penetration testing covers three main ways into a given system: (1) open services on servers and workstations; (2) finding and locating system defaults, security updates, etc.; (3) finding databases that may expose sensitive information due to vulnerabilities, updates or misconfiguration. The test targets internal resources such as servers, workstations, storage devices and other devices, with the aim of gaining unauthorized access to those systems.
Deliverable

The final report will include detailed information on security risks and vulnerabilities, along with the necessary countermeasures and recommended corrective actions. The final report will consist of the following sections:

Introduction – including the scope and methodology used for this pen test.
Executive Summary – appropriate for senior management to review and understand the current level of risk.
Findings and Recommendations – providing sufficient technical detail for the IT team to understand and correct the issues.