Penetration Testing is the simulation of an attacker's activities with the goal of testing/validating the security of IT systems. Ideally, a penetration test includes systems or networks thought to be reasonably secure. A penetration test may be limited to specific network areas or allow the tester full network access to most accurately simulate an attacker. A good penetration test makes no significant, irreversible changes even to systems compromised as part of the test; however, any penetration test could cause a system to fail unexpectedly.
- Perimeter - A perimeter penetration test probes the security of the network perimeter and externally accessible devices and attempts to gain access to corporate assets from outside the organization. This type of test typically simulates Internet-based attackers; it may also include dial-up (modem) access, telephone calls to company personnel ("social engineering"), dumpster diving for important information and even physical security checks (access to corporate facilities). Because many of these systems are sensitive, we carefully scope all perimeter penetration tests with the client.
- Internal - An internal penetration test tries to simulate an insider's ability to gain unauthorized access to systems. This type of test discovers and attempts to circumvent the security controls of internal servers and systems, and attempts to gain escalated access privileges on these systems and access to other users' data. An internal penetration test allows the client to estimate and mitigate the damage that might be done by disgruntled insiders or those who can gain access to the internal network.