Find out how your site’s security holds up against attacks
DDoS protection, proactive 24/7 anomaly detection, and intelligent cutting-edge security come with every Storm server. But no one is immune to online threats, or the subsequent financial and reputational damage. Storm’s controlled penetration testing helps you level up your security for proven protection against online threats.
- Expose your own vulnerabilities
- Avoid crippling fees and bad press
- Enhance PCI DSS compliance
9 out of 10 sites are vulnerable
Studies have shown that 90% of websites are vulnerable to malicious attacks. With penetration testing you can identify weak spots and implement next-level security to protect your information and customers.
Slash your risk, up your protection
Website plug-ins or other fancy enhancements might satisfy your end-user requirements, but they can also increase your exposure to vulnerabilities. Storm’s penetration testing uses controlled “black hat” tools and methods to simulate real cyber-attacks. Our mission will be to gain entry to your servers or sites to see how secure they really are.
Solidify your business continuity
Whether it’s uptime or downtime, time is money. Reports and recommendations from Storm’s security analysts deliver the intelligence needed to adjust your hosting environment to operate with continuity and minimal risk.
Avoid crippling fines & negative press
Negligence can kill a business. But with Storm’s penetration testing you’ll demonstrate regulatory compliance – no toxic press or crippling fines. Complement your pen-test reports with audit reports from the Security & Performance Centre as evidence of continuous due diligence to ICO auditors, stakeholders, and end-users.
Maintain PCI-DSS compliance
Penetration testing aids compliance with PCI-DSS requirements. See how well your sites, servers, and networks stack up against PCI-DSS requirements by checking security, performance, and data protection scores within the Storm Security Centre.
FAQ: Server Penetration Testing
Penetration testing, often referred to as “pen testing”, is a controlled attack against a web application, network, or computer system. The purpose of a penetration test is to identify vulnerabilities that could be exploited by real attackers. Examples of potential vulnerabilities include API Insecure Direct Object References (IDOR) and injection flaws, unsanitised inputs, open ports, unpatched software components, and so on.
Penetration testing is usually performed in five stages:
Planning & Reconnaissance
Since the goal is to simulate a real attack on a target, the first step involves defining the scope of the penetration test, which includes identification of the targets and potential methods that can be utilised during the attack. This is followed by intelligence gathering, where the pen test team will gather any information on the target, which can include domain names, network topology, server names and IP addresses, operating systems, user accounts, and so on.
Scanning
During the scanning phase the pen test team will use software tools to scan the target. These tools may vary depending on the target, and also on what type of penetration test it is. They can be used to identify open ports, analyse network traffic, scan code, and so on. The idea is to look for potential entry points and/or vulnerabilities that can be exploited.
Gaining Access (Exploitation)
With reconnaissance and scanning completed, the pen test team puts the gathered intelligence to use by attempting to compromise the target by exploiting vulnerabilities. This stage often involves web application attacks like cross-site scripting, SQL injection, backdoors, and other methods.
Maintaining Access (Post-Exploitation)
An additional phase can be added to the penetration test in which the pen test team attempts to maintain access to the target system. This can involve creating backdoors, or installing rootkits or Trojans.
Analysis and Reporting
The pen test team provides a detailed report that summarises the test. The report generally includes the identified vulnerabilities, their severity, and the steps to reproduce them. It typically also includes recommended mitigations or corrective actions to address each vulnerability.
There are three types of penetration testing:
Black Box / Black Hat Penetration Testing
The key characteristic of a black hat pen test is that the team has no prior knowledge of the target. This type of pen test simulates a real-world attack.
White Box / White Hat Penetration Testing
With a white hat pen test the team has full access to the target as well as all necessary source code and documentation. The purpose of this test is to evaluate all aspects of system security.
Grey Box / Grey Hat Penetration Testing
The pen test team has partial knowledge of the system. This type of pen test is meant to simulate a real-world scenario where, say, a disgruntled employee could be the attacker.
In addition to these three flavours of penetration tests, different types can also be requested, each with a specific aim:
Network Penetration Testing
The purpose of a network pen test is to identify vulnerabilities that could be exploited to give unauthorised users control over the network or network resources. This can involve testing of servers and network hosts, firewalls, and network protocols.
Web App Penetration Testing
Websites and web apps are tested for vulnerabilities such as Cross-Site Scripting (XSS), SQL Injection, and Cross-Site Request Forgery (CSRF). This is especially important for eCommerce sites and applications working toward PCI DSS certification.
Mobile App Penetration Testing
Here the pen test team tests mobile apps for potential vulnerabilities such as insecure data storage, weak encryption, or vulnerabilities specific to Android or iOS operating systems.
Wireless Penetration Testing
This type of testing probes wireless networks, such as WiFi and Bluetooth, for vulnerabilities which may include weak encryption algorithms, insecure protocols, or unauthorised access points.
Social Engineering Penetration Testing
How aware are your personnel? Do they adhere to security policies? That’s what social engineering penetration testing examines, using techniques such as phishing emails, pretext calling, or physical security tests to manipulate employees into revealing sensitive information or granting access to systems.
Physical Penetration Testing
As the name suggests, the pen test team attempts to gain physical access to sensitive areas on the premises such as server rooms or on-premises data centres. The goal is to assess physical security measures.
Cloud Penetration Testing
Cloud penetration testing evaluates the security of a company’s cloud-based systems and infrastructure. This is especially important in a cloud-enabled digital landscape where access to cloud-based services has become the norm.
Red Teaming combines all the (applicable) penetration tests mentioned above into one. It is a full scope controlled attack on an organisation’s security, both digital and physical.
Pen testing can involve the attempted breaching of any number of application systems (e.g., application programming interfaces (APIs), frontend/backend servers) to uncover vulnerabilities, such as unsanitised inputs that are susceptible to code injection attacks.
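To make two of the vulnerability classes named in this FAQ concrete (injection flaws via unsanitised input, and Insecure Direct Object References), the following added example shows each weakness beside its hardened form. It is illustrative code written for this page, not Storm’s own tooling or a finding from any real test; the in-memory SQLite schema, the table contents and the function names are all constructed for the demonstration.

```python
import sqlite3


def build_db():
    """Constructed in-memory database standing in for an application's data store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner_id INTEGER, item TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.invalid"), (2, "bob", "bob@example.invalid")],
    )
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(10, 1, "laptop"), (11, 2, "phone")],
    )
    return conn


def find_user_vulnerable(conn, name):
    """Injection flaw: caller input is pasted straight into the SQL text,
    so a value containing quotes or operators changes the query's meaning."""
    sql = f"SELECT id, name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Hardened form: a parameterised query. The driver binds the value,
    so it is compared as data and never parsed as SQL."""
    return conn.execute(
        "SELECT id, name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def get_order_vulnerable(conn, order_id):
    """IDOR: the object is looked up by a caller-supplied id with no check
    that the caller is entitled to see it."""
    return conn.execute(
        "SELECT id, owner_id, item FROM orders WHERE id = ?", (order_id,)
    ).fetchone()


def get_order_safe(conn, current_user_id, order_id):
    """Hardened form: ownership is enforced in the query itself, so another
    user's order is simply not found rather than disclosed."""
    return conn.execute(
        "SELECT id, owner_id, item FROM orders WHERE id = ? AND owner_id = ?",
        (order_id, current_user_id),
    ).fetchone()


if __name__ == "__main__":
    db = build_db()
    # A name value that a pen tester would flag: it closes the quoted literal
    # and appends an always-true condition. Only the vulnerable query is affected.
    probe = "x' OR '1'='1"
    print("vulnerable lookup rows:", len(find_user_vulnerable(db, probe)))  # 2
    print("safe lookup rows:", len(find_user_safe(db, probe)))              # 0
    # User 1 requesting user 2's order: disclosed by the IDOR version only.
    print("idor:", get_order_vulnerable(db, 11))
    print("fixed:", get_order_safe(db, 1, 11))
```

The two safe functions show the pattern a report's "recommended mitigation" column usually boils down to for these classes: bind user input as parameters rather than building query strings, and make the authorisation decision part of every object lookup rather than trusting the identifier the client sends.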
Prevention is better than cure. In that context, a penetration test actively identifies weaknesses in your online security, and provides the reporting and assistance to eliminate those vulnerabilities. A penetration test can also be used to fuel compliance with regulatory auditing requirements, enhance technical controls, and deliver overall confidence in your hosting security.
No. The difference between penetration testing and “black hat” hacking attempts is that penetration testing is controlled and therefore poses no threat to your sites or servers. Another term for penetration testing is “ethical hacking”, the aim of which is simply to improve the security of the target website.
By shoring up the vulnerabilities exposed during penetration testing, you can dramatically reduce the risk of a breach through your website or server.
Vulnerability scanning proactively identifies vulnerabilities. Typically, a vulnerability scan is an automated process that relies on software to scan for and identify vulnerabilities. Human input can sometimes be required during the analysis phase to interpret results and to eliminate false positives.
An example of a vulnerability scan is Storm’s PCI external vulnerability scan conducted by SecurityMetrics, which is a Payment Card Industry Data Security Standard (PCI DSS) Approved Scanning Vendor (ASV). Learn more about Storm’s PCI External Vulnerability Scans.
Storm Internet wins Best Hosted Provider at 22nd ISPA Awards
Over the years Storm Internet has collected a number of awards. They reflect a core methodology by which we empower our clients by providing them with the technology and tools they need to accomplish their goals efficiently.