Levels of Penetration Tests
Which level of test do you need?
The below table provides a comparison of the different levels of tests available to assess and exploit potential vulnerabilities on your networks and systems.
Any combinations of the below tests are available, depending on client requirements. The scope of each test is established and agreed based on detailed consultation with our clients.
In most cases, IT Governance’s CREST-approved penetration testing team recommend a Level 1 Penetration Test that will identify exploitable vulnerabilities before they can be uncovered by an indiscriminate cyber attack.
Level 1 Penetration Test
Our Level 1 Penetration Test identifies potential vulnerabilities that your networks, systems, websites and web applications, or wireless networks may be exposed to. Combining a series of manual assessments – where systematic and logical thought processes, analytical thinking and skilful decision-making are required – with automated scans, our team is able to assess the true extent of your system or network’s vulnerabilities. Conducted by highly skilled ‘ethical hackers’, the Level 1 Penetration Test includes a detailed report providing recommendations for fixing any holes and addressing each of the identified issues. This type of test provides a good overview of an organisation’s security posture and in most cases is a faster and more cost-effective solution than the lengthier Level 2 Penetration Test.
Level 2 Penetration Test
This test involves looking at the potential vulnerabilities identified and explicitly trying them one by one to see if the tester can obtain access to the resources. A Level 2 Penetration Test is a painstakingly detailed process of identifying security holes and vulnerabilities in your hardware and software (including printers, fax machines, workstations), systems or web applications and then attempting to exploit them. Due to the extent of these tests, Level 2 Penetration Tests often take several weeks to complete and are usually only recommended to clients who require a complex cyber attack simulation.
Vulnerability scans
A vulnerability scan is a series of automated tests that provide a very high-level overview of the potential vulnerabilities. Vulnerability scans do not provide the deep analysis and insights of a vulnerability assessment or a penetration test, due to the expertise, experience and depth of combined automated and manual tests employed by penetration testing teams.
|
Detail of test |
Vulnerability Scan |
ITG Penetration Test – L1 |
ITG Penetration Test – L2 |
|
Pre-assessment client scoping and consultation |
 |
|
|
|
Scope of assessment |
Agreed with client |
Agreed with client |
Agreed with client |
|
Fixed-price package available |
--- |
Yes, limited scope |
--- |
|
Can be conducted internally and externally |
|
|
|
|
Identification of potential vulnerabilities |
|
|
|
|
Identification of configuration vulnerabilities |
|
|
|
|
Identification of potential security loopholes |
--- |
|
|
|
Immediate notification of critical issues |
|
|
|
|
Automated scanning |
|
|
|
|
Manual scanning |
--- |
|
|
|
Manual testing |
--- |
|
|
|
Manual grading of vulnerabilities |
--- |
|
|
|
Exploitation of potential vulnerabilities to establish the impact of an attack |
--- |
--- |
|
|
Reporting |
|
Type of report generation |
Automated report |
Manually written |
Manually written |
|
Executive summary in business terms |
--- |
|
|
|
Technical report with remedial actions per identified issue |
--- |
|
|
|
Where used |
|
Facilitates compliance with the PCI DSS (dependent on compliance category) |
Not recommended |
|
|
|
Facilitates compliance with ISO27001 |
Not recommended |
|
|
|
When to conduct tests |
|
On a regular basis |
|
|
|
|
After changes have been made to the network/website |
|
|
|
|
After a data breach |
Not recommended |
|
|
Purchase a Level 1 Infrastructure, Web Application or Wireless Network penetration test now or contact us to discuss your Level 2 penetration testing requirements.