How it works
CSIS supplies a laptop to the customer, who then connects the laptop to the organisation’s network. The laptop establishes a secure VPN connection back to CSIS, either via the organisation’s network, or via a built-in 3G mobile connection.
The laptop observes, collects and analyses information flowing through the organisation’s network. The work is primarily manual, although some processes are automated.
The test will typically run for 2-4 weeks, although this figure varies according to the nature of the organisation and IT setup.
As results accumulate during this period, CSIS increases the amount of active testing and applies a range of simulated attacks. The actual man hours spent on this are typically much less than the total duration of the test.
The customer may set up 3 pre-defined targets for simulated attack (e.g. customer data on a single drive, the organisation’s ERP system, or even accessing the CTO’s email).
Standard penetration test
A standard penetration test requires that the laptop has a continuous supply of power and continuous access to the customer network for the entire duration of the test. A standard penetration test is carried out over a 2-4 week period.
A technical report usually takes 1-2 days to create, but may take a day longer if the number of vulnerabilities found is excessive, or if a management summary is required.
Automated and manual testing
CSIS’s penetration tests are based on a user who has no rights in the organisation’s systems, simulating the tools, tactics and procedures of a real-world attacker’s breach of the organisation’s internal network.
CSIS penetration tests are a combination of automated and manual testing, and all results are verified manually to eliminate false positives from the report.
Additional service options
If the customer wants to test an initial attack vector (e.g. phishing, spear-phishing, tailgating, burglary, lost USBs), this can be done by extending the scope before the work starts.