In a penetration test, instead of simply examining a system or application for potential vulnerabilities, one of IRM’s security-cleared teams will attempt to gain illicit access to protected resources and exploit any underlying vulnerabilities. In doing this, the team will use the precise methods and tools that are in practice employed by 'real' hackers and computer criminals.

To do this we build a 'Scenario' of the type of person and the type of activities that might be targeted at the client's infrastructure. This might be of an ill-informed external hacker or perhaps of a disgruntled insider; it might even encompass a determined criminal willing and able to gain illicit physical access to a building. IRM audit engineers have enacted these and many other extreme scenarios so as to provide a realistic appraisal of information security.

A precisely defined engineering methodology is applied by the audit team. This allows vulnerabilities to be identified and isolated, and the necessary intrusion tools to be obtained or developed. This then ensures that access is gained in a safe and controlled manner - be that physically or logically.

Throughout this intrusion exercise the audit team will endeavour to understand precisely how a 'real' hacker would feel about the information obtained: would they be excited or disappointed, optimistic or pessimistic about their prospects of gaining entry; in other words, quite apart from whether they would succeed, would they hope to succeed in gaining access?

By using the same tools and approach as a hacker would, the penetration test audit team can provide clients with a precise idea of the 'view from the hacker's eyes' into the target system. In this way we can help clients to ensure that not only are they secure but that they are demonstrably secure, thereby assisting in deflecting or deterring the hackers' attentions from the client's computer infrastructure.

As an output from the penetration test, the client receives a detailed report indicating not only the vulnerabilities but also recommendations for the ways in which the overall security of the targeted infrastructure can be improved.