Engagement Summary

1.1 Introduction

Vulnerability assessments focus on examining a particular application or service for vulnerabilities, whereas penetration testing is a crafted set of tests conducted specifically to penetrate the customer's cyber defences, with the goal of gaining access to a customer-specified information or system asset.

Our goal is to identify the network and/or application components that pose the greatest risk to business resilience and to recommend an initial remediation plan, using our unique test methodology.

This security review is conducted based mainly on black-box, hands-on sampling (manual penetration testing) in accordance with an organized methodology applied to representative platforms and systems. In a relatively short period, the test team will identify the application architectures, infrastructure-related issues and implementations that need to be improved.

The purpose of this initial test is to give customers a quick snapshot of the status of their website vulnerabilities, so that they may address the typical vulnerabilities most exploited by the average low-level hacker and thereby achieve a quick improvement in their cyber posture. Although these initial tests are important for a customer taking the first step in closing any major deficiencies, they do not provide the breadth of testing that typical compliance testing would require. For that, Intact uses more extensive testing that meets the various compliance requirements.

With over 20 years of hands-on experience as elite, government-level security experts, each team member brings a unique set of skills and expertise to the test process. In addition, with our partners, we have created a unique global red team community to stay on the cutting edge of penetration testing tools and know-how. These tools and this understanding have been combined with our own leading-edge technology in support of our proprietary attack-tasking methodology, which is underpinned by machine intelligence and advanced statistics. The result is in-depth vulnerability identification, supported by actionable mitigation strategies to proactively address the security coverage gap.

For a more comprehensive overall security assessment, customers may nominate which compliance-related test they require. Alternatively, the customer may identify a threat surface to be assessed in order to identify vulnerabilities that an attacker could exploit, in addition to testing against these to obtain access to a customer's information assets. In this context, the customer may also request that Intact demonstrate the exploitation of the vulnerabilities by including a penetration test targeted at a specific information asset. Alternatively, a penetration test may be set up by specifying the target information asset without any comprehensive vulnerability assessment. The goal of such a penetration test would therefore simply be to "capture the flag", and it would usually be used where a customer wants to test their security detection and response capabilities. These types of tests are scoped with the customer and costed specifically to the requirements of the assessment project.

The tests are also an important part of any organization's regulatory compliance programme, and most cyber security standards require that a customer's website be assessed on at least an annual basis.