A penetration test or external audit is a detailed analysis of your network and associated systems from the perspective of a potential hacker. A penetration test will test your network for thousands of known vulnerabilities and provide a detailed report of any vulnerabilities that are found.
 
Because every organization is different, our Penetration Testing service can be customized to meet your needs. Our security consultants will work with you to properly estimate the size and scope of your test. The one-time Penetration Test service provides a single test, while a subscription provides a repeated periodic test of your company’s network and associated systems.
 
You can specify who in the organization will be informed of the test and what systems will be tested. If you would like to specify that certain systems or components not be tested, they can be removed from the test. NDI will not undertake any Penetration Testing until the test has been duly authorized by the client and the scope clearly defined. As a client you can specify, for instance, a “look, but don’t touch” policy, or a “please inform us immediately of any found vulnerabilities” policy. We are flexible regarding these options and can customize a process that will meet your specific needs.
 
The testing process initially gathers available information or intelligence about your company’s network to find details that could prove useful to a potential attacker. Your network is then actively probed (also known as scanning, mapping or penetration testing) looking for security weaknesses that could be exploited. When performing Penetration Testing, NDI will not place or alter any files on any systems. Our tests are designed to limit bandwidth usage so that system resources are not drained during the test. 
 
Our penetration test will include testing for:

* bugs, exploits, vulnerabilities and security holes
* firewall and router weaknesses
* exploitable trusts and shares between systems
 
Testing will not include application vulnerabilities such as CGI scripting weaknesses, cross-site scripting vulnerabilities or SQL injection vulnerabilities.
 
While performing these tests, we may also uncover other issues that do not pose a security threat but indicate a non-optimal configuration that may cause performance problems or functional instability. We will fully document these issues.
 
Once the tests are completed, the results are compiled into a report. This report contains both a management level overview of any issues and also technical level details of the test results including full details of each security issue uncovered. Full technical details of how to fix each security leaks is included in the report. In addition to any security issues, the report also lists any non-optimal configurations that were found during the tests.
 
The report is just the first step. The report will not enhance network security unless quick action is taken to implement the suggested changes.  The service does not include consulting services to assist with making the changes to the network identified by the report.  These consulting services are available as an option for an additional fee (this fee will be quoted once the scope and extent of the additional consulting services is known.)
 
Security is a process, not an event. Servers and network devices are changed regularly, new patches are released and new vulnerabilities are discovered daily. In addition to correcting any identified possible vulnerabilities, you should plan on regularly re-scanning your internet exposed devices on a regular and recurring basis.