This site uses advanced css techniques
I've been doing TCP/IP networking for more than 10 years and have been setting up internet firewalls since 1994: these have provided a very strong base in understanding internet services, the protocols as they travel over the wire, and how to defend a network's border.
In 1999 I began performing active network reviews for customers, which are more "on the offensive". These tests vary widely in scope, from a brief few-hour review, to a see-if-I-can-get in penetration test, to a multi-week, fully-documented audit.
For modestly-sized networks, I can generally perform a once-over inspection looking for the obvious holes in a few hours. This is not so much to provide a "you're secure" stamp of approval, but to simply catch the serious oversights that can lead to simple network compromise by casual passers-by. I use the normal stable of scanning tools, plus those of my own design, to get a sense for your network's internet "footprint".
The result of these brief reviews is a list of recommendations for steps that would improve your security (if any) and an overall assessment of risk. Occasionally the report will be accompanied by a suggestion that certain problem areas be investigated more fully, either by me or by your own staff.
A penetration test is where the tester attempts to gain access to private network resources: credit card numbers, medical records, confidential documents, and the like. The idea is that if the tester can get in, the bad guys can too, but the bad guys seldom report what they find. By taking proactive measures to shake out these weaknesses, your network becomes less attractive to the bad guys and they hopefully rattle doorknobs elsewhere.
These tests can be fully open or covert: in the latter circumstance, the tests are engaged by upper management or even company boards of directors. The idea is not only to test the network infrastructure, but network staff. If staff properly detects and repels the attempts, they pass the tests. But if they never saw anything, they fail. There have been cases when network staff has never known of the engagement even after the fact.
But more often these tests are fully open: ground rules are established (say, no denial-of-service attacks, and taking special care with production machines during normal business hours), and everybody knows what's being done.
In most cases, the tests are "blind": I'm not given any inside information about the constitution of the network, so I work with the same data that a bad guy would have. Of course, those with inside knowledge will likely have an edge in this respect, the point of a penetration test is to simulate a motivated but outside attacker.
Whether successful or not, a full report accompanies a penetration test that details the approaches that were taken and with suggestions for mitigation.
These are the most comprehensive of the three. They involve probing every possible access to the network, and these are almost always fully disclosed to the IT staff. Rather than simply trying to find one way in, the tester exercises all ways in. For even a moderate-sized enterprise, this can be a substantial effort.
It can be even more tedious if the customer suspects that a disgruntled former employee might have left himself "back door" access to the network: this requires looking in every nook and cranny, not just in the "usual" places for the "usual" services. These tests can run several weeks.
The first step is always information gathering: I attempt to locate all network resources, and this may be more than just the main T1 to the corporate office. Remote offices, offsite web hosting, even employees working at home via VPN connections: all are "interesting". To the extent that separate companies are trusted "partners", they are included as well.
The result of this step is what amounts to a spreadsheet listing every IP address that is in any way associated with the target. Sometimes the list is initialized by the customer ahead of time, while in other cases I am left to discover them myself. I often find resources that the customer didn't think to include.
The next step is typically an enumeration of open services on all the network resources, and this provides a roadmap for what is to follow. A very tightly battened-down network will expose very little to the outside world, and this greatly limits what an outsider can exploit, but more often than not there are services exposed that should not be.
Each of these is probed in turn, with results recorded for the final step, which is preparation of the report. These typically run many pages and include everything that was discovered. The topology worksheets, discovered passwords (if any), open services, and the like. An extensive narrative accompanies the data describing methodologies used and results found. Always included are an executive summary and recommendations.
A sample, sanitized report is available upon request.