About this iReport
  • Not verified by CNN

  • Posted March 31, 2014 by ITsecurity
    London, United Kingdom

    How to offer Penetration Testing Services




    Security professionals are not big on surprises, especially when those surprises involve weak security defenses, applications taken down, and stolen information. There are different ways to prevent such surprises, but the best is to think the way the culprits do, which means testing environments regularly. This is why penetration testing services are a profitable business opportunity for VARs (value-added resellers).


    Some customers are apprehensive about this security process. However, they should be reminded that this is exactly what attackers do: they test the customer’s security defenses every day. It is best to show customers the firewall logs so they can see how serious and persistent the attackers are.


    Ethics are unknown to attackers. They will do whatever it takes to break into any computer system or network defense. Therefore, customers should do the same to check whether the attackers have succeeded or not.


    There are four different testing services to help customers ensure that their network systems are fully protected from attacks.


    • Vulnerability Scans. This is a direct opportunity and a mature venture. One just needs to decide whether to resell a service such as Qualys’ or whether it is wiser to purchase a tool and run system and network scans oneself. Scanning is necessary and is perhaps the easiest security assurance process.

    • Infrastructure Pen Tests. This testing service uses live exploits, the "live ammunition" of the trade, delivered with tools such as Core Impact and Metasploit. To be efficient, the test should cause little disruption. In this process, all externally visible IP addresses are tested. These are exactly what the attackers see and what they want to penetrate. As conference room networks are perhaps the weakest components of a system or a network, they should also be tested.

    • Application Pen Test. For attackers, the most common goal is to break into the applications of a system or network. In fact, these applications are usually targeted directly. Popular web application scanners include AppScan from IBM and WebInspect from HP. It is also wise to invest in peopleware, that is, skilled testers who can exploit the logic errors of every application in the network. Human skill in such exploitation is still unparalleled. Once the initial application has been compromised, focus on the database, as it holds the most important files and information.

    • User Test. This is something that testers will actually like. Most testers find it fun to see how gullible other users are. This type of testing ranges from sending fraudulent emails to customer service representatives to walking past the receptionist or security. It also involves other techniques, such as dropping thumb drives in unlikely places and waiting to see who will plug them into their computers.



    Everyone will learn a lot as they go along with offering and using penetration testing services. Testers will learn which methods are effective and which are not. Customers will realize the importance of testing. Lastly, the value-added reseller helps strengthen network or system security and builds strong relationships with customers.


    Four courses, please have a look at:

    ECSA - EC-Council Security Analyst and Licensed Penetration Tester

    IT Risk Management & Security Training Courses (PCRIM)

    CRISC ISACA Certification Courses

    ENSA - Network Security Administrator Training Courses


    PKI - Public Key Infrastructure Certification & Training Course
