
Penetration Testing

What is Penetration Testing?

Penetration testing, often referred to as ethical hacking or pen testing, is a cybersecurity practice that involves simulating a cyberattack on a computer system, network, or application to identify vulnerabilities and weaknesses. The goal of pen testing is to assess the security of the target system by attempting to exploit potential vulnerabilities in a controlled and ethical manner.

Which facility types would benefit from Penetration Testing?


  • VFX

  • Animation

  • Live Action

  • Post Production

  • Subtitle and Dubbing

  • Replication and Distribution

  • Broadcasters

  • Cinemas

  • TV Stations

  • Radio Stations

  • Video Streaming Services

  • Music Streaming Services

  • Digital Asset Management Platforms

  • Cloud Render Platforms

  • Gaming Platforms

  • Digital Publishing Platforms


Why does my facility need to conduct Penetration Testing?

Pen testing is a crucial component of a comprehensive cybersecurity strategy. It helps your business stay ahead of potential threats, comply with guidelines and regulations, and maintain a robust security posture in an ever-evolving threat landscape. If you are considering completing a TPN Blue or Gold Shield Assessment or are about to be assessed directly by an MPA, CDSA, or ACE member studio content owner such as Disney or Netflix, then you must provide evidence that you have conducted a penetration test in the preceding 12 months. 

Vulnerability Scanning vs Penetration Testing?

So what are the differences between vulnerability testing and pen testing? In a nutshell, vulnerability scanning is generally automated and focuses on identifying potential system weaknesses, while penetration testing involves active attempts to exploit vulnerabilities and provides a deeper understanding of a system's security posture. Vulnerability scanning and pen testing are both important cybersecurity practices, but they serve different purposes and involve distinct methodologies:

Vulnerability Scanning

  • Objective: The primary goal of vulnerability scanning is to identify and locate potential security vulnerabilities in a system or network.

  • Methodology: Automated tools are used to scan a network, system, or application for known vulnerabilities. These tools compare the system's configuration and software versions against a database of known vulnerabilities to identify potential weaknesses.

  • Depth: Vulnerability scanning is usually automated and provides a broad overview of potential vulnerabilities. It may not provide in-depth information on the exploitation of vulnerabilities or the impact of potential attacks.

  • Frequency: Vulnerability scanning can be performed regularly as part of a proactive security strategy.

Penetration Testing

  • Objective: Penetration testing involves simulating real-world cyberattacks to actively assess the security of a system or network.

  • Methodology: Skilled cybersecurity professionals use a variety of tools and techniques to exploit vulnerabilities identified in a system. The goal is to understand the extent to which unauthorised access or data breaches can occur and to provide recommendations for improving security.

  • Depth: Penetration testing goes beyond vulnerability scanning by actively attempting to exploit identified vulnerabilities. This includes assessing the impact of potential security breaches and evaluating the effectiveness of existing security controls.

  • Frequency: Penetration testing is typically conducted periodically, often after major system changes or as part of a comprehensive security assessment.

MPA Content Security Best Practices control requirements

Wisely's pen testing services are designed to meet the following control requirements of the MPA Content Security Best Practices v5.2, provided the controls are applicable and in scope:

  • PS-4.2 [Physical Security / Monitoring / Data Centres, Co-locations & Cloud Providers]
    Penetration testing to include all and any relevant networks and systems located in data centres, co-locations, and with cloud service providers

  • TS-2.9 [Technical Security / Network Security / Remote Access]
    Penetration testing to include all and any Work From Home / Remote Working environments from where remote access to systems and networks is initiated

  • TS-4.0 [Technical Security / Vulnerability Management / Vulnerability Management]
    Regular vulnerability scanning of internal and external networks, production networks, non-production networks, virtual machines, containers and APIs or after any major infrastructure or application change

  • TS-4.1 [Technical Security / Vulnerability Management / Penetration Testing]
    Annual penetration testing to cover all external IP ranges, hosts, web applications, and APIs incorporating unauthenticated and authenticated scanning across multiple network segments and locations or after any major infrastructure or application change.

Penetration Testing Service Pricing

Wisely's pen testing service package pricing is summarised below. Prices are in Australian Dollars (AUD) and exclusive of GST. The actual penetration testing is conducted by Radiant Security utilising Certified Ethical Hackers domiciled in Australia.

Pen Test

  • Price Estimate: $2,200-$4,000

  • Description: For facilities with a handful of public IPs, no DMZ, no VPN remote access, and no Internet-facing services.

  • Total IPs/Hosts: 1-5

  • Delivery Timeframe: 3 Business Days

  • Applicable Controls: TS-4.0, TS-4.1

Pen Test

  • Price Estimate: $4,000-$7,500

  • Description: For facilities with a small number of public IPs, optional DMZ and Internet-facing services, optional remote access (e.g. VPN, PCoIP).

  • Total IPs/Hosts: 6-30

  • Delivery Timeframe: 5-10 Business Days

  • Applicable Controls: TS-2.9, TS-4.0, TS-4.1

Pen Test

  • Price Estimate: $7,500-$10,000

  • Description: For facilities with a larger number of public IPs spread across multiple on-premises facilities, data centres, co-location centres, and cloud infrastructures.

  • Total IPs/Hosts: 31-100

  • Delivery Timeframe: 10+ Business Days

  • Applicable Controls: PS-4.2, TS-2.9, TS-4.0, TS-4.1

Pen Test

  • Price Estimate: $10,000+

  • Description: For facilities with a complex Internet-facing presence offering distributed remote access, and multiple Internet-facing services, on-premises facilities, data centres, co-locations, and cloud infrastructures.

  • Total IPs/Hosts: 100+

  • Delivery Timeframe: 10+ Business Days

  • Applicable Controls: PS-4.2, TS-2.9, TS-4.0, TS-4.1

Penetration Test Procedure

To complete a successful pen test, the following action items will need to occur:

  • Review and sign a mutual bi-directional NDA between your business and Wisely

  • Conduct a 30-minute discovery meeting with your business's stakeholders to confirm the scope and timeframe of the pen test

  • Wisely will submit an invoice for payment of the services. Payment and payment milestones are subject to the scope of work and delivery timeframe

  • Schedule when the penetration testing will occur

  • Conduct the pen testing. This typically involves a series of steps including planning, reconnaissance, scanning, enumeration, vulnerability analysis, exploitation, and post-exploitation assessment. Temporary configuration changes may need to be made to your infrastructure and systems to allow the testing to be conducted successfully. These changes will need to be rolled back once testing has concluded

  • Document findings and prepare recommendations in a report

  • Submission of the report to stakeholders for mutual review

  • Cleanup and remediation meeting.

Penetration Testing Deliverables

Wisely will deliver a comprehensive pen test report containing the following items at a minimum:

  • Scope and definitions

  • Testing methodology

  • Penetration testing results

  • Vulnerability testing results

  • A list of encountered vulnerabilities

  • Risk rating of each encountered vulnerability (CVE/CVSS)

  • Vulnerability exploitability

  • Remediation steps and recommendations.
