Penetration Testing

We offer comprehensive penetration testing to secure your information assets from attackers both inside and outside your Infrastructure. A critical complement to vulnerability scanning, penetration testing proves the extent to which vulnerabilities can be exploited by emulating what a hacker may do in a controlled and methodical manner. Our reports are manually written for a complete risk perspective. We offer:

-Black Box Testing (Zero Knowledge)
-White Box Testing (Complete Knowledge)
-Gray Box Testing (Combination of Both of the above)

An Example Assessment Model used:

1. EXTERNAL NETWORK SECURITY ASSESSMENT

This phase ensures the network devices protecting the Web servers are configured correctly including border facing routers, switches and firewalls.

This will involve the following:

-Network Discovery
-Network Configuration
-Vulnerability Identification

Exploitation Testing: This includes documentation and video footage to demonstrate the effectiveness of the attack.

Optional: Social Engineering and Physical Security Assessment

2. SECURITY ASSESSMENT SERVER OPERATING SYSTEMS AND WEB SERVERS

In order to assess the security of the server operating systems and web server software, the following phases of the Security Assessment methodology will be undertaken using CLIENT Policy and NSA Standards.

-Operating Security Controls
-Web Server Security Controls
-Vulnerability Identification

Exploitation Testing: This includes documentation and video footage to demonstrate the effectiveness of the attack.

3. SECURITY ASSESSMENT WEB APPLICATIONS

The final phase is where the majority of hacking attacks take place. Analysis of cookies, code inspection, encryption types, randomness, input validation will be carefully analyzed. These attacks are not stopped by firewalls and are now 70% of all hacker successful attacks.

-Code Inspection
-Administrative Interfaces
-Authentication and Access Control
-Configuration Management
-Input Validation
-Parameter Manipulation
-Session Management
-Business Logic -Determine whether business logic controls can be bypassed
-Links - Review of any links to other CLIENT Servers including middleware/database servers

4. INTERNAL ONSITE PENETRATION TEST

This uses the above model, to perform an in-depth internal assessment.

Ref: https://www.unifiedkillchain.com/assets/The-Unified-Kill-Chain.pdf

Penetration Testing

-Black Box Testing (Zero Knowledge)

-White Box Testing (Complete Knowledge)

-Gray Box Testing (Combination of Both of the above)

1. EXTERNAL NETWORK SECURITY ASSESSMENT

-Network Discovery

-Network Configuration

-Vulnerability Identification

2. SECURITY ASSESSMENT SERVER OPERATING SYSTEMS AND WEB SERVERS

-Operating Security Controls

-Web Server Security Controls

-Vulnerability Identification

3. SECURITY ASSESSMENT WEB APPLICATIONS

-Code Inspection

-Administrative Interfaces

-Authentication and Access Control

-Configuration Management

-Input Validation

-Parameter Manipulation

-Session Management

-Business Logic -Determine whether business logic controls can be bypassed

-Links - Review of any links to other CLIENT Servers including middleware/database servers

4. INTERNAL ONSITE PENETRATION TEST