Penetration Testing

Penetration testing, often required by an organization's security audits, is an integral activity for gauging how well an organization resists security breaches. When performed by a contracted firm, or "Red Team," a penetration test gives the organization's security personnel real experience in dealing with intrusions. Like a fire drill, it forces them to develop an effective, working strategy for handling unexpected attacks.

Pen testing engagement areas include:

  • Network Services
  • Web Application
  • Client Side
  • Physical
  • Wireless
  • Social Engineering
  • PLC/Alarm controls

The Types of Penetration Tests

We offer many types of pen testing services and also encourage crowdsourcing for application pen testing:

Black Box Testing

In a real-world cyber attack, the attacker usually does not know the ins and outs of a corporation's IT infrastructure. Instead, they probe it from the outside, enumerating exposed services and trying to find a weakness to latch onto. In this type of pen test the tester is likewise given no information about the internal workings of the web application, its source code or its software architecture. Such a test can therefore take a long time to complete, so the tester often relies on automated scanning to help uncover weaknesses and vulnerabilities, followed by manual verification of what the tools report. This type of test is also referred to as the "trial and error" approach.

Examples of network-based black box testing:

  • Firewall configuration testing
  • Stateful analysis testing
  • Firewall bypass testing
  • IPS evasion
  • DNS attacks
  • Secure Shell (SSH) services
  • Microsoft SQL Server
  • MySQL
  • File Transfer Protocol (FTP) services
  • Simple Mail Transfer Protocol (SMTP) services
  • External login pages

White Box Testing

In this type of pen test, also known as "Clear Box Testing," the tester has full knowledge of, and access to, the source code and software architecture of the web application. Because of this, a white box test can be completed in a much shorter time frame than a black box test, and it can be far more thorough. The approach also has disadvantages. First, since the tester has complete knowledge, it can take more time to decide which systems and components to focus on. Second, it requires more sophisticated tools, such as static code analyzers and debuggers.

Gray Box Testing

As the name implies, this type of test combines the black box and white box approaches: the penetration tester has only partial knowledge of the internal workings of the web application, typically limited to items such as system architecture diagrams, selected parts of the code or a set of test credentials, rather than full source access. With a gray box test, both manual and automated testing processes can be used. The tester can focus their main efforts on the areas of the web application they know the most about and, from there, exploit any weaknesses or vulnerabilities. With this method there is a higher probability that hard-to-find "security holes" will also be discovered.

The Penetration Testing Teams

Very often, when it comes to pen testing, the image of a single person doing the test is conjured up. But keep in mind that the best pen testing happens when multiple testers are used and are broken down into three teams, as follows:

The Red Team

The Red Team consists of the actual pen testers. Their primary goal is to mimic or emulate the mindset of an attacker, trying to break through all of the weaknesses and vulnerabilities that are present. In other words, it is the Red Team that attacks on every front possible.

The Blue Team

The Blue Team is personnel from within the business itself, typically the IT security team, whose primary goal is to detect, thwart and defend against the Red Team's attacks. Anybody participating on the Blue Team must maintain a mindset of constant proactiveness and vigilance in defending the corporation against any and all attacks. The Red Team and Blue Team can be viewed as two sides of the same coin, or the Yin and the Yang. Their combined goal is to enhance the security posture of the corporation on a constant basis by sharing feedback with one another. However, this does not always happen, hence the need for the Purple Team.

The Purple Team

The Purple Team can be viewed as a composite of the Red Team and the Blue Team. It takes the security controls and tactics of the Blue Team together with the weaknesses and vulnerabilities discovered by the Red Team, and translates them into one single narrative that can be shared across all of the teams to implement a policy of continuous security improvement for the corporation. In other words, the Purple Team is literally the "bridge" between the Red Team and the Blue Team, helping to instill a sense of continuous integration between the two. To ensure that the Purple Team provides the most robust lines of communication and information, it should remain a separate, neutral entity, so there is no bias.

News & Events

Bringing together information security end-users, analysts, policy-makers, vendors and service providers, join us at our 2017 events. We would love to meet you in person.

Stay Tuned...

Products

Products are tools that enable people to achieve goals. In order for products to be effective, the people managing them must implement and use them appropriately. This requires technical personnel and non-technical personnel to communicate effectively while working toward solving the same problem. Collaboration is key to mapping technical specifications to business functionality in an efficient manner.

The Open Group Architecture Framework (TOGAF)

TOGAF has its origins in the U.S. Department of Defense. It provides an approach on how to design, implement, and govern an enterprise information architecture.

TOGAF is a framework that can be used to develop the following architecture types:

  • Endpoint Technology (BYOD)
  • Security Cloud Integrations
  • Automation Cloud Integrations
  • IDS/IPS Integrations
  • Encryption
  • Load Balancing

Endpoint security is the process of securing the various endpoints connected to your network, usually defined as end-user devices such as mobile devices, laptops and desktop PCs, although servers in a data center are also considered endpoints. It is a best practice required by security compliance frameworks and attestation standards such as PCI DSS, ISO 27001 and SSAE 16.

Centrify

Centrify’s identity service improves end-user productivity and secures access to cloud, mobile and on-premises applications via single sign-on (SSO), user provisioning and multi-factor authentication (MFA). Centrify supports internal users (employees, contractors) and external users (partners, customers), and manages applications, mobile devices, and Macs via Active Directory and LDAP. It can be deployed in the cloud or on-premises.

OSSEC/Wazuh

OSSEC/Wazuh is a free, open-source host-based intrusion detection system (HIDS). It performs log analysis, file integrity checking, Windows registry monitoring, rootkit detection, time-based alerting and active response. It provides intrusion detection for most operating systems, including Linux, OpenBSD, FreeBSD, macOS, Solaris and Windows. OSSEC/Wazuh has a centralized, cross-platform agent/manager architecture that allows multiple systems to be monitored and managed easily.

WebRoot

WebRoot SecureAnywhere® Business Endpoint Protection provides security for servers, VMs, PCs and Mac devices, and protection against infections and data theft, without sacrificing performance or productivity.

Sophos AV

Sophos Endpoint doesn't rely solely on signatures to catch malware, which helps it catch zero-day threats; it provides security for servers, VMs, PCs and Mac devices.

Ansible

Ansible is an open-source platform for configuring and managing computers. It combines multi-node software deployment, ad hoc task execution and configuration management. It manages Linux nodes agentlessly over SSH, and Windows nodes over WinRM (PowerShell remoting).

LabTech

LabTech can take care of any repetitive IT maintenance task or process, monitor mission critical network components, run auto-remediation programs, and much more.

Regardless of its age, any web application is vulnerable to security exploits. Robust IDS/IPS solutions such as those built into Security Onion detect attempted attacks (and, when deployed inline, can block them) and should be incorporated into a larger, layered security approach. Security Onion is evolving quickly and adding new tools on a regular basis, thanks to its very active and growing user base. It is a distributed platform that allows any security analyst to configure and run an intrusion detection system with full monitoring and reporting capabilities in a matter of minutes.

We provide Network Detection System Integrations with the features below:

  • Full Network Analysis
  • PCI DSS Compliance Benchmarks
  • Security Hardening Benchmarks
  • Vulnerability Benchmarks
  • Full Packet Capture Analysis-Driven Network Intrusion Detection
  • Snort or Suricata Rule-Driven Intrusion Detection
  • Real-time, Event-Driven Intrusion Detection
  • Time-Based Alerting
  • Threat Intelligence Feeds

ZeroKit

ZeroKit is a zero knowledge auth + end-to-end encryption SDK: all your apps need to keep user data secure in the cloud.
 
User authentication, channel encryption (HTTPS) and at-rest encryption are the technologies that keep data secure in internet apps. At the beginning of every software project, developers build a custom solution to make these three technologies work together, and the result is often software that is vulnerable to attacks such as:
 
  • Typically, hash-based user authentication is used. Where the stored password hash is itself accepted as the credential (as in NTLM), an attacker who obtains the hash can log in as the user with a "pass the hash" attack, without ever knowing the password
  • Passwords are stored with a fast, unsalted hash, so a leaked user database falls to brute-force, dictionary and rainbow-table attacks. A per-user random salt is meant to be stored alongside the hash and is not a secret; it only helps in combination with a slow, iterated hash
  • The secure web traffic (HTTPS) is decrypted on the web server, exposing sensitive data in log files or to zero-day exploits against the server
  • At-rest encryption stores the encryption key on disk or in a database, so a compromise of the server exposes the key and, with it, the sensitive data.
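To make the first two bullets concrete, here is an added example in Python (not ZeroKit's code or any vendor's) contrasting a weak scheme, in which the client sends an unsalted MD5 digest and the server accepts any matching digest, with a hardened one using PBKDF2-HMAC-SHA256, a random per-user salt stored alongside the derived key, and a constant-time comparison. The sample passwords and the record format "pbkdf2_sha256$iterations$salt$hash" are constructed for the example; the default iteration count follows current OWASP guidance.

```python
import hashlib
import hmac
import os

# --- Weak scheme (for contrast): unsalted MD5 computed by the client and
# compared by the server. The stored digest is itself the credential, so anyone
# who reads the user table can "pass the hash" without knowing the password.

def weak_register(password: str) -> str:
    """Store an unsalted MD5 digest of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def weak_login(stored_digest: str, submitted_digest: str) -> bool:
    """Accept whatever digest the client sends and compare it to the stored one."""
    return stored_digest == submitted_digest

# --- Hardened scheme: the server receives the plaintext password over TLS,
# derives a key with PBKDF2-HMAC-SHA256 and a random per-user salt, and stores
# algorithm, iteration count, salt and derived key together. The salt is not a
# secret; storing it next to the hash is by design.

DEFAULT_ITERATIONS = 600_000  # OWASP (2023) guidance for PBKDF2-HMAC-SHA256

def strong_register(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def strong_login(record: str, password: str) -> bool:
    """Re-derive the key from the submitted plaintext and compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    except ValueError:  # malformed record (wrong field count, bad hex, bad int)
        return False
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def demo(iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Exercise both schemes on constructed sample users and report what each allows."""
    shared = "correct horse battery staple"          # constructed sample password
    alice_weak, bob_weak = weak_register(shared), weak_register(shared)
    alice_strong = strong_register(shared, iterations)
    bob_strong = strong_register(shared, iterations)
    return {
        # Same password gives the same digest: a leaked table is a lookup-table job.
        "weak_same_password_same_digest": alice_weak == bob_weak,
        # A leaked digest logs the attacker straight in (pass the hash).
        "weak_leaked_digest_logs_in": weak_login(alice_weak, alice_weak),
        # Per-user salt: same password, different stored records.
        "strong_same_password_different_record": alice_strong != bob_strong,
        "strong_correct_password_accepted": strong_login(alice_strong, shared),
        "strong_wrong_password_rejected": not strong_login(alice_strong, "Tr0ub4dor&3"),
        # Replaying the stored record (salt + hash) as the password does not work.
        "strong_leaked_record_rejected": not strong_login(alice_strong, alice_strong),
    }

if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The point of the hardened record is that the salt is public by design: feeding the whole stored record back as the "password" fails, because the server re-derives the key from the plaintext instead of comparing digests. The weak scheme fails twice over: users with the same password share a digest, and the digest itself is accepted as the login token.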
 
ZeroKit is web security reimagined: a technology that integrates user authentication, channel encryption and at-rest encryption into one SDK that can't be taken apart. ZeroKit uses an authentication technology that does not rely on password hashes and is therefore less vulnerable to these attacks. For logged-in users, ZeroKit seamlessly encrypts user data on client devices (in mobile apps or in web browsers) at the time the data is created; it keeps the data encrypted in transit and at rest until it is displayed on another user's device. No server code (unless specifically granted access) and no cloud provider can see user data.

ZeroKit can be integrated into any mobile or web app, and can eliminate whole classes of server-side hacks and password breaches.
 
In recent news, the ZeroKit team announced a collaboration with Apple, protecting patient data in healthcare apps.

NGINX

NGINX is a software-based reverse proxy, web server, load balancer, SSL/TLS termination point and media streaming server.

NGINX is distributed with an “open core” model:

  • NGINX F/OSS is completely free and open source, with source code freely distributed
  • NGINX Plus adds additional features, is fully compiled for multiple platforms, with enterprise-level support

NGINX is featured in Gartner’s Magic Quadrant for Application Delivery Controllers. 

NGINX Use Cases:

  • Replace legacy hardware load balancers/application delivery controllers (such as F5 BIG-IP or Citrix NetScaler).
  • Support digital transformation, with NGINX and the NGINX WAF in front of the applications: moving infrastructure from on-premises to Amazon AWS / Microsoft Azure / Google Cloud Platform, and refactoring monolithic applications into microservices.
  • Load balancing AWS/Azure web applications.


Contact

Talk to us to learn more about our philosophy, services and products.


Regulatory Compliances

We facilitate audits and develop policies and procedures to ensure full compliance.
We start with a baseline and a pre-assessment to gather information for a gap analysis.
We develop key performance indicators (KPIs) to measure progress and gain traction toward compliance.

  • PCI DSS
  • ISO 27001
  • SSAE 16 SOC 1 and SOC 2 reporting
    • SOC 1 Type 1: A design-of-controls report, evaluating and reporting on the design of controls placed in operation as of a specific point in time.
    • SOC 1 Type 2: Includes the design and testing of controls, reporting on their operating effectiveness over a defined period (typically six to twelve months).
    • SOC 3: A general-use report that falls under the SysTrust and WebTrust seal programs and does not contain a description of the service auditor's tests or their results.
  • Organizational policy
  • Acceptable use policy
  • Risk management policy
  • Vulnerability management policy
  • Data protection policy
  • Access control policy
  • Business continuity policy
  • Log aggregation and auditing policy
  • Personnel security policy
  • Physical security policy
  • Secure application development policy
  • Change control policy
  • E-mail policy
  • Incident response policy

Security DevSecOps

In many organizations today, the DevOps team and the InfoSec team work closely and innovatively as peers. This is both an advantage over, and an evolution of, the traditional requester/approver relationship between the two groups, and it gives security professionals a bigger presence. This collaborative team identifies itself as DevSecOps: the alliance through which operations, engineering and security are brought together productively.

DevSecOps allows forward-thinking organizations to align traditionally contradictory teams with disparate goals. The resulting synergies let security practice keep pace with a continuously changing threat landscape: problems are detected sooner, fixes are implemented faster, and resources are protected more effectively.

We provide Host-Based Intrusion Detection Integrations with the features below:

  • Comprehensive Log Analysis
  • PCI DSS Compliance Benchmarks
  • Security Hardening Benchmarks
  • Vulnerability Benchmarks
  • File Integrity Monitoring, with file hashes checked against VirusTotal (MD5 lookup)
  • Windows Registry Monitoring
  • Rootkit Detection
  • Time-Based Alerting
  • Active Response
  • Integrated Threat Intelligence Feeds
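As an added illustration of the file integrity monitoring feature (this is example code written for this page, not OSSEC/Wazuh's own implementation), the following Python builds a baseline of SHA-256 hashes, sizes and permission bits over a directory tree, then classifies later changes as added, removed, modified or permission-changed, which is how a HIDS would alert on them. The directory contents are constructed inside a temporary directory. MD5 is computed only as a lookup key for services such as VirusTotal; the comparison itself uses SHA-256, because MD5 collisions make it unsafe as integrity evidence.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path: Path) -> dict:
    """Stream the file once, producing SHA-256 (integrity evidence) and MD5
    (VirusTotal lookup key only), plus size and permission bits."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            sha256.update(chunk)
            md5.update(chunk)
    st = path.stat()
    return {"sha256": sha256.hexdigest(), "md5": md5.hexdigest(),
            "size": st.st_size, "mode": st.st_mode & 0o777}

def snapshot(root: Path) -> dict:
    """Baseline: relative path -> attributes for every regular file under root."""
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict) -> dict:
    """Classify changes: added, removed, modified (content differs) and
    mode_changed (same content, different permission bits)."""
    report = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            report["added"].append(rel)
        elif new is None:
            report["removed"].append(rel)
        elif old["sha256"] != new["sha256"]:
            report["modified"].append(rel)
        elif old["mode"] != new["mode"]:
            report["mode_changed"].append(rel)
    return report

def demo() -> dict:
    """Build a constructed directory tree, take a baseline, simulate post-intrusion
    changes and return the resulting report (POSIX permission semantics assumed)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "ssh_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "ssh_config").chmod(0o600)
        (root / "bin" / "ls").write_bytes(b"\x7fELF-original")
        (root / "bin" / "ls").chmod(0o755)
        baseline = snapshot(root)

        # Constructed changes after the baseline was taken
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/bash\nevil:x:0:0::/:/bin/sh\n")  # uid-0 user added
        (root / "bin" / "ls").write_bytes(b"\x7fELF-trojaned")          # binary replaced
        (root / "etc" / "hosts").unlink()                                # file removed
        (root / "tmp").mkdir()
        (root / "tmp" / "backdoor.sh").write_text("#!/bin/sh\necho dropped\n")  # file dropped
        (root / "etc" / "ssh_config").chmod(0o666)                       # permissions loosened
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In production the baseline would be stored off-host (or signed), since an intruder with root can rewrite a local baseline as easily as the files it covers; a real agent also watches the baseline for exactly the kind of permission loosening shown on ssh_config.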

Black Cat’s Principles

Confidentiality
  • Ensures that data or an information system is accessed only by authorized persons. User IDs and passwords, access control lists (ACLs), encryption and policy-based security are some of the methods through which confidentiality is achieved.
Integrity
  • Integrity assures that the data or information system can be trusted: it is modified only by authorized persons and otherwise remains in its original state, at rest and in transit. Cryptographic hashes, message authentication codes (MACs) and digital signatures are the key mechanisms for detecting unauthorized modification; encryption on its own does not provide integrity, since encrypted data can often be altered without knowing the key.
Availability
  • Data and information systems are available when required. Hardware maintenance, redundancy, software patching/upgrading, tested backups and network optimization ensure availability.
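To show why encryption alone does not give integrity, here is an added example in Python (not from the original page): a toy counter-mode stream cipher built from HMAC-SHA256 stands in for AES-CTR, and a bit-flipping attack rewrites the amount in an encrypted record without the key. The same tampering is then caught by an encrypt-then-MAC construction using HMAC-SHA256. The keys, nonce and the record "transfer;to=alice;amount=0100" are constructed for the example; the stream cipher is for demonstration only.

```python
import hashlib
import hmac
import os
from typing import Optional

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256 (demonstration only; AES-CTR
    and ChaCha20 are malleable in exactly the same way)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR with the keystream: confidentiality only, no integrity."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))

decrypt = encrypt  # XOR is its own inverse

def flip_field(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Bit-flip attack: change plaintext bytes at a known offset without the key,
    using only knowledge of the original plaintext value there."""
    assert len(known) == len(wanted)
    ct = bytearray(ciphertext)
    for i, (a, b) in enumerate(zip(known, wanted)):
        ct[offset + i] ^= a ^ b
    return bytes(ct)

def seal(key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext."""
    nonce = os.urandom(16)
    ct = encrypt(key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key: bytes, mac_key: bytes, blob: bytes) -> Optional[bytes]:
    """Verify the tag in constant time before decrypting; None means tampered."""
    if len(blob) < 16 + 32:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt(key, nonce, ct)

def demo() -> dict:
    key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    message = b"transfer;to=alice;amount=0100"   # constructed sample record
    offset = message.index(b"amount=") + len(b"amount=")

    # 1. Encryption only: the attacker rewrites the amount inside the ciphertext.
    ct = encrypt(key, nonce, message)
    forged_ct = flip_field(ct, offset, b"0100", b"9900")
    forged_plain = decrypt(key, nonce, forged_ct)

    # 2. Encrypt-then-MAC: the same tampering is detected before decryption.
    blob = seal(key, mac_key, message)
    tampered = blob[:16] + flip_field(blob[16:-32], offset, b"0100", b"9900") + blob[-32:]
    return {
        "forged_plaintext": forged_plain,
        "authentic_opens": open_sealed(key, mac_key, blob) == message,
        "tampered_rejected": open_sealed(key, mac_key, tampered) is None,
    }

if __name__ == "__main__":
    print(demo())
```

The forged record decrypts cleanly to an amount of 9900 even though the attacker never saw the key or the plaintext; only the MAC, checked before anything is decrypted or acted upon, turns the modification into a detectable event. In practice an AEAD mode such as AES-GCM or ChaCha20-Poly1305 packages both properties together.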

Risk Management

A Virtual CISO is flexibly designed to help meet the security requirements of your organization without the prohibitive cost of a salaried CISO. This is a strategically sound approach for small and medium-sized businesses that simply don't require the extensive security operations of large enterprises.

Policy

A Virtual CISO helps ensure your organization maintains a thorough and well-defined portfolio of security policies and disaster recovery plans, and updates those policies as your technology and strategic plans evolve.

Guidelines

A Virtual CISO can help your organization develop a wide range of guidelines for data security, use of information systems, and governance of access controls: rules about who may access what, and when.

Standards and Compliance

As regulatory agencies continuously address new developments in the cybersecurity arena, the regulations for information security can change significantly in a short period of time. A Virtual CISO helps ensure your organization stays current and compliant with the latest requirements.

Reporting

Your organization is expected to report regularly on its practices for managing and mitigating key information security concerns, such as GLBA or vendor management, as part and parcel of its compliance efforts. With a Virtual CISO, your organization can ensure that its reporting is thorough, compliant and reliable.

Services

Protect your data from increasingly complex information security threats with our Information Security Services:


Threat Intelligence

Signature-based intrusion detection is one of the most common ways threat intelligence is put to use, but it is not effective against every type of threat, weakness or vulnerability.


Security Assessment

A proper assessment of an organization's security posture must be performed at the network level and at the OS and application levels.


Accidental data leakage

This is also called a data breach: sensitive data is transmitted to, or viewed by, an unauthorized individual.

Malware

Trojans, ransomware, malware delivered through Office documents, worms, viruses, etc.

Identity Theft

Falsely using someone else's private information for personal gain.

Malicious access of data

An employee's device, including a personal (BYOD) device, is misplaced or stolen, exposing private data to whoever holds it.

Insider Threat

Stealing sensitive corporate data for business advantage or personal gain.

Weak passwords

Single points of verification like passwords can easily be guessed, cracked or phished by savvy hackers.

Social engineering

Hackers manipulate employees into installing malware on their own systems or handing over their credentials.

Loss/corruption of data

The integrity of your data has been compromised somewhere in the writing, reading, storage, transmission, or processing cycle.

Misconfigured systems

A web server, application or plug-in has been misconfigured in a way that inadvertently leaks information or gives hackers an entry point into your business's software or OS.

Outdated operating system

Operating systems advance every year to meet new security needs, and vendors stop issuing security patches for end-of-life versions, leaving known vulnerabilities exploitable.

Lack of encryption

Not encrypting your data is the equivalent of leaving your wallet in an unlocked car with the windows down.

Equipment failures

Hardware such as disks, power supplies and network equipment fails; without redundancy and tested backups, a single failure becomes an outage or permanent data loss.

Unpatched vulnerabilities

Vulnerabilities arise with every software addition to your environment; hackers locate the flaw, glitch or weakness and create exploits targeting it until a patch is applied.

Untrained employees

No security feature can account for human error.