Penetration Testing

Penetration testing, often required by an organization’s security audits, is an integral activity for gauging how well the organization resists a real intrusion. When it is performed by a contracted firm acting as a “Red Team,” the test also gives the organization’s own security personnel hands-on experience in dealing with an intrusion. Like a fire drill, it forces them to develop and exercise a working strategy for responding to an unexpected attack.

Areas typically covered by a penetration test are:

  • Network Services
  • Web Application
  • Client Side
  • Physical
  • Wireless
  • Social Engineering
  • PLC/Alarm controls

The Types of Penetration Tests

We offer several types of pen testing services and also encourage crowdsourced application pen testing:

Black Box Testing

In a real-world cyber attack, the attacker usually does not know the ins and outs of the target’s IT infrastructure. He or she has to discover it from the outside, enumerating exposed hosts and services and probing each one for a weakness to latch onto. A Black Box test reproduces that situation: the tester is given no information about the internal workings of the target, its source code, or its software architecture. Because every fact has to be discovered, this type of test can take a long time, so the tester usually relies on automated scanning to cover the attack surface before spending manual effort on what it turns up. Automation does not uncover everything, which is why this type of test is also referred to as the “trial and error” approach.

Examples of network-based black box testing:

  • Firewall configuration testing
  • Stateful packet inspection testing
  • Firewall bypass testing
  • IPS evasion
  • DNS attacks
  • Secure Shell (SSH)
  • Microsoft SQL Server
  • MySQL
  • File Transfer Protocol (FTP)
  • Simple Mail Transfer Protocol (SMTP)
  • External login pages
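The first step against the exposed services in the list above is to identify what is actually listening, which for SSH, FTP, SMTP and MySQL can be done without sending a single byte, because all four servers speak first. The following is an added example written for this page, not the firm’s tooling: it parses the first read from each service into product and version. The banners are constructed samples, not captures from any real host, and the host, port and function names are the example’s own.

```python
import re
import socket

# Constructed sample first-reads from four "server speaks first" services.
# These are made-up banners for illustration, not captures from any real host.
SAMPLE_BANNERS = {
    "ssh": b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n",
    "ftp": b"220 (vsFTPd 3.0.5)\r\n",
    "smtp": b"220 mail.example.test ESMTP Postfix\r\n",
    # MySQL handshake v10: 3-byte little-endian payload length, 1-byte sequence id,
    # protocol version byte 0x0a, then a NUL-terminated server version string.
    "mysql": b"\x1d\x00\x00\x00\x0a8.0.32-0ubuntu0.22.04.2\x00\x05\x00\x00\x00",
}


def classify_banner(data: bytes) -> dict:
    """Identify service/product/version from the first bytes a server sends."""
    # MySQL is binary: 4-byte packet header (sequence id 0) then protocol version 10.
    if len(data) > 5 and data[3] == 0 and data[4] == 0x0A:
        payload_len = int.from_bytes(data[0:3], "little")
        version = data[5:].split(b"\x00", 1)[0].decode("ascii", "replace")
        return {"service": "mysql", "product": "MySQL", "version": version,
                "payload_len": payload_len}

    text = data.decode("ascii", "replace").strip()

    # SSH identification string: SSH-protoversion-softwareversion [comments]
    m = re.match(r"SSH-(?P<proto>[\d.]+)-(?P<sw>\S+)", text)
    if m:
        product, _, version = m.group("sw").partition("_")
        return {"service": "ssh", "product": product, "version": version,
                "protocol": m.group("proto")}

    # FTP and SMTP both greet with a 220 line; SMTP greetings advertise (E)SMTP.
    if text.startswith("220"):
        tokens = text.split()
        if any(t in ("ESMTP", "SMTP") for t in tokens):
            idx = max(i for i, t in enumerate(tokens) if t in ("ESMTP", "SMTP"))
            product = tokens[idx + 1] if idx + 1 < len(tokens) else ""
            return {"service": "smtp", "product": product, "version": "", "greeting": text}
        m = re.search(r"\(?([A-Za-z][\w-]*)\s+(\d[\w.]*)\)?", text[3:])
        product, version = (m.group(1), m.group(2)) if m else ("", "")
        return {"service": "ftp", "product": product, "version": version, "greeting": text}

    return {"service": "unknown", "product": "", "version": "", "greeting": text}


def grab_banner(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Connect and read whatever the server volunteers; send nothing.

    Works for SSH, FTP, SMTP and MySQL, which all speak first. It will NOT
    work where the client must speak first, e.g. Microsoft SQL Server (TDS)
    or HTTP; those need a protocol-specific probe."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            return sock.recv(1024)
        except socket.timeout:
            return b""


def fingerprint_all(banners: dict) -> dict:
    """Classify a mapping of label -> raw banner bytes."""
    return {label: classify_banner(raw) for label, raw in banners.items()}


if __name__ == "__main__":
    for label, info in fingerprint_all(SAMPLE_BANNERS).items():
        print(f"{label:6s} -> {info['service']:7s} {info['product']} {info['version']}")
```

In a live engagement `grab_banner(host, port)` replaces the constructed dictionary; the version strings it returns are what the tester then checks against known weaknesses, which is exactly the information an exposed service should not be volunteering.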

White Box Testing

In this type of Pen Test, also known as “Clear Box Testing,” the tester has full knowledge of and access to both the source code and the software architecture of the Web Application. Because of this, a White Box Test can be completed in a much shorter time frame than a Black Box Test, and it can be far more thorough, since code paths an outside attacker would never reach can still be reviewed. The approach also has disadvantages. First, because the tester has complete knowledge, it can take more time to decide which systems and components to focus on. Second, it requires more sophisticated tools, such as static code analyzers and debuggers, and a tester who can read the code.
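The “code analyzer” a white box tester reaches for need not be a commercial product. The following is an added example, not code from the firm or from any real project: a small static analyzer built on Python’s standard `ast` module that walks a source file and reports the classic injection sinks (dynamically assembled SQL passed to `execute`, `shell=True` subprocesses, `os.system`, `eval`/`exec`). The analyzed snippet is a constructed, deliberately weak sample, and the sink list and function names are the example’s own choices.

```python
import ast

# Constructed sample of code under review: deliberately weak, not from any real project.
SAMPLE_SOURCE = '''
import os, subprocess, sqlite3

def lookup(user_id, conn):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE id = " + user_id)      # line 6: concatenated SQL
    cur.execute("SELECT * FROM users WHERE id = ?", (user_id,))   # line 7: parameterized, safe

def run(cmd):
    subprocess.run(cmd, shell=True)   # line 10
    os.system("ls " + cmd)            # line 11
    eval(cmd)                         # line 12
'''


def _dotted(node):
    """Render a Name/Attribute chain such as subprocess.run as 'subprocess.run'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _is_dynamic_string(node):
    """True if the expression builds a string at runtime: concat, %, .format(), f-string."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


class SinkFinder(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def _add(self, node, kind, detail):
        self.findings.append({"line": node.lineno, "kind": kind, "detail": detail})

    def visit_Call(self, node):
        name = _dotted(node.func) or ""
        kwargs = {kw.arg: kw.value for kw in node.keywords}
        shell = kwargs.get("shell")
        if name in ("eval", "exec"):
            self._add(node, "code-injection", f"{name}() evaluates runtime data")
        elif name in ("os.system", "os.popen"):
            self._add(node, "command-injection", f"{name}() passes a string to a shell")
        elif name.startswith("subprocess.") and isinstance(shell, ast.Constant) and shell.value is True:
            self._add(node, "command-injection", f"{name}(shell=True)")
        elif name.endswith(".execute") and node.args and _is_dynamic_string(node.args[0]):
            self._add(node, "sql-injection", "query text assembled at runtime; use parameters")
        self.generic_visit(node)   # keep descending: sinks nest inside other calls


def find_sinks(source: str) -> list:
    """Parse source and return findings sorted by line number."""
    finder = SinkFinder()
    finder.visit(ast.parse(source))
    return sorted(finder.findings, key=lambda f: f["line"])


if __name__ == "__main__":
    for f in find_sinks(SAMPLE_SOURCE):
        print(f"line {f['line']:>3}: {f['kind']:18s} {f['detail']}")
```

Line 7, which uses a parameterized query, produces no finding; that contrast is the point of a source-level check, since a black box tester would have to discover the difference between lines 6 and 7 by sending payloads.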

Gray Box Testing

As the name implies, this type of test is a combination of the Black Box and White Box approaches: the tester has only partial knowledge of the internal workings of the Web Application, limited to, for example, parts of the source code and the system architecture diagrams. Both manual and automated testing can be used. With this approach the tester can concentrate on the areas of the application he or she knows the most about and, from there, exploit any weaknesses found, so there is a higher probability that hard-to-find security holes will be discovered than in a pure Black Box test.

The Penetration Testing Teams

Very often, when it comes to Pen Testing, the image of a single person doing the test is conjured up. But the best results come when multiple testers are used and organized into three teams, as follows:

The Red Team

The Red Team consists of the actual Pen Testers. Their primary objective is to emulate the mindset of an attacker and break through whatever weaknesses and vulnerabilities are present. In other words, the Red Team attacks on every front possible.

The Blue Team

The Blue Team consists of personnel from within the business itself, typically the IT security team. Their primary objective is to detect, thwart, and defend against the Red Team’s attacks. Anyone on the Blue Team must maintain constant proactiveness and vigilance in defending the corporation against any and all attacks. The Red Team and the Blue Team are two sides of the same coin, or Yin and Yang: their combined goal is to enhance the security posture of the corporation on a continuous basis by sharing feedback with one another. In practice that exchange does not always happen, hence the need for a Purple Team.

The Purple Team

The Purple Team can be viewed as the composite of the Red Team and the Blue Team: it takes the security controls and tactics of the Blue Team together with the weaknesses and vulnerabilities discovered by the Red Team and translates them into one single narrative that can be shared across all teams to implement a policy of continuous security improvement for the corporation. In other words, the Purple Team is the “bridge” between the Red Team and the Blue Team, instilling a sense of continuous integration between the two. For the Purple Team to provide the most robust lines of communication, it should remain a separate, neutral entity so that no bias creeps in.

Regulatory Compliances

We facilitate audits and develop the policies and procedures needed to reach and maintain full compliance.
We start with a baseline and a pre-assessment to gather the information for a gap analysis.
We then define key performance indicators (KPIs) to measure progress and keep the compliance effort on track.

  • PCI DSS

  • ISO 27001

  • SSAE 16 (now SSAE 18) SOC 1 and SOC 2 reporting

    • SOC 1 Type 1: A design of controls report used for evaluating and reporting on the design of controls put into operation as of a specific point in time.
    • SOC 1 Type 2: Includes the design and testing of controls to report on the operational effectiveness of controls over a defined period of time (typically six to twelve months).
    • SOC 3: A general use report that falls under the SysTrust and WebTrust seal programs, and does not contain a description of the service auditor’s test work and results.
  • Organizational policy
  • Acceptable use policy
  • Risk management policy
  • Vulnerability management policy
  • Data protection policy
  • Access control policy
  • Business continuity policy
  • Log aggregation and auditing policy
  • Personnel security policy
  • Physical security policy
  • Secure application development policy
  • Change control policy
  • E-mail policy
  • Incident response policy

Security DevSecOps

In many organizations today, the DevOps team and the InfoSec team work closely together as peers. This is an advance over the traditional requestor/approver relationship between the two groups, because it gives security professionals a presence throughout the delivery pipeline rather than a gate at the end of it. This collaborative team identifies itself as DevSecOps: the alliance through which operations, engineering, and security are brought together.

DevSecOps lets forward-thinking organizations align teams whose goals were traditionally at odds. The result is security feedback that keeps pace with a continuously changing threat landscape: problems are detected sooner, resolutions are implemented faster, and resources are protected more effectively.

We provide Host-Based Intrusion Detection Integrations with the features below:

  • Comprehensive Log Analysis
  • PCI DSS Compliance Benchmarks
  • Security Hardening Benchmarks
  • Vulnerability Benchmarks
  • File Integrity Monitoring, with hash checking against VirusTotal (MD5)
  • Windows Registry Monitoring
  • Rootkit Detection
  • Time-Based Alerting
  • Active Response
  • Integrated Threat Intelligence Feeds
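File integrity monitoring is the feature in the list above that a practitioner most often has to reason about, so the following is an added example of how it works, written for this page rather than taken from the firm’s host-based IDS integration: baseline a directory tree, then classify every change as added, removed or modified (content or permission bits). Integrity decisions are made on SHA-256; MD5 is computed only because VirusTotal lookups are commonly keyed by it and must not be trusted for integrity on its own. The file tree and the “tampering” are constructed inside a temporary directory, the VirusTotal query itself is not performed, and all function names are the example’s own.

```python
import hashlib
import os
import tempfile

# sha256 drives the integrity decision; md5 is kept only as a VirusTotal lookup key.
HASH_ALGOS = ("sha256", "md5")


def hash_bytes(data: bytes) -> dict:
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HASH_ALGOS}


def hash_file(path: str, chunk: int = 1 << 16) -> dict:
    """Stream the file once and feed every configured hash."""
    hashers = {algo: hashlib.new(algo) for algo in HASH_ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def build_baseline(root: str) -> dict:
    """Snapshot every file under root: hashes, size and permission bits."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            baseline[rel] = {**hash_file(full), "size": st.st_size,
                             "mode": st.st_mode & 0o7777}
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Classify changes between two snapshots; a mode change alone counts as modified."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(
        p for p in set(old) & set(new)
        if old[p]["sha256"] != new[p]["sha256"] or old[p]["mode"] != new[p]["mode"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def virustotal_keys(snapshot: dict, paths) -> dict:
    """MD5s that would be submitted to VirusTotal for changed files (lookup not done here)."""
    return {p: snapshot[p]["md5"] for p in paths}


def _write(root: str, rel: str, data: bytes, mode: int = 0o644) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)
    os.chmod(full, mode)


def demo() -> dict:
    """Build a constructed tree, baseline it, tamper with it, and report the diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/ssh/sshd_config", b"PermitRootLogin no\nPasswordAuthentication no\n")
        _write(root, "bin/ls", b"\x7fELF constructed placeholder, not a real binary\n", 0o755)
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        before = build_baseline(root)

        # Simulated tampering: weakened config, new cron job, system binary removed.
        _write(root, "etc/ssh/sshd_config", b"PermitRootLogin yes\nPasswordAuthentication yes\n")
        _write(root, "etc/cron.d/backdoor", b"* * * * * root /tmp/.x\n")
        os.remove(os.path.join(root, "bin", "ls"))
        after = build_baseline(root)

        changes = diff_baseline(before, after)
        changes["vt_lookup"] = virustotal_keys(after, changes["added"] + changes["modified"])
        return changes


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind:9s} {items}")
```

The baseline itself must live somewhere the monitored host cannot rewrite (a central server or at least a signed, root-owned file); an attacker who can modify `/etc/ssh/sshd_config` can usually also modify a baseline stored next to it.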

Risk Management

A Virtual CISO engagement is designed to meet the security requirements of your organization without the prohibitive cost of a salaried CISO. This is a strategically sound approach for small and medium-sized businesses that do not need the extensive security operations of a large enterprise.

Policy

A Virtual CISO helps to ensure your organization maintains a thorough and well-defined portfolio of security policies and Disaster Recovery plans, as well as updates those policies as your technology & strategic plans evolve and change.

Guidelines

A Virtual CISO can help your organization in developing a wide range of guidelines related to data security, use of information systems, and governance of access controls and rules regarding who, what, and when.

Standards and Compliance

As regulatory agencies continuously address new developments in the cybersecurity arena, the regulations for information security can change significantly in a short period of time. A Virtual CISO helps ensure your organization stays current and compliant with the latest requirements.

Reporting

Your organization is expected to report regularly on how it manages and mitigates key information security concerns, such as GLBA obligations or vendor management, as part of its compliance efforts. With a Virtual CISO, your reporting is kept thorough, compliant, and reliable.

Threat Intelligence

Signature-based intrusion detection is one of the most common ways threat intelligence is put to use, but a signature only matches what it already describes. It is not effective against all of the threats, weaknesses, and vulnerabilities listed below; several of them involve no recognizable attack pattern at all.
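To make the limitation concrete, the following is an added example written for this page, not part of the firm’s detection stack: a two-signature scanner run over constructed web-server access log lines. Matched against the raw request, the signatures catch the plain attacks but miss percent-encoded, double-encoded and mixed-case variants; decoding the request before matching recovers those, while a technique the signature set does not describe (a time-based blind injection) is missed either way. The log lines, signatures and function names are all constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access log lines; no real traffic. Index 6 is an attack
# the signature set below knows nothing about.
LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=7 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?id=7 UNION SELECT user,pass FROM users HTTP/1.1" 200 9120',
    '198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /download?file=../../etc/passwd HTTP/1.1" 200 1843',
    '198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /download?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1843',
    '198.51.100.9 - - [10/Oct/2023:13:56:03 +0000] "GET /download?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1843',
    '192.0.2.77 - - [10/Oct/2023:13:57:10 +0000] "GET /index.php?id=7%20uNiOn%20sElEcT%20user,pass%20FROM%20users HTTP/1.1" 200 9120',
    '192.0.2.77 - - [10/Oct/2023:13:58:00 +0000] "GET /index.php?id=7%20AND%20SLEEP(5) HTTP/1.1" 200 512',
]

# Two naive signatures, written the way a first-draft rule usually is.
SIGNATURES = {
    "sqli-union": re.compile(r"union\s+select", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}

# Request target sits between the method and the protocol in the quoted request line.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>.*?) HTTP/\d\.\d"')


def request_target(line: str) -> str:
    m = REQUEST_RE.search(line)
    return m.group("target") if m else line


def normalize(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (defeats double encoding), then lowercase."""
    out = target
    for _ in range(max_rounds):
        decoded = unquote_plus(out)
        if decoded == out:
            break
        out = decoded
    return out.lower()


def scan(lines, normalize_first: bool = False) -> list:
    """Return (line_index, signature_name) for every signature hit."""
    hits = []
    for idx, line in enumerate(lines):
        text = request_target(line)
        if normalize_first:
            text = normalize(text)
        for name, rx in SIGNATURES.items():
            if rx.search(text):
                hits.append((idx, name))
    return hits


def false_negatives(lines, hits, attack_indexes) -> list:
    """Attack lines (known to us here because we constructed them) that produced no hit."""
    flagged = {idx for idx, _ in hits}
    return sorted(i for i in attack_indexes if i not in flagged)


if __name__ == "__main__":
    attacks = [1, 2, 3, 4, 5, 6]
    raw = scan(LOG_LINES)
    decoded = scan(LOG_LINES, normalize_first=True)
    print("raw hits:       ", raw, "missed:", false_negatives(LOG_LINES, raw, attacks))
    print("normalized hits:", decoded, "missed:", false_negatives(LOG_LINES, decoded, attacks))
```

Normalization closes the encoding gap but not the knowledge gap: line 6 is only caught once someone writes a `sleep(`-style rule, which is the cycle signature-based detection is always one step behind in.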

Accidental data leakage

Sensitive data is transmitted to, or viewed by, an individual who is not authorized to see it, whether by mistake or through misconfiguration. Once confirmed, it is handled as a data breach.

Malware

Trojans, ransomware, malicious Office documents, worms, viruses, etc.

Identity Theft

Falsely using someone else's private information for personal gain.

Malicious access of data

An employee's device, including a personal device used for work, is misplaced or stolen, exposing the private data on it to whoever holds it.

Insider Threat

An employee or contractor steals sensitive corporate data for business advantage or personal gain.

Weak passwords

A password as the single point of verification can be guessed, cracked, or phished; weak or reused passwords make that trivial for a savvy attacker.

Social engineering

Attackers manipulate employees into installing malware on their own systems or handing over credentials.

Loss/corruption of data

The integrity of your data has been compromised somewhere in the writing, reading, storage, transmission, or processing cycle.

Misconfigured systems

A web server, application, or plug-in has been misconfigured in a way that inadvertently leaks information or gives attackers an entry point into your business's software or OS.

Outdated operating system

An operating system that is past end of support no longer receives security patches, so every new vulnerability found in it remains exploitable.

Lack of encryption

Leaving data unencrypted, at rest or in transit, is the equivalent of leaving your wallet in an unlocked car with the windows down.

Equipment failures

Failed disks, power supplies, or network equipment take systems offline or corrupt the data they hold; availability is as much a part of security as confidentiality.

Unpatched vulnerabilities

Vulnerabilities arise with every software addition to your environment. Attackers locate the flaw, glitch, or weakness in your business's software or OS and create exploits for it; until the patch is applied, those exploits work.

Untrained employees

No security feature can account for human error.

Security Assessment

A proper assessment of an organization’s security posture must be performed at the network level and at the OS and application level. The questions asked are evaluated against a risk profile built from annual loss expectancy (ALE): the consequences of a risk or breach expressed through an exposure factor (EF) applied to the value of the affected asset.


A countermeasure is a security control designed to eliminate a vulnerability, or at least to reduce the likelihood that it is exploited. The value of implementing a countermeasure is the risk it mitigates; its cost is more than the purchase price. The following need to be assessed and evaluated for each countermeasure:

  • Product costs
  • Design/planning costs
  • Implementation costs
  • Environment modifications
  • Compatibility with other countermeasures
  • Maintenance requirements
  • Testing requirements
  • Repair, replacement, or update costs
  • Operating and support costs
  • Effects on productivity
  • Subscription costs
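Putting the ALE figures and the countermeasure cost list together gives the standard cost/benefit test: a control is justified when the ALE it removes exceeds its annualized cost. The following is an added worked example for this page, not the firm’s assessment method or figures: one-time costs are spread over the control’s expected lifetime, recurring costs are added, and the residual ALE is computed for controls that lower likelihood (ARO) as well as for one that limits damage (EF) instead. All asset values, percentages and costs are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    asset_value: float      # AV, currency units
    exposure_factor: float  # EF, fraction of AV lost per incident (0..1)
    aro: float              # annualized rate of occurrence (incidents per year)

    @property
    def sle(self) -> float:
        """Single loss expectancy: AV x EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: SLE x ARO."""
        return self.sle * self.aro


@dataclass
class Countermeasure:
    name: str
    one_time_costs: dict           # product, design/planning, implementation, environment changes
    annual_costs: dict             # maintenance, subscription, support, testing, productivity impact
    lifetime_years: float          # period over which one-time costs are amortized
    residual_aro: float            # ARO expected with the control in place
    residual_ef: Optional[float] = None  # EF with the control in place, if it limits damage

    def annualized_cost(self) -> float:
        return sum(self.one_time_costs.values()) / self.lifetime_years + sum(self.annual_costs.values())

    def residual(self, risk: Risk) -> Risk:
        ef = risk.exposure_factor if self.residual_ef is None else self.residual_ef
        return Risk(risk.asset_value, ef, self.residual_aro)

    def value(self, risk: Risk) -> float:
        """ALE before - ALE after - annualized cost. Positive means the control pays for itself."""
        return risk.ale - self.residual(risk).ale - self.annualized_cost()


def rank(risk: Risk, controls) -> list:
    """Controls ordered by net annual value, best first."""
    return sorted(((c.name, round(c.value(risk), 2)) for c in controls), key=lambda t: -t[1])


# Constructed scenario: a customer database worth 500k, 40% of it exposed per breach,
# one breach every two years.
DB_RISK = Risk(asset_value=500_000, exposure_factor=0.40, aro=0.5)

CONTROLS = [
    Countermeasure("monitoring + response", {"product": 20_000, "implementation": 10_000},
                   {"maintenance": 5_000, "subscription": 8_000, "productivity": 2_000},
                   lifetime_years=3, residual_aro=0.1),
    Countermeasure("gold-plated appliance", {"product": 150_000, "implementation": 30_000},
                   {"maintenance": 35_000},
                   lifetime_years=3, residual_aro=0.05),
    # Backups do not stop the breach (ARO unchanged) but cap what is lost (EF 40% -> 10%).
    Countermeasure("tested offline backups", {"product": 5_000, "implementation": 5_000},
                   {"subscription": 6_000, "testing": 2_000},
                   lifetime_years=5, residual_aro=0.5, residual_ef=0.10),
]


if __name__ == "__main__":
    print(f"SLE {DB_RISK.sle:,.0f}  ALE {DB_RISK.ale:,.0f}")
    for name, v in rank(DB_RISK, CONTROLS):
        print(f"{name:25s} net annual value {v:>10,.0f}")
```

The appliance that reduces ARO the most comes out negative once its cost is annualized, and the cheapest control wins because it attacks EF rather than ARO; the list of cost categories above is what keeps the "annual cost" term honest.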

We begin with an assessment of device management and the inventory system at each of these levels:

  • Network level security
  • Cloud-based
  • Host-based and OS
  • Application layer

Configuration Management Database (CMDB)

A Configuration Management Database (CMDB) is a repository that acts as a data warehouse for an organization’s Information Technology (IT) installations. It holds records for a collection of IT assets, commonly referred to as Configuration Items (CIs), together with the relationships between them (for example, which application runs on which host, and which software is installed where).

CIS Critical Security Controls (CIS Controls)

The CIS Critical Security Controls (CIS Controls) are a concise, prioritized set of cyber practices created to stop today’s most pervasive and dangerous cyber attacks. They are developed, refined, and validated by a community of leading experts from around the world. According to CIS, organizations that apply just the first five Controls can reduce their risk of cyber attack by around 85 percent, and implementing all 20 Controls raises that to around 94 percent.

The CIS Controls embrace the Pareto 80/20 principle: a small portion of all the security actions you could possibly take yields a very large percentage of the benefit of taking all of them. The first five Controls are:

  • Inventory of Authorized and Unauthorized Devices.
  • Inventory of Authorized and Unauthorized Software.
  • Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers, such as OS hardening images and shell scripts driven by a configuration management tool.
  • Continuous Vulnerability Assessment and Remediation.
  • Controlled Use of Administrative Privileges.
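The CMDB described earlier and the first two CIS Controls are the same data seen from two sides: the inventory of devices and software is what the CMDB stores, and the relationships between CIs are what turn a single finding into a blast radius. The following is an added example written for this page, not the firm’s CMDB or any vendor’s product: a minimal CI store with directed relationships, a CIS Control 2 style allowlist check for software installed on hosts, and an impact query that walks the relationships backwards from a compromised CI. The hosts, packages, application and allowlist are constructed sample data.

```python
from collections import defaultdict, deque


class CMDB:
    """Minimal CMDB: configuration items plus directed, typed relationships."""

    def __init__(self):
        self.cis = {}                     # ci_id -> {"type": ..., other attributes}
        self.out = defaultdict(set)       # src -> {(relation, dst)}
        self.inbound = defaultdict(set)   # dst -> {(relation, src)}

    def add_ci(self, ci_id: str, ci_type: str, **attrs) -> None:
        self.cis[ci_id] = {"type": ci_type, **attrs}

    def relate(self, src: str, relation: str, dst: str) -> None:
        for ci in (src, dst):
            if ci not in self.cis:
                raise KeyError(f"unknown CI {ci!r}")   # no dangling relationships
        self.out[src].add((relation, dst))
        self.inbound[dst].add((relation, src))

    def dependents(self, ci_id: str) -> list:
        """Every CI that transitively relies on ci_id: the blast radius of its compromise."""
        seen, queue = set(), deque([ci_id])
        while queue:
            current = queue.popleft()
            for _relation, src in self.inbound[current]:
                if src not in seen:
                    seen.add(src)
                    queue.append(src)
        return sorted(seen)

    def software_on(self, host_id: str) -> list:
        return sorted(src for rel, src in self.inbound[host_id] if rel == "installed_on")


def unauthorized_software(cmdb: CMDB, allowlist) -> list:
    """CIS Control 2 style check: (host, package, version) for software not on the allowlist."""
    findings = []
    for ci_id, ci in cmdb.cis.items():
        if ci["type"] != "software" or ci["name"] in allowlist:
            continue
        for relation, host in cmdb.out[ci_id]:
            if relation == "installed_on":
                findings.append((host, ci["name"], ci.get("version", "")))
    return sorted(findings)


def build_sample() -> CMDB:
    """Constructed inventory: two hosts, three packages, one application."""
    db = CMDB()
    db.add_ci("web01", "host", os="Ubuntu 22.04", owner="platform")
    db.add_ci("db01", "host", os="Ubuntu 22.04", owner="data")
    db.add_ci("sw-nginx-web01", "software", name="nginx", version="1.24.0")
    db.add_ci("sw-nc-web01", "software", name="netcat-traditional", version="1.10")
    db.add_ci("sw-mysql-db01", "software", name="mysql-server", version="8.0.32")
    db.add_ci("billing", "application", owner="finance")
    db.relate("sw-nginx-web01", "installed_on", "web01")
    db.relate("sw-nc-web01", "installed_on", "web01")
    db.relate("sw-mysql-db01", "installed_on", "db01")
    db.relate("billing", "runs_on", "web01")
    db.relate("billing", "depends_on", "sw-mysql-db01")
    return db


# Constructed allowlist for the sample fleet.
ALLOWLIST = {"nginx", "mysql-server", "openssh-server"}


if __name__ == "__main__":
    db = build_sample()
    print("unauthorized:", unauthorized_software(db, ALLOWLIST))
    print("impact of db01 compromise:", db.dependents("db01"))
```

The allowlist check only means something if the software CIs are populated from the hosts themselves (package manager output, agent inventory) rather than from what someone believes is installed; an inventory nobody reconciles is the unauthorized software’s best friend.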