PENETRATION TESTING
Testing the Security Controls of your Corporate Infrastructure
What Is Penetration Testing
Penetration testing exercises the testing team's ability to circumvent the security controls in place. The goal is not to find every exploitable opportunity but to exploit the most likely ones to gain access. Penetration testing can be long and tedious, depending on how difficult an exploit is to execute and on whether the testers are trying to avoid a multitude of intrusion detection systems during the test.

Penetration testing is the process of testing the security controls of an organization with the intent to exploit weaknesses and gain access to the system. A scope and boundary are defined to prevent the assessor from accessing systems outside the system owner’s responsibility. The pen tester usually has their own set of specialized tools used to find and exploit vulnerabilities, gain and keep privileged access, and avoid current and future detection by hiding their activities from network security mechanisms.
Our Methods
Our Penetration testing has 6 primary steps: Reconnaissance, Vulnerability Detection, Exploitation, Gaining Privileged Access, Keeping Access, and Covering your Tracks.
The penetration testing deliverable is a report of the exercises attempted and their results. It should also include a set of remediation recommendations to help close the exploits that were successful. Additionally, there should be documentation of unsuccessful results such as screenshots, tool outputs, text files, spreadsheets, and other forms of notes and results discovered. This provides the tester with repeatability and re-examination information that can reduce costs for future tests.
Your organization’s Security is too important to risk
Benefits
Every system has vulnerabilities. Find your corporation’s weaknesses and fix them before the wrong people do.
We help the IT security groups of mid-size to large organizations look for and assess the plausibility of exploitation in things such as defense-in-depth solutions.
Knowledge
Insight
Awareness of Exploitation
Penetration testing can confirm that a system is exploitable. It cannot confirm that a system is not exploitable, because the outcome depends on the tester’s ability and not necessarily on the security controls deployed by the organization.
Working Plan
Awareness of Vulnerability
Meet Regulatory Compliance Requirements
How we do it
Duffy Compliance Services’ (DCS) enterprise management application ensures compliance
How Service is Conducted
Penetration testers should document everything they do, especially successful exploits from which they will continue down the testing process.
Deliverables
- Scope of the Test (Goals, Objectives, limitations, restrictions)
- Type of Test (Black, White, Grey Hat)
- Boundaries of the Test (Net Ranges, Domains, Hosts, Applications, etc.)
- Attack Surface
- Roles and Responsibilities (POCs, Support for device crash/locked)
- Schedule for testing (Dates and Times or unknown)
- Pen Tester – Reconnaissance (what to use before system touch)
- System search for vulnerabilities
- Creating exploits and payloads for stealth and improved probabilities
- Exploit weaknesses for first access – repeat with new options or move on to next vulnerability if unsuccessful
- Exploit systems for second level access (privileged access)
- Create backdoors or simpler access methods to return to the device
- Delete events and logs and other traces of original attack and suppress (hide) information about current access methods
Why Choose us?
Tests for:
Healthcare practices
Entertainment organizations
Government Contractors
Government Agencies
System Experience:
Security Architecture – Freddie Mac, NGMS, GD C4S, NCI, IBM Global Services
Security Products – Fortinet, Rapid7, Dell SonicWall, Shiva/Intel VPN, Tenable, SAINT, Qualys
Open Source – Kali, OWASP, Metasploit, Kismet, etc.
Wireless – Bluesocket, Fortress
Penetration testing is full-spectrum, black-box to white-box testing of your environment. Your systems include the wired and wireless networks, applications, devices, and even personnel. The goal is to find vulnerabilities an attacker could exploit and see how your security controls respond.