Penetration Testing

Penetration testing provides the “hacker’s” perspective inside and outside of the network perimeter. Security testing specialists attempt to infiltrate the client’s network, systems and applications using not only common technologies and techniques, but also specialized tools and some unexpected methods, such as social engineering and combined techniques (“multi-vector” attacks). The result is a detailed report identifying key vulnerabilities and suggested protection tactics – an action plan to improve the organization’s security posture.

Penetration testing services provide absolute confirmation that a vulnerability does exist by exploiting the weakness to gain unauthorized access to the device or to create a denial of service condition by causing the device to fail. Penetration tests are generally performed after a vulnerability assessment (VA) to confirm identified vulnerabilities, but they can also be performed on their own using known exploits. Normally, when penetration testing is required, we use the results of the preceding VA activities to identify, prioritize and select the most likely attack vectors for conducting a successful penetration test. Vulnerabilities are assembled into a set of attack vectors and ranked according to the likelihood of success and the level of access provided to the vulnerable system to produce an overall attack strategy.

Similar to VA testing, we follow a systematic methodology to conduct penetration testing, and work with our clients to ensure the proposed test approach and risks are understood prior to any testing being conducted, and that exit criteria are negotiated and agreed upon (e.g. ability to read a specific file, ability to create or modify a database record, etc.).

Social engineering is intended to test the “human” aspect of security. Typical social engineering activities include targeted attacks against a list of people/email addresses as supplied by the client or derived from open-source intelligence searching using public search engines and resources. The goal is to attempt to extract information from staff or gain remote access to workstation assets. Three examples of how this type of information can be solicited from a client’s personnel are:

  • Interactive. Telephone-based or interactive social engineering can be conducted by engaging in conversations with staff members on-site or via telephone to attempt to elicit information about the individual, their role, the organization or IT assets owned and used by the organization. Some information from open-source intelligence gathering will be used in constructing the approach and legend behind the individual interacting with staff members.
  • USB-Based. If on-site, or if close access to an organization’s facilities is possible, then USB-based social engineering can be attempted by leaving USB memory sticks in key locations where they can be picked up by the organization’s employees. Successful exploitation depends on the staff member inserting the USB memory stick into their workstation or laptop while connected to the organization’s network. At this point either an auto launch feature will be exploited or the contents of the USB stick will be socially engineered to entice the user into double-clicking on the memory stick icon and viewing the contents. Through the auto launch or by opening the stick and viewing the contents, the user’s computer will be redirected to an Internet site under the control of our security analyst that will be used to collect information about the user’s browser and operating system, and possibly to demonstrate controlled exploitation of the workstation.
  • Email-Based. Email-based social engineering (“phishing”) utilizes the results from open-source intelligence gathering to tailor the attack to targeted individuals to increase the chance of successful exploitation. Informational messages, events and maintenance announcements from Internet sites will be spoofed in this form of attack to entice targeted users to open the attack emails and click on links embedded in them. The links will lead the victim to false networking sites under the control of our security analyst that will be used to collect information about the user’s browser and operating system, and possibly to demonstrate controlled exploitation of the workstation.
