Penetration Testing Services. Demonstrate Real-World Risk

Transcription

1 Penetration Testing Services Demonstrate Real-World Risk

2 Penetration Testing Services The best way to know how intruders will actually approach your network is to simulate a real-world attack under controlled conditions. This documents actual risks posed to your company from the perspective of a motivated attacker. Leverage offensive security experts to test defenses and uncover issues. Get an understanding of real-world risks from the attacker s perspective Go beyond the limitations of automated scanning to identify the root cause of underlying issues. Our penetration tests simulate real-world attack vectors to provide a point-in-time assessment of vulnerabilities and threats to your network infrastructure and applications. Quantify and prioritise findings using business-driven criteria Our post-assessment analysis presents logical groupings of one or more security issues with common causes and resolutions. We provide an actionable findings matrix that can be used as an over-arching workflow plan and tracked within your security organization. Enable your operations team in tracking the remediation effort Each finding is categorised according to the relative level of risk posed to your organization. The final deliverable also contains the amount of work and resources required to address each finding, hyperlinked references to resources, and detailed remediation information. s penetration testing services include: Internal and external network testing Web and mobile application testing Wireless network testing Social engineering (physical and electronic) Boutique engagments, e.g. DDoS, APT, embedded device testing, malware, etc. Vulnerability assessment services Full security audit services 2

3 Demonstrate Real-World Risk A recent study conducted by the Ponemon Institute (2014 Cost of Data Breach Study: Global Analysis) reported the average cost of a data breach for the affected company is now $3.5 million. Costs associated with the Target data breach that occurred in 2013 reached $148 million by the second quarter of 2014 s Penetration Testing Services team delivers network, application, wireless, social engineering and boutique engagements to demonstrate the security level of your organization s key systems and infrastructure. The purpose of penetration testing is to Identify ways to exploit vulnerabilities to circumvent or defeat the security features of system components. Test will provide an evidence of exploitation and potential damages which may caused by attackers. (eg. sensitive data breach, defacement, money fraud, resources steal) Why Penetration Testing? Uncover security weaknesses Learn whether and how your network is exposed to potential attacks. Check security controls Test if the security measures you ve put in place are working and effective. Test security of new applications Conduct a comprehensive security assessment before the roll-out. Compliance and best practices Some regulations such as Payment Card Industry Data Security Standard (PCI DSS) require regular penetration tests. Beyond compliance, many best practice frameworks recommend conducting penetration testing. Contractual obligations Larger enterprises require a penetration test as part of doing business with them. Proven penetration testing services and security expertise to meet unique business needs: Best practice methodology leverages the Open Source Security Testing Methodology Manual (OSSTMM), the Penetration Testing Execution Standard (PTES), and for application testing, the Open Web Application Security Project (OWASP) as foundation for assessments. Prioritised responses Security assessment results contain detailed remediation information and prioritised recommendations aligned to business goals and objectives. Comprehensive tools and processes uses a combination of proprietary and public tools to gather the most accurate data efficiently. Customised services approach Support for boutique engagements aligned with specific objectives, technologies, platforms, or threats. Risk scoring using the DREAD framework Address the top threats that have the greatest potential impact by applying a structured approach. 3

4 Penetration Testing Services Testing Vantage Points Penetration tests can traditionally be run internally within an organisation or externally from the internet. The appropriate vantage point for the testing should be determined by organisations focus on risk. In addition, the two places for testing are not mutually exclusive. Organisations with a strong focus on risk management will most frequently conduct testing from both an internal and external perspective. Internal Penetration Testing This type of testing assesses security through the eye of an internal user, a temporary worker, or an individual that has physical access to the organisation s buildings. Internal penetration tests are conducted from within an organisation, over its Local Area Network (LAN) or through WIFI networks. The tests will observe whether it is possible to gain access to privileged company information from systems that are inside the corporate firewalls. Testers will assess the environment without credentials, and determine whether a user with physical access to the environment could extract credentials and then escalate privileges to that of an administrator or super user within the environment. During an internal penetration test, the tester will attempt to gain access to sensitive data including PII, PCI card data, R&D material and financial information. They will also assess whether it is possible to extract data from the corporate environment and bypass any DLP or logging devices so as to assess any countermeasures or controls that have been put in place. External Pen Testing This type of testing assesses an organisations infrastructure from outside of the perimeter firewall on the Internet. It assesses the environment from the vantage point of an internet hacker, a competitor or a supplier with limited information about the internet facing environment. External pen testing will assess the security controls configured on the access routers, firewalls, Intrusion Detection Systems (IDS) and Web Application Firewalls (WAFS), that protect the perimeter. External tests will also provide the ability to assess security controls for applications that are published through the internet. recognises that there is increasing logic being built into web services to deliver extranet, e-commerce and supply chain management functions into Internet users. As a consequence, pays particular attention to these resources, and performs granular assessments on their build and configuration, as well as interaction with other data sources that sit in your protected network segments. Testing Methodology has a robust testing methodology that extends across infrastructure and application testing engagements. Although every penetration test is tailored to our clients individual needs, we follow the same proven methodology so as to maintain a consistent and reproducible set of results. From a high level perspective, s infrastructure testing methodology is based around seven core phases. Phase 1 Scoping Phase 2 Reconnaissance and Enumeration Phase 3 Mapping and Service Identification Phase 4 Vulnerability Analysis Phase 5 Service Exploitation has a dedicated methodology associated to web application and web service assessments. This comprises six additional phases and operates at level 3 to 6 of a conventional penetration test. Phase 6 Pivoting Phase 7 Reporting and Debrief 4

5 Demonstrate Real-World Risk Let guide you through the differences between black, white and grey box penetration testing services. Black Box Testing In a black box test, the client does not provide with information about their infrastructure other than a URL or even just the company name. is tasked with assessing the environment as if they were an external attacker with no information about the infrastructure or application logic that they are testing. Black box penetration tests provide a simulation of how an attacker without any information, such as an internet hacker, organised crime or a nation a state could present risk to the environment. Grey Box Testing A grey box test is a blend of black box testing techniques and white box testing techniques. In grey box testing, clients provide with snippets of information to help with the testing procedures. This results in a more focused test than in black box testing as well as a reduced time line for the testing engagement. Grey box penetration tests provide an ideal approach for assessing web applications that allow users to login and access data that is specific to their user role, or their account. White Box Testing In a white box test, is provided with detailed information about the applications and infrastructure. It is common to provide access to architecture documents and to application source code. It is also usual for to be given access to a range of different credentials within the environment. This strategy will deliver stronger assurance of the application and infrastructure logic. It will provide a simulation of how an attacker with information (employee, etc) could present risk to the environment. Testing Reports & Deliverables prides itself on some of the strongest deliverables within the industry. We recognise that identifying vulnerabilities and areas for exploitation is critical. However, providing clear, concise and well informed documentation is also essential. places significant focus and effort on its documentation, reports and presentations. We ensure that quantifiable methodology is utilised all the way through an engagement. Testing Report & Documentation produces a high level management report and an indepth technical review document for each engagement. These documents will highlight security vulnerabilities and identify areas for exploitation. In addition, they will provide guidance on remediation, with a focus on preventative countermeasures. Test Debrief Pen testing is complex, however the reports, presentations and debriefs do not need to be. ensures that all tests have a full debrief at the end of the engagement. Where practical, delivers this debrief in a face to face manner. During this process we will provide a presentation of critical and high level vulnerabilities along with guidance on remediation and countermeasures. Post Test Guidance Clients that engage with for Pen Tests are provided with three months of complimentary access to our Security Support Desk. This provides a level of assurance through the remediation phase, ensuring that you can get all of your vulnerabilities fixed in a time sensitive manner. 5

6 Penetration Testing Services Penetration Test Team Edward Skraba Lead Penetration Tester, IBM Certified Security Specialist E: Frank Konya Head of IT, Penetration Tester, IBM Certified QRadar Specialist E: Christopher Galicki Project Manager, Cyber & Information Security E: 6

7 Demonstrate Real-World Risk Contact T: E: W: Cork Unit 11A, South Ring Business Park, Kinsale Road T12 W938 Cork, Ireland Dublin College Green Dublin 2, Ireland London 29 Harley Street London, United Kingdom 7