Penetration Testing Services. Demonstrate Real-World Risk

The best way to know how intruders will actually approach your network is to simulate a real-world attack under controlled conditions. This documents the actual risk posed to your company from the perspective of a motivated attacker.

Leverage offensive security experts to test defences and uncover issues
Get an understanding of real-world risk from the attacker's perspective, and go beyond the limitations of automated scanning to identify the root cause of the underlying issues. Our penetration tests simulate real-world attack vectors to provide a point-in-time assessment of the vulnerabilities and threats to your network infrastructure and applications; a test is valid for the state of the environment on the day it was run, and changes made afterwards are not covered by it.

Quantify and prioritise findings using business-driven criteria
Our post-assessment analysis groups one or more security issues that share a common cause and a common resolution. We provide an actionable findings matrix that can be used as an overarching workflow plan and tracked within your security organisation.

Enable your operations team to track the remediation effort
Each finding is categorised according to the relative level of risk it poses to your organisation. The final deliverable also states the work and resources required to address each finding, hyperlinked references to supporting resources, and detailed remediation information.

Our penetration testing services include:
- Internal and external network testing
- Web and mobile application testing
- Wireless network testing
- Social engineering (physical and electronic)
- Boutique engagements, e.g. DDoS, APT, embedded device testing, malware, etc.
- Vulnerability assessment services
- Full security audit services

A recent study by the Ponemon Institute (2014 Cost of Data Breach Study: Global Analysis) reported that the average cost of a data breach to the affected company is now $3.5 million. Costs associated with the Target data breach of 2013 had reached $148 million by the second quarter of 2014.

Our Penetration Testing Services team delivers network, application, wireless, social engineering and boutique engagements to demonstrate the security level of your organisation's key systems and infrastructure.

The purpose of penetration testing is to identify ways to exploit vulnerabilities in order to circumvent or defeat the security features of system components. The test provides evidence of exploitation and of the potential damage an attacker could cause (e.g. breach of sensitive data, defacement, financial fraud, theft of computing resources).

Why Penetration Testing?
Uncover security weaknesses: learn whether and how your network is exposed to potential attacks.
Check security controls: test whether the security measures you have put in place are working and effective.
Test the security of new applications: conduct a comprehensive security assessment before roll-out.
Compliance and best practice: some regulations, such as the Payment Card Industry Data Security Standard (PCI DSS), require regular penetration tests. Beyond compliance, many best-practice frameworks recommend conducting penetration tests.
Contractual obligations: larger enterprises often require a penetration test as a condition of doing business with them.

Proven penetration testing services and security expertise to meet unique business needs:
Best-practice methodology: we use the Open Source Security Testing Methodology Manual (OSSTMM), the Penetration Testing Execution Standard (PTES) and, for application testing, the Open Web Application Security Project (OWASP) as the foundation for assessments.
Prioritised responses: assessment results contain detailed remediation information and prioritised recommendations aligned to business goals and objectives.
Comprehensive tools and processes: we use a combination of proprietary and public tools to gather the most accurate data efficiently.
Customised services approach: support for boutique engagements aligned with specific objectives, technologies, platforms or threats.
Risk scoring using the DREAD framework: we address the top threats with the greatest potential impact by applying a structured approach. DREAD rates each finding on Damage potential, Reproducibility, Exploitability, Affected users and Discoverability, so that two findings can be compared on the same scale rather than by gut feel.
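To show how the DREAD-based prioritisation described above feeds the tracked findings matrix mentioned earlier (findings ranked by relative risk, grouped by common cause, with the remediation effort recorded alongside), here is an added Python example. It is not the company's own tooling: the 1-3 scale per factor, the High/Medium/Low bands, the effort figures and the five sample findings are all assumptions constructed for illustration.

```python
"""DREAD scoring and a findings matrix for penetration test output.

Added example, not the company's own code. The 1-3 scale per factor and the
High/Medium/Low bands are assumptions chosen for illustration; the sample
findings below are constructed, not taken from a real engagement.
"""
from dataclasses import dataclass
from typing import Dict, List

# DREAD: Damage, Reproducibility, Exploitability, Affected users, Discoverability
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")


@dataclass(frozen=True)
class Finding:
    ident: str
    title: str
    root_cause: str      # shared cause used to group findings for remediation
    effort_days: float   # assumed remediation effort, carried into the matrix
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def dread_score(self) -> int:
        """Sum of the five factors, each rated 1 (low) to 3 (high); range 5-15."""
        values = [getattr(self, name) for name in DREAD_FACTORS]
        for name, value in zip(DREAD_FACTORS, values):
            if not 1 <= value <= 3:
                raise ValueError(f"{self.ident}: {name} must be 1-3, got {value}")
        return sum(values)


def rating(score: int) -> str:
    """Assumed bands on the 5-15 range: High 12-15, Medium 8-11, Low 5-7."""
    if score >= 12:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def findings_matrix(findings: List[Finding]) -> List[Dict[str, object]]:
    """Rank findings by DREAD score, highest first; ties broken by identifier."""
    rows = []
    for f in findings:
        score = f.dread_score()
        rows.append({"id": f.ident, "title": f.title, "score": score,
                     "rating": rating(score), "root_cause": f.root_cause,
                     "effort_days": f.effort_days})
    return sorted(rows, key=lambda r: (-r["score"], r["id"]))


def group_by_root_cause(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group finding identifiers by shared root cause, so one fix can close several."""
    groups: Dict[str, List[str]] = {}
    for f in sorted(findings, key=lambda x: x.ident):
        groups.setdefault(f.root_cause, []).append(f.ident)
    return groups


# Constructed sample findings for illustration only.
SAMPLE_FINDINGS = [
    Finding("F-01", "Default credentials on internal switch management interface",
            "credential management", 0.5, 3, 3, 3, 2, 2),
    Finding("F-02", "SQL injection in customer portal login form",
            "input validation", 3.0, 3, 3, 2, 3, 2),
    Finding("F-03", "TLS 1.0 enabled on external mail gateway",
            "hardening baseline", 1.0, 1, 3, 1, 2, 3),
    Finding("F-04", "Missing OS patches on internal file server",
            "hardening baseline", 2.0, 3, 2, 2, 2, 1),
    Finding("F-05", "Printer status page reachable without authentication",
            "credential management", 0.5, 1, 3, 1, 1, 1),
]


if __name__ == "__main__":
    for row in findings_matrix(SAMPLE_FINDINGS):
        print(f"{row['id']} {row['rating']:6} {row['score']:2} "
              f"{row['effort_days']:>4}d  {row['title']}")
    for cause, ids in group_by_root_cause(SAMPLE_FINDINGS).items():
        print(f"{cause}: {', '.join(ids)}")
```

Two design points worth noting: the score validation lives in the finding itself, so a typo such as a 4 cannot silently inflate a ranking, and the root-cause grouping is kept separate from the ranking, since the operations team usually fixes by cause (one hardening baseline change) while management reads by severity.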

Testing Vantage Points
Penetration tests are traditionally run either internally, from within the organisation, or externally, from the Internet. The appropriate vantage point should be determined by the organisation's focus on risk, and the two are not mutually exclusive: organisations with a strong focus on risk management most often test from both the internal and the external perspective.

Internal Penetration Testing
This type of testing assesses security through the eyes of an internal user, a temporary worker or an individual with physical access to the organisation's buildings. Internal penetration tests are conducted from within the organisation, over its local area network (LAN) or its Wi-Fi networks, and observe whether privileged company information can be reached from systems inside the corporate firewalls. Testers start without credentials and determine whether someone with physical access to the environment could extract credentials and then escalate privileges to those of an administrator or superuser. During an internal test the tester attempts to reach sensitive data, including personally identifiable information (PII), payment card data in PCI DSS scope, R&D material and financial information. The tester also assesses whether data can be exfiltrated from the corporate environment while bypassing any DLP or logging devices, so that the countermeasures and controls that have been put in place are tested as well as the systems they protect.

External Penetration Testing
This type of testing assesses an organisation's infrastructure from outside the perimeter firewall, on the Internet. It takes the vantage point of an Internet attacker, a competitor or a supplier with limited information about the Internet-facing environment.
External penetration testing assesses the security controls configured on the access routers, firewalls, intrusion detection systems (IDS) and web application firewalls (WAFs) that protect the perimeter, and also the security controls of applications published to the Internet. We recognise that an increasing amount of logic is being built into web services to deliver extranet, e-commerce and supply chain management functions to Internet users. We therefore pay particular attention to these resources and perform granular assessments of their build and configuration, as well as of their interaction with the data sources that sit in your protected network segments.

Testing Methodology
We have a robust testing methodology that extends across infrastructure and application testing engagements. Although every penetration test is tailored to the client's individual needs, we follow the same proven methodology so as to maintain a consistent and reproducible set of results. At a high level, our infrastructure testing methodology is based around seven core phases:
Phase 1 Scoping
Phase 2 Reconnaissance and Enumeration
Phase 3 Mapping and Service Identification
Phase 4 Vulnerability Analysis
Phase 5 Service Exploitation
Phase 6 Pivoting
Phase 7 Reporting and Debrief

We also have a dedicated methodology for web application and web service assessments. It comprises six additional phases and operates within phases 3 to 6 of a conventional penetration test.

Let us guide you through the differences between black, white and grey box penetration testing.

Black Box Testing
In a black box test, the client provides no information about their infrastructure beyond a URL, or even just the company name. We assess the environment as an external attacker would, with no prior knowledge of the infrastructure or application logic under test. Black box penetration tests simulate the risk presented by an attacker without any inside information, such as an Internet hacker, organised crime or a nation state.

Grey Box Testing
A grey box test blends black box and white box techniques. Clients provide snippets of information to help with the testing procedures, which results in a more focused test than a black box test and a shorter timeline for the engagement. Grey box tests are the ideal approach for assessing web applications that allow users to log in and access data specific to their role or account, since the tester can be issued an account at each role and check that the authorisation boundaries between them hold.

White Box Testing
In a white box test we are provided with detailed information about the applications and infrastructure. It is common to provide access to architecture documents and application source code, and usual for us to be given a range of different credentials within the environment. This strategy delivers stronger assurance of the application and infrastructure logic, and simulates the risk presented by an attacker with inside knowledge (an employee, for example).

Testing Reports & Deliverables
We pride ourselves on some of the strongest deliverables in the industry. Identifying vulnerabilities and areas for exploitation is critical, but providing clear, concise and well-informed documentation is just as essential.
We place significant focus and effort on documentation, reports and presentations, and ensure that a quantifiable methodology is used all the way through an engagement.

Testing Report & Documentation
We produce a high-level management report and an in-depth technical review document for each engagement. These documents highlight security vulnerabilities and identify areas for exploitation, and provide guidance on remediation with a focus on preventative countermeasures.

Test Debrief
Penetration testing is complex, but the reports, presentations and debriefs do not need to be. Every test ends with a full debrief, delivered face to face where practical, in which we present the critical and high-rated vulnerabilities along with guidance on remediation and countermeasures.

Post-Test Guidance
Clients who engage us for penetration tests receive three months of complimentary access to our Security Support Desk. This provides assurance through the remediation phase and helps you get your vulnerabilities fixed in a timely manner.

Penetration Test Team
Edward Skraba, Lead Penetration Tester, IBM Certified Security Specialist. E: eskraba@smarttech.ie
Frank Konya, Head of IT, Penetration Tester, IBM Certified QRadar Specialist. E: frank@smarttech.ie
Christopher Galicki, Project Manager, Cyber & Information Security. E: cgalicki@smarttech.ie

Contact
T: 0818 27 27 27
E: info@smarttech.ie
W: www.smarttech.ie
Cork: Unit 11A, South Ring Business Park, Kinsale Road, T12 W938 Cork, Ireland
Dublin: 18-19 College Green, Dublin 2, Ireland
London: 29 Harley Street, London, United Kingdom