Keeping Your Clients’ Information Safe
Security of data is paramount in building and maintaining customer trust. In an age where data is distributed among various cloud providers and other third parties, the need for protecting that data has never been greater.
Regardless of the testing driver, be it compliance (PCI, SOC2, Fedramp, etc.) or corporate governance, our tailored solution can meet your requirements.
To help you assess your security posture, we provide these penetration testing services:
We provide a custom approach based on various scenarios that mirror the largest threats to your network. We employ a combination of industry-standard and custom-developed tooling to perform the necessary reconnaissance, enumeration and scanning, and the testing and validation of security threats.
We can tailor our approach from simple vulnerability detection and validation all the way to full system compromise where possible. A balanced approach is often optimal, and we work with you to adapt testing to meet your goals.
While the majority of our testing has been developed by our experienced team of seasoned pentesters over the course of many years, it is updated constantly to incorporate emerging threats, new configuration landscapes and modern organizational needs.
Our testing procedures are also based on industry best practice, including the following:
- NIST SP800-115 Technical Guide to Information Security Testing and Assessment, available at: http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf
- Penetration Testing Execution Standard (PTES), available at: http://www.pentest-standard.org
Web and Mobile Application Testing
We identify and exploit vulnerabilities at the web and application layer. As a baseline, we generally assess your environment against the OWASP Top 10, but we also address other potential threats to your application environment.
Our standard testing procedure is based on current industry-accepted methodologies blended with our own in-house developed test cases. This allows the greatest coverage of your custom web or mobile application, ensuring that as many vulnerabilities as possible are detected and reported.
At a minimum, application testing comprises the following, blended with our own in-house developed procedures:
- OWASP Testing Guide, available at: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
- OWASP Mobile Top 10, available at: https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10 and the OWASP Mobile Security Testing Guide, available at: https://github.com/OWASP/owasp-mstg
- SANS/CWE Top 25 Most Dangerous Software Errors, available at: https://www.sans.org/top25-software-errors
We will attempt to circumvent security controls through coercion, diversion, phishing and other methods.
Typically referred to as the weakest link in security, human error is to blame for most security incidents. According to the Verizon DBIR, 43% of security incidents in 2017 included an aspect of social engineering.
We have found, however, that when an organization invests in the element of human security, measures performance over time and implements an effective security awareness training program.
Our solution incorporates these elements. First, we carry out a highly complex and legitimate-seeming social engineering attack (phishing, phone support, chat support, physical intrusion), then provide detailed, actionable data as feedback. Second, we work with you to deliver training or assist you in facilitating your own training. Third, this process is repeated on a regular basis (quarterly, annually, etc.).
This process allows your staff to protect against actual social engineering attacks and to get into the habit of being wary of anything out of the ordinary. We teach a "trust, but verify" approach that is very effective.
- Email phishing: we take a highly customized and advanced approach in order to simulate the most skilled attackers in the wild. Because these attacks are difficult for the casual user to detect, they set the stage for recognizing real attacks, which can often culminate in financial or operational losses.
- Phone and chat exploitation: here we use public information (such as partner or client relationships) in an attempt to trick customer service or support representatives into giving up additional protected data.
- Physical intrusion: a standard engagement takes place during business hours, where we attempt to talk our way past gatekeepers or circumvent physical countermeasures. Engagements range from tailgating a staff member through an access-controlled ingress point all the way to capturing electronic badge data off-premise for use in a cloned badge that grants unfettered access to the facility.