Vulnerability & Penetration Testing


The value of Network and Application testing:

There are many high-profile cases where a well-known company has suffered an information security breach, and the revelation of the breach has affected its share price, consumer confidence, or brand image. Breaches have other effects too: the internal disruption they cause, the cost of the resources needed to restore systems and information, and the internal time needed to work out how the breach actually occurred.

With new regulations such as GLB, HIPAA, and SB 1386, a breach also affects a company's legal and liability position. Companies may also need to conform to the new MasterCard (SDP) and Visa (CISP) Acquirer and Merchant security compliance programs to mitigate new penalties.

Hacker techniques and tools are constantly evolving, and with them the capabilities needed to penetrate networks. Regardless of the technical aptitude of employees and an organization's adherence to security practices, the potential for unauthorized access remains a threat.

Read further and view a sample report.



A third-party security examination will greatly help an organization identify where vulnerabilities exist, and what procedures or measures need to be implemented to reduce risk and comply with regulations and compliance programs.



Secure20's Vulnerability and Penetration Testing services give you the opportunity to determine the actual effectiveness of your security measures by directly testing your network through acts of discovery and exploitation. Secure20 security consultants use the latest tools and techniques to emulate Internet, intranet, wireless, and extranet based attacks. We then deliver results and develop comprehensive documentation and an action plan for mitigating the identified risks.

Secure20 is uniquely qualified to deliver this service because of the strength of our security and networking expertise. Our founding Principals all come from within the high-security Banking industry. Our engineers and consultants have developed a comprehensive set of proven methodologies and intellectual capital to produce fast and quantifiable results. From enterprises in every industry to the largest of Financial Institutions, we have performed hundreds of engagements planning, designing, implementing, and securing complex networks.



Test Features and Process

The Vulnerability and/or Penetration Testing service provides an external perspective on your organization's security posture and vulnerabilities. Network vulnerabilities can be assessed through many methods, and the attack simulation is controlled and safe. Network access may be attempted from four basic perspectives:

  1. External Internet based attacks with zero previous knowledge.
  2. External Internet based attacks with full knowledge of the target network, possibly including information to gain depth into the network.
  3. External Internet and internal Network based attacks with the option of sharing critical information.
  4. Internal based attacks with common user knowledge and access to internal systems and network.

Features and Processes

  • We use a structured scanning process against perimeter devices using Secure20's proven Testing Methodology.
  • We make use of a full suite of industry-leading licensed, open source, and proprietary scanning tools. Unlike many vendors, we do not rely on a single tool: several tools are needed to check against each other for false positives and false negatives.
  • We provide remediation recommendations based on Secure20's best practices and Methodology.
  • We provide a very wide range of access testing options, including but not limited to: firewalls, proxies, VoIP, DNS, telnet, NetBIOS services, authentication mechanisms, VPNs, remote control, remote administration, spoofing, war-dialing for modems, denial of service techniques, and social engineering techniques.

Benefits

The Secure20 Testing service gives you the opportunity to identify the effectiveness of your organization's security practices and programs. By performing these tests, you can clearly measure your intrusion detection and response capabilities, as well as determine your organization's level of exposure to hostile attacks. Assessing vulnerabilities is an essential element of risk assessment: it establishes the relationship between information assets and the threats associated with them. Everything from technology and implementation practices to security behavior and the acceptance of security policies and procedures is tested and exposed to potential threats. This ensures your organization's security risks are identified and mitigated.



Deliverables

Upon completion of the engagement, you will receive a written final report and presentation of findings.

Specific deliverables include:

  • Comprehensive reports describing strengths and weaknesses found in the various intrusion test scenarios
  • Recommendations for immediate to long term improvements
  • Knowledge transfer during the life of the project via collaboration and review meetings

The objective of penetration testing is to measure the exposure of the network resources to attacks from the Internet, and to evaluate the effectiveness of network security devices (i.e. firewalls, routers, and servers) in preventing such attacks.

A penetration test will determine if:

  • your data can be manipulated or stolen;
  • your network possesses design problems;
  • your systems or applications are inadequately configured;
  • your firewalls, web servers, or routers are inadequately configured;
  • your network can be compromised for further access.

While examining your company's exposure to the Internet, we take on the role of a "hacker" and attempt to access your network from the outside. We normally perform this work without prior knowledge of your network or its connection to the Internet (though the time cost of this approach can be higher for you). The vulnerabilities we discover can be viewed as the same ones any attacker might find while probing your network and connected systems.

Secure20 uses several automated and manual tools to "break in" to your network. We do not simply rely on Web based scanning tools; your security posture and compliance needs are too important. The multi-step discovery process includes:

  • Discovery via Network Mapping
    Discover all Public or Internal IP addressable Nodes (Wired and Wireless)
  • Discovery of Network Node Vulnerabilities
    Routers, Switches, Modems, etc.
  • Discovery of Application Vulnerabilities
    Web Apps, Databases, etc.
  • Discovery of Host Vulnerabilities
    XP, Windows 2k, Unix, etc.
  • Discovery via Social Engineering
    People
  • The Penetration phase is the second phase. In that phase we exploit the vulnerabilities found to gain access.



Sample Reporting

At over 200 pages, the sample document below is the result of a comprehensive test of a 20 node site covering every flavor of Win32 and Unix and the full variety of applications and databases one might test against. We think you will find this type of document meets your requirements.

Our reports are written to serve both as a working internal document and as a document that can be used externally to show due diligence in protecting both company and client assets.

Download a Sample Report (1.5MB PDF)


Project Pricing

See the Pricing page for more information.

When applicable, travel and living expenses are extra.


Contact us now to get started

Use the Project Scoping Form to make the process even quicker.