Software Penetration Testing
Penetration testing is a mandatory component of regulations such as PCI DSS and is also considered essential practice for any business with a high degree of dependence on online operations. Testing empowers companies to identify and remediate security issues in their running web applications before hackers can exploit them. Using CHECK, CREST, SANS and OWASP trained staff, we provide:
- Web application penetration testing, across .NET, Java and PHP platforms.
- Legacy application penetration testing of legacy client/server applications, AS/400 and mainframes.
- Standalone application testing, of compiled executables.
- External network penetration testing
- Internal network penetration testing
- Remote access and two-factor authentication testing
- Physical penetration testing
- Wireless penetration testing
- PCI DSS penetration testing
- Social engineering
- Phishing simulations
- Reputational analysis
In fact, we can test pretty much anything that involves people, processes and technology.
How to conduct a penetration test
A penetration test should reflect a measured approach to addressing a specific set of risks to an organisation. Because the market is very much compliance-driven, penetration tests are being offered on a commodity basis by a number of security companies globally: you provide details of how many URLs and IP addresses you have, and you get a quote in response. This is the wrong approach, and these companies are reaping the benefits of year-on-year renewals without really adding value to the security posture of the tested entities. Following a risk assessment, a penetration test is a valuable instrument that helps validate that controls are in place and acting as desired to protect important assets. Simple questions that should help guide you:
- What assets am I trying to protect?
- Who am I trying to protect them from?
- What are their likely routes into my organisation?
- How exposed are my assets?
- Are internal staff a risk?
A penetration test should provide reasonable assurance that your assets are protected. Following initial network/application baselining, automated testing can be set up to address these on an annual basis, with manual focus put onto any changes to your environment, or other routes via which your assets might become compromised. As the threat landscape changes, your penetration test methodology must be kept up to date, and the spend kept appropriate to the risks that your company faces.
To test web, standalone and legacy applications, we conduct both dynamic and static analysis, to understand how an application works in a run-time environment and also how well it has been coded to defend against common threats.
Dynamic Analysis – By dynamically testing web applications, we inspect applications the same way a hacker would attack them – providing accurate and actionable vulnerability detection. This means testing applications in a run-time environment. This helps reduce false positives as not all insecure code leads to an exploitable vulnerability.
Static Analysis – Static analysis, also commonly called “white-box” testing, looks at applications in a non-runtime environment. This method of security testing has distinct advantages in that it can evaluate both web and non-web applications and, through advanced modelling, can detect flaws in the software’s inputs and outputs that cannot be seen through dynamic web scanning alone. Compiled binaries and source code would be required.
Network Penetration Testing
Network penetration testing aims to exploit flaws that can be discovered using a local or remote network connection. We carry out internal testing onsite, to simulate what an adversary with a local network connection might exploit. We also test from an external perspective, to ensure your network does not expose vulnerabilities to the outside world. In addition, we can test your network from a VPN perspective. Exactly what damage could an adversary with a VPN connection do to your business? What if a home based employee with a VPN connection was inadvertently infected with malware, which attempted to spread to your corporate network?
We take a three-phase approach to network penetration testing:
- Enumeration: the supplied range of IP addresses will be enumerated in order to discover what network, operating system and applications might be running on it. Publicly available information (DNS, RIPE, support forums and social networking sites) will be queried and put into context.
- Vulnerability scanning: the IP address ranges will be scanned using a vulnerability scanner to ensure they are patched and up to date. The scanning will go to an authenticated level and will need domain administrator credentials in order to enumerate any locally installed applications and scan them. Both software application and configuration level vulnerabilities will be checked, to ensure systems are patched and configurations are in line with industry standards, such as those from the Center for Internet Security and NIST.
- Service testing: open ports will be tested using a range of testing tools (both commercial and in-house) to ensure any TCP/IP level services or applications are protected against common attacks. This would include dictionary attacks on available login prompts and the use of default parameters to ensure that these have been changed. Where appropriate, firewall and IDS/IPS evasion techniques may also be implemented.
Testing concludes with a detailed report and any remediation steps required prior to re-test.
Physical Penetration Testing
It’s often a lot easier than people think to walk through the front door of your offices, get past security guards and install nefarious equipment on an organisation’s network, leave malicious software on accessible desktops or even steal confidential data. More often than not, this highlights the gap between your physical security and information security efforts, showing that security does need to be applied holistically and every member of your staff kept aware of emerging threats. Fire alarms are also often misused – with health and safety legislation saying that all doors must fail open, it makes even more sense to maintain a clear desk policy and ensure confidential documents aren’t lying around.
We can also perform bug sweeping, searching for listening devices (GSM/GPRS/3G/802.1x/radio) that have been deliberately left in sensitive areas, such as board rooms. As spy devices get smaller and smaller they are very easy to conceal, and they are the first choice of anyone planning industrial espionage against your organisation.
Wireless Penetration Testing
Just how robust are your wireless security controls? It is common knowledge that WEP can be easily defeated, and attacks also exist against WPA and WPA2 that could be used to compromise your wireless network. The big risk with wireless is that it can be attacked from outside your building. Malicious wireless access points can also be introduced from outside your building to impersonate your own wireless access points and steal information.
We can test any wireless network and ensure it is correctly configured and that common wireless vulnerabilities do not expose confidential information on your networks.
What level of penetration testing is right for me?
We can provide any level of testing, from baseline PCI DSS penetration testing services through to deep-level testing to protect against Advanced Persistent Threats in large corporates or government entities. The killer question has always been “how much do I spend on testing?”. Rather than providing an off-the-shelf penetration testing package, we work with you to understand your exposure to risk, and advise where security resource and budget should best be focused.
PCI DSS Penetration Testing
PCI DSS requires that an entity performs both network and application penetration testing on the defined PCI DSS scope, or cardholder environment. Further guidance notes from the PCI SSC also recommend that physical and social engineering tests are carried out. To “pass an audit” there are no strict criteria as to what defines an acceptable penetration test, other than that it correctly addresses the provided scope without missing things out, and that a best practice approach is adopted by somebody or a company that specialises in security testing, like us. PCI DSS penetration testing must be performed at least annually, or whenever there has been a major change in the environment (such as the addition of a new application).
Social engineering tests can be as easy as phoning up your switchboard, enumerating a number of employees, and using LinkedIn or Facebook to gain information and ultimately gain your employees’ trust. You wouldn’t think your employees would give up their username and password, but using highly experienced actors, it can be trivial to do. More so in larger companies with a centralised support function. Our penetration testers take this to the next level and thoroughly test whether your security policies are being read, understood and adhered to.
Organisations go to great effort to ensure staff read and sign off information security policies when they start employment. However, just how effective are they? We often demonstrate using an accurate phishing simulation just how easy it is for an employee to be fooled into clicking what they think is a legitimate link. Even more so when the link or attachment is entitled “2012 Salary Details for Company X”.
Countless methods of training have been used to try to combat phishing, from security awareness workshops and posters through to regular HR campaigns advising staff exactly what to look out for. But still, out of human nature, they will click on links. Links want to be clicked!
Through our enterprise-level phishing simulations, we change that. Highly realistic emails are constructed, often using real domain names and the names of real employees, and sent to groups of employees at various stages of our simulation. Those that click are either “measured” or taken to an educational page on your company intranet telling them they have just fallen victim to a phishing attack. This teaches employees to become vigilant and to alert your helpdesk to potential infiltration attempts.
Ready to take the next step?
Whatever your challenge is, we can help. Feel free to send over a request by filling out our proposal form. We'll get back to you promptly with our analysis and a structured costing of your project.