Internal and external network-level security testing is a must-have component of infosec for both security and compliance reasons. Using the latest methodologies and attack vectors, our team measures the threat exposure of your network.
Internal networks in organizations are exposed to many vulnerabilities and threats at the network or application layer. These come from malicious employees or from external intruders who compromise the network by exploiting external issues or through social engineering, among many other means. The objective of an internal penetration test is to reproduce or mimic what real attackers would do by finding and exploiting the vulnerabilities present on the network and securely compromising selected infrastructure components such as LDAP, CHD, DB, PII or many other sensitive servers.
On top of this, many compliance regulations such as SOX, PCI, HIPAA, etc. require corporations to perform internal penetration tests as part of their information security programs in order to determine whether unauthorized access or other malicious activity is possible. These tests should be run at least once a year and/or as many times as required by the different compliance programs. Last but not least, the scope of the assessment is usually determined in conjunction with the customer, depending on the objective of the exercise, and/or, when performing compliance-related assessments, by the regulatory requirements.
External penetration testing tests the security posture of the network and applications exposed externally to the internet or to any other publicly accessible network. Consultants test the possible vulnerabilities and issues, once more reproducing or mimicking what real attackers or criminals would do, but with the correct safeguards in order to successfully exploit vulnerabilities while keeping the infrastructure and the customer's data safe.
Once more, this type of testing is also mandated by many of the security standards and compliance regulations in the information security industry. The scope and frequency of these assessments are determined by the same set of rules as for internal penetration tests, but with some differences depending on the client's needs and compliance mandates.
Our vision of a penetration testing methodology is to merge the classic phases of the assessment with the latest threats and attacks from the real world. We do this in order to bring not only the procedures and tests that information security requires, but also to give the client the best possible view of the actual security posture of their environment. Most companies concentrate on reporting lots of meaningless vulnerabilities that any automated scanner can provide, without giving any insight into how they could be used, whether attackers even exploit these issues nowadays, or whether the issues could actually damage the organization in question. By mixing the classic methodology with a refreshed view of security that concentrates on mimicking real criminals' intent, we aim to bring more and better value to each reported vulnerability at each step of the assessment.
Having said this, we still organize ourselves around the following high-level testing phases but, as mentioned above, always work hard to research and bring a perspective that can help organizations identify real risks.
This process starts by gathering any and all information about the corporate network and any other relevant data. In order to win, you always need to know your opponent. In this case it is key that good information gathering is performed in order to know who, how and what to attack. This phase is responsible for creating a scope if one was not provided by the customer, for investigating which properties the company in question owns that are currently connected to the internet, etc.
Using automated, manual and custom-built tools and scripts, consultants run multiple sets of scans in order to detect possible vulnerabilities. While these scanners run, manual testing is also performed in order to detect issues that, due to their complexity or sensitivity, can only be tested manually.
Unlike in a vulnerability scan, once we find a vulnerability, the consultants will try to safely exploit and test it on each of the detected systems in order to assess its severity more fully and properly, and also to allow them to continue with the exercise, as we will discuss in the next phase.
Once we are able to successfully exploit vulnerabilities, it is time to assess what damage a real attacker would be able to cause using these vulnerabilities and how deep they could go into the corporate environment. This not only allows you to detect the real threat of a vulnerability, but also allows the penetration testers to possibly find even more vulnerabilities that could not otherwise have been discovered.
This phase, as the title states, is the time when the consultants clean up any necessary exploitation and post-exploitation shells, payloads, and/or any possible issues that might have come up while performing the penetration test.
Throughout all phases we consciously take notes about any issues, errors or vulnerabilities that we come across. Once we are done with the assessment, these vulnerabilities and issues need to be assessed against the entire exercise, and the corresponding severity, likelihood and other risks are calculated to match exactly what each vulnerability really means to the client. Last but not least, a final report is generated and discussed with the client.