Application Vulnerability Test
This test determines whether an application is sufficiently secure from an application-layer perspective. Our consultant(s) will perform this test remotely. Upon completion of the test, Client will receive a detailed report on the security state of the application and any identified remediation actions.
The application penetration test will evaluate the application's vulnerability in the following areas using manual testing (not automated scanners):
- Cross-site scripting (XSS)
- Injection flaws (particularly SQL injection)
- Malicious file execution
- Insecure direct object references
- Cross-site request forgery (CSRF)
- Information leakage and improper error handling
- Broken authentication and session management
- Insecure cryptographic storage
- Insecure communications
- Failure to restrict URL access
Penetration Test Service
This includes any internal network and system that stores, processes, or transmits data and/or information. The Internal Penetration Test Service follows the same methodology applied by the External Penetration Test Service, but is performed from an internal perspective. A security consultant will visit up to one location and perform penetration testing against a sample of systems at that location. Upon completion of the testing, a report will be provided documenting the findings and including high-level recommendations to assist you in correcting any areas of deficiency.
All testing phases will be coordinated with Client to minimize any adverse impact that may occur because of the services. We strongly recommend full disclosure of the testing to all individuals responsible for the network and related services and devices. Although we take precautions to minimize the negative impact on client systems, we do not guarantee against service interruptions, due to the inherent risk of such testing, that could result from unpatched systems, unique system configurations and other such issues.
We also recommend the establishment of incident response procedures in the event of any adverse impact or disruption of network services. Client assumes full responsibility to back up and/or otherwise protect its data against loss, damage or destruction prior to and during all phases of the proposed services, and to respond appropriately to any adverse impact on the systems or disruption of service.
Internal Penetration Testing Service
This includes any internal network and system that stores, processes, or transmits data/information. The objective of an internal network penetration test is to determine if the current network security controls are vulnerable to an actionable attack from an attacker that has gained access to the network either physically or virtually.
This level of testing validates corporate security policy and development standards by attempting to identify how resilient the internal network is to determined attackers. The product of an internal network penetration test is a report that documents the organization’s existing security posture, identifies specific weaknesses and vulnerabilities, provides purpose built exploit code examples that tell a compelling story of risk from any given vulnerability, and makes recommendations for their remediation.
Benefits of an internal penetration test include:
- Identification of the internal network’s exposure to security risks.
- Identification of specific vulnerabilities affecting the network.
- Validation and verification of existing network security controls, policies and procedures by impartial, third-party experts.
Remote Testing Option
You may choose to have the internal penetration testing performed remotely. The consultant will work with you to facilitate the remote access needed to conduct the penetration test. The consultant will first arrange a call to discuss the test parameters and gather all the technical information required. After testing is completed, there may be offsite data analysis and Q&A sessions with the relevant staff regarding the findings. The final report will then be presented for review.
The goal of social engineering is to obtain information from people or through non-technical means that will allow unauthorized access to a valued system and the information that resides on that system. The results of social engineering exercises can be far reaching and provide valuable information about Client’s security posture and controls.
Social engineering relies on untrusted personnel posing as legitimate employees, business partners, vendors, suppliers, customers, technical support, facilities workers, etc. of the targeted organization and attempting to obtain proprietary or sensitive information that should not be readily available or provided. Social engineering exercises will not only expose vulnerabilities within the organization, but will also provide a roadmap to the training and awareness requirements needed to improve these conditions.
The natural human tendency to accept people at their word leaves many organizations vulnerable to information attacks through social engineering. This type of attack is conducted by persuading well-meaning individuals inside a company to volunteer information or assistance to the attacker. Since the security controls in place at an organization are ultimately under the control of administrators, managers, and users, these individuals can become the weak link when protecting sensitive information.
Social engineering exercises test an organization's resilience to attacks against the human component of security controls. Beyond simple pretexts, technical methods can be used, such as client- and browser-based attacks that are accomplished by convincing those with legitimate access to click on links that may execute developed test code. Social engineering exercises as described above will be included as part of testing at all test locations.
Our team will prepare a formal report detailing the findings of the assessment. The report will detail any identified threat, vulnerability or potential vulnerability, as well as recommendations for countermeasures to eliminate or mitigate these risks. Wherever possible, the report will recommend the specific security patches and architectural, configuration, or procedural changes that may be required.
Any vulnerability that our team uncovers will be ranked according to severity: High, Medium, Low, or Informational. Any files, passwords, or system information obtained during the assessment will be included as part of the report deliverable.
Once a final deliverable has been developed, it will be presented to Client in the form of an engagement closeout presentation. Separate presentations for both management and technical groups can be given at Client’s request.
Project, Program and Portfolio Management
- Project management using PMP, Agile, EVM, and ISO 21500
- P3M (Portfolio, Program, and Project)