This test determines whether an application is sufficiently secure from an application-layer perspective. Our consultant(s) will perform this test remotely. Upon completion of the test, Client will receive a detailed report on the security state of the application and any identified remediation actions.
The application penetration test will evaluate the application's vulnerability in the following areas using manual testing (not automated scanners):
- Cross-site scripting (XSS)
- Injection flaws (particularly SQL injection)
- Malicious file execution
- Insecure direct object references
- Cross-site request forgery (CSRF)
- Information leakage and improper error handling
- Broken authentication and session management
- Insecure cryptographic storage
- Insecure communications
- Failure to restrict URL access
This includes any internal network and system that stores, processes, or transmits data and/or information. The Internal Penetration Test Service follows the same methodology applied by the External Penetration Test Service, but is performed from an internal perspective.
All testing phases will be coordinated with Client to minimize any adverse impact that may occur because of the services. We strongly recommend full-disclosure of the testing to all individuals responsible for the network and related services and devices.
Although we take precautions to minimize the negative impact on client systems, we do not guarantee against service interruptions, due to the inherent risk of such testing, that could result from un-patched systems, unique system configurations and other such issues.
This includes any internal network and system that stores, processes, or transmits data/information. The objective of an internal network penetration test is to determine if the current network security controls are vulnerable to an actionable attack from an attacker that has gained access to the network either physically or virtually.
This level of testing validates corporate security policy and development standards by attempting to identify how resilient the internal network is to determined attackers. The product of an internal network penetration test is a report that documents the organization's existing security posture, identifies specific weaknesses and vulnerabilities, provides purpose-built exploit code examples that tell a compelling story of risk for any given vulnerability, and makes recommendations for their remediation.
Benefits of an internal penetration test include:
- Identification of the internal network’s exposure to security risks.
- Identification of specific vulnerabilities affecting the network.
- Validation and verification of existing network security controls, policies and procedures by impartial, third-party experts.
You may choose to have the internal penetration testing performed remotely. The consultant will work with you to facilitate the remote access needed to conduct the penetration test. The consultant will first arrange a call to discuss the test parameters and gather all the needed technical information required.
After testing is completed, there may be offsite data analysis and Q&A sessions with the concerned staff regarding the findings. The final report will then be presented for review.
The goal of social engineering is to obtain information from people or through non-technical means that will allow unauthorized access to a valued system and the information that resides on that system. The results of social engineering exercises can be far reaching and provide valuable information about Client’s security posture and controls.
Social engineering targets the employees of the organization: untrusted personnel pose as legitimate employees, business partners, vendors, suppliers, customers, technical support, facilities workers, etc. and attempt to obtain proprietary or sensitive information about the organization that should not be readily available or provided.
Social engineering exercises will not only expose vulnerabilities within the organization, but will also provide a roadmap to training and awareness requirements needed to improve these conditions.
Social engineering exercises test an organization's resilience to attacks against the human component of security controls. Beyond simple pretexts, technical methods can be used, such as client- and browser-based attacks that are accomplished by convincing those with legitimate access to click on links that may execute developed test code.
Social engineering exercises as described above will be included as part of testing at all test locations.
Our team will prepare a formal report detailing the findings of the assessment. The report will detail any identified threat, vulnerability or potential vulnerability, as well as recommendations for countermeasures to eliminate or mitigate these risks. Wherever possible, the report will recommend the specific security patches and/or architectural, configuration, or procedural changes that may be required.