Penetration Testing introduction:   Security Services
A Penetration Test is the process of actively evaluating your information security measures. The most common procedure is that the security measures are actively analyzed for design weaknesses, technical flaws and vulnerabilities; the results are then delivered comprehensively in a report, to Executive, Management and Technical audiences by knowledgeable Integracon staff.

The need for Penetration Testing:
There are several reasons why organizations choose to perform a penetration test; they range from technical to commercial but the most common are:

• Identify the threats facing your organization’s information assets so that you can quantify your information risk and provide adequate information security expenditure.
• Reduce your organization’s IT security costs and provide a better return on IT security investment (ROSI) by identifying and resolving vulnerabilities and weaknesses. These may be known vulnerabilities in the underlying technologies or weaknesses in the design or implementation.
• Provide your organization with assurance - a thorough and comprehensive assessment of organizational security covering policy, procedure, design and implementation.
• Gain and maintain certification to an industry regulation (BS7799, HIPAA etc).
• Adopt best practice by conforming to legal and industry regulations.

Which service(s) are right for you:
1. External Penetration Testing is the traditional approach to penetration testing. The testing is focused on the servers, infrastructure and the underlying software comprising the target. It may be performed with no prior knowledge of the site or with full disclosure of the topology and environment. This type of testing typically involves a comprehensive analysis of publicly available information about the target, a network enumeration phase where target hosts are identified and analyzed, and the behavior of security devices such as screening routers and firewalls are analyzed. Vulnerabilities within the target hosts are then identified, verified and the implications assessed.

2. Internal Security Assessment follows a similar methodology to external testing, but provides a more complete view of the site security. Testing will typically be performed from a number of network access points, representing each logical and physical segment. For example, this may include tiers and DMZ's within the environment, the corporate network or partner company connections.

3. Application Security Assessment is designed to identify and assess threats to the organization through bespoke, proprietary applications or systems. These applications may provide interactive access to potentially sensitive materials, for example. It is vital that they be assessed to ensure that, firstly, the application doesn't expose the underlying servers and software to attack, and secondly that a malicious user cannot access, modify or destroy data or services within the system. Even in a well-deployed and secured infrastructure, a weak application can expose the organization’s crown-jewels to unacceptable risk.

4. Wireless/Remote Access Assessment (RAS) Security Assessment addresses the security risks associated with an increasingly mobile workforce. Home-working, broadband always-on Internet access, 802.11 wireless networking and a plethora of emerging remote access technologies have greatly increased the exposure of companies by extended the traditional perimeter ever further. It is vital that the architecture, design and deployment of such solutions is secure and sound, to ensure the associated risks are managed effectively.

5. Telephony Security Assessment addresses security concerns relating to corporate voice technologies. This includes abuse of PBX's by outsiders to route calls at the targets expense, mailbox deployment and security, voice over IP (VoIP) integration, unauthorized modem use and associated risks.

6. Social Engineering addresses a non-technical kind of intrusion; it relies heavily on human interaction and often involves tricking other people into breaking normal security procedures. Social engineering usually involves a scam; trying to gain the confidence of a trusted source by relying on the natural helpfulness of people as well as their weaknesses, appealing to their vanity, their authority and eaves dropping are natural techniques used. Other techniques involve searching refuse bins for valuable information, memorizing access codes by looking over someone's shoulder, or taking advantage of people's natural inclination to choose passwords that are meaningful to them but can be easily guessed.

Project Deliverables:
A penetration test will involve the systematic analysis of all the security measures in place. A full project should include some or all of the following areas, with the exact requirements being agreed in a formal scoping document prior to project commencement:

Network Security
  • Network Surveying
  • Port Scanning
  • System Identification
  • Services Identification
  • Vulnerability Research & Verification
  • Application Testing & Code Review
  • Router Testing
  • Firewall Testing
  • Intrusion Detection System Testing
  • Trusted Systems Testing
  • Password Cracking
  • Denial of Service Testing
  • Containment Measures Testing
Information Security
  • Document Grinding
  • Competitive Intelligence Scouting
  • Privacy Review
Social Engineering
  • Request Testing
  • Guided Suggestion Testing
  • Trust Testing
Wireless Security
  • Wireless Networks Testing
  • Cordless Communications Testing
  • Privacy Review
  • Infrared Systems Testing
Communications Security
  • PBX Testing
  • Voicemail Testing
  • FAX review
  • Modem Testing
Physical Security
  • Access Controls Testing
  • Perimeter Review
  • Monitoring Review
  • Alarm Response Testing
  • Location Review
  • Environment Review
 
Penetration Testing
Net Admission Control
Intrusion Detection
VPN / Remote Access
Firewalls
Malware Prevention
Event Management
 
 
  © 2006 INTEGRACON TECHNOLOGIES info@integracon.com : 865.330.2323