A penetration test determines how well your organization's security policies protect your assets by trying to increase access to your network and information assets in the same way a hacker would. Tests can range from an overview of the security environment to attempted "hacking" with the intent of obtaining investigative information.
A penetration test subjects a system to real-world attacks selected and conducted by our security staff. The benefit of a penetration test is to identify the level to which a system can be compromised before an actual determined attack. Our test results will either show you where you to need enhance your security, or let you know that you should sleep better at night. Only a real penetration test can simulate what would happen if a determined hacker were to attack your organization.
Since we have deep expertise in attacks and exploits used against mission critical assets. In fact, the Our attack database contains just over one billion attacks that we have prevented. This means that when we conduct a penetration test on your network, we know what attacks are out there, and which are the most commonly used against institutions like yours. Our tests are finely tuned using this unique expertise and this translates into a more focused, cost effect penetration test.
Web Infomatrix will perform thorough searches of the various whois databases, scan tools, etc, to obtain as much information as possible about the target organization. These searches often reveal many more Internet connections than the organizations expect. It is also important to leverage Usenet postings and Social Engineering tactics (if in scope) - many organizations are amazed by how willing their employees are to divulge information that is useful to an attacker.
Once specific domain names, networks and systems have been identified through discovery, the penetration tester will gain as much information as possible about each one. The key difference between discovery and enumeration is the level of intrusiveness. Enumeration involves actively trying to obtain user names, network share information and application version information of running services, limited only by agreed-upon rules of engagement and scope.
Vulnerability mapping, one of the most important phases of penetration testing, occurs when security practitioners map the profile of the environment to publicly known, or, in some cases, unknown vulnerabilities. Web Infomatrix has a dedicated research department, which is constantly combing the blackhat community for new and emerging vulnerabilities. The tester's most critical work is performed during the discovery and enumeration phase.
The exploitation phase begins once the target system's vulnerabilities are mapped. The penetration tester will attempt to gain privileged access to a target system by exploiting the identified vulnerabilities. The key to this phase is manual And Automation testing. Our Automation Tools Included Indrusties Leading Commercial Tools Like Core Impact, Immunity Canvas..Etc,
Web Infomatrix's penetration testing helps safeguard your organisation against failure And Data-base Loss, through:
How You Can Benefit from Penetration Testing
Penetration testing provides detailed information on actual, exploitable security threats. By performing a penetration test, you can identify which vulnerabilities are critical, which are insignificant, and which are false positives. This allows you to intelligently apply patches and allocate security resources when and where they are needed most.
Recovering from a security breach can cost millions due to IT remediation efforts, lost employee productivity and lost revenue. Penetration testing allows you to prevent this financial drain by identifying and addressing risks before security breaches occur.
Penetration testing helps to satisfy the auditing/compliance aspects regulations such as GLBA, PCI, HIPAA and Sarbanes-Oxley. The detailed records that penetration tests provide can help to avoid significant fines for non-compliance.
Even a single incident of compromised customer data can be costly. Penetration testing helps you avoid data incidents that put your organization's goodwill and reputation at stake.
Penetration testing can both evaluate the effectiveness of existing security products and build the case for proposed investments.
Satisfy prerequisites for cybersecurity insurance
Penetration testing is fast becoming a requirement for obtaining cybersecurity insurance coverage.Technical Information
Web Infomatrix provides penetration testing services that scope and test your network using sophisticated testing software and methodology - A blend of best practice and proprietary process. This includes manual testing techniques, automated tools to discover vulnerabilities and the use of any existing compromised systems to gain further access in the network.
Due to the large number of varied components in an average corporate network, penetration testing needs to be carried out in a few different ways. Three such methods that are commonly used are, Light perimeter testing (External testing from a remote location), Full perimeter testing (External testing from within the DMZ) and Internal testing (On-site testing).
It is also known as external testing from a remote location, in which the tester has no knowledge of the internal infrastructure to be tested and starts the tests with the lowest level of access to the application servers.
The light perimeter penetration test is a full scope attack against client computing resources available via the internet. This includes systems such as web servers, mail servers, routers, firewalls, and other network assets. External penetration tests utilize multiple phases during the attack to determine the variety of information. The goal of the test is conclusive identification of those vulnerabilities that could allow an attacker to gain unauthorized access to components within the clients network. These vulnerabilities are then used as a toe hold to further compromise the network and gain as much access to the clients network as possible.
It is also known as external testing from inside the DMZ with accessible internal systems in which the tester has no knowledge of the internal infrastructure to be tested and starts the tests with the lowest level of access to the application / servers.
The full perimeter penetration test is a full scope attack against client computing resources available via the internet and intranet. This includes systems such as web servers, mail servers, routers, firewalls, and other network assets. Full perimeter penetration tests utilize multiple phases during the attack to determine the variety of information. The goal of the test is conclusive identification of those vulnerabilities that could allow an attacker with internal access to escalate privileges and gain access to components requiring higher authority within the clients network.
It is also known as On-site testing in which the tester has complete knowledge of the infrastructure to be tested. The tester also has physical access within the network to test the internal components of the network over the intranet.
Internal or on-site penetration testing is a fixed duration attack against client computing resources. The test examines those networks and computing assets that are accessible only from the inside of the organisation and may include various routers, firewalls, network devices, servers and workstations. The goal of the test is to use the internal access to the network to escalate privileges within the network.
The scoping process will define the target system(s) that will be considered during the penetration testing. This will define the boundaries, objectives and the validation of procedures. Defining the target system(s) is crucial in many ways - legally, resourcefully, and financially.
Web Infomatrix will perform thorough searches of various search engines, DNS records, WHOIS databases, scan tools and other sources to obtain as much information as possible about the target network. The aim of this process will be to try and identify as many internal systems, firewalls, mail servers, VOIP servers and other entry ways as possible including employee systems. Social engineering tactics, if within the scope will also be employed in an attempt to get employees to divulge information that is useful for the attack process.
Once specific domain names, networks and systems have been identified through scoping and target discovery the penetration testing team will gain as much information as possible about each part of the network. The process of enumeration will involve invasive discovery methods on each one of the systems with the aim to obtain usernames, application version information of services and applications and network share information limited only by the rules of engagement and scope agreed on.
The human firewall, sometimes becomes the weakest link in the most secure networks. Social engineering tests the human front by attempting to gain access to an organisation and its assets by tricking key personnel over communication mediums such as telephone, email, chat, bulletin boards etc. Some of the techniques used will be:
This process involves mapping the profile of the environment to publicly known, private and unknown vulnerabilities. The researchers at Security Brigade constantly work on discovering and cataloging new unknown vulnerabilities that could affect our clients. The mapping process allows the tester to short list the huge database of vulnerabilities to the most relevant ones for that particular network environment. This phase allows the creation of an agenda for the exploitation process.
The exploitation phase begins once the target systems vulnerabilities are mapped. The penetration tester will attempt to gain privileged access to a target system by using the exploits mapped for the identified vulnerabilities. The key to this phase is manual testing, which allows an attacker to ensure each exploit is applied accurately for that environment.
Once the exploitation process is complete, the tester uses the newly gained privileges as a platform for repeating the process of Target discovery, Enumeration, Social engineering, Vulnerability mapping and exploitation. This privileged platform allows the attacker to gain further access into the network that was not attainable from the outside. This step is repeated over and over again until the tester reaches a point where further compromise is not possible.
Web Infomatrix works with you to develop a report that will provide a clear and prioritized matrix of actions, work efforts and findings. A preliminary draft report will be provided to the technical point of contact for the purpose of review and clarification followed by a final report at the end of testing. The report will include the following
Along with the report Web Infomatrix will provide support for a year after the test to help the internal development team understand, fix and re-check the issues in the report.
Web Infomatrix's Penetration Testing service can meet the requirements of many standards and guidelines in relation to information security. Our Penetration Testing team has working knowledge of the following standards and attempt to exceedingly meet thier requirements.
The Payment Card Industry (PCI) Data Security Requirements were established in December 2004, and apply to all Members, merchants, and service providers that store, process or transmit cardholder data. As well as a requirement to comply with this standard, there is a requirement to independently prove verification.
ISACA was established in 1967 and has become a pace-setting global organisation for information governance, control, security and audit professionals. Its IS Auditing and IS Control standards are followed by practitioners worldwide and its research pinpoints professional issues challenging its constituents. CISA, the Certified Information Systems Auditor is ISACA's cornerstone certification. Since 1978, the CISA exam has measured excellence in the area of IS auditing, control and security and has grown to be globally recognized and adopted worldwide as a symbol of achievement.
The CESG IT Health Check scheme was instigated to ensure that sensitive government networks and those constituting the GSI (Government Secure Intranet) and CNI (Critical National Infrastructure) were secured and tested to a consistent high level. The methodology aims to identify known vulnerabilities in IT systems and networks which may compromise the confidentiality, integrity or availability of information held on that IT system. In the absence of other standards, CHECK has become the de-facto standard for penetration testing in the UK. This is mainly on account of its rigorous certification process. Whilst good it only concentrates on infrastructure testing and not application. However, open source methodologies such as the following are providing viable and comprehensive alternatives, without UK Government association. It must also be noted that CHECK consultants are only required when the assessment is for HMG or related parties, and meets the requirements above. If you want a CHECK test you will need to surrender your penetration testing results to CESG.
The aim of The Open Source Security Testing Methodology Manual (OSSTMM) is to set forth a standard for Internet security testing. It is intended to form a comprehensive baseline for testing that, if followed, ensures a thorough and comprehensive penetration test has been undertaken. This should enable a client to be certain of the level of technical assessment independently of other organisation concerns, such as the corporate profile of the penetration-testing provider.
BS 7799 Part 1 was a standard originally published as BS 7799 by the British Standards Institute (BSI) in 1995. It was written by the United Kingdom Government's Department of Trade and Industry (DTI), and after several revisions, was eventually adopted by ISO as ISO/IEC 17799. ISO/IEC 17799 was most recently revised in June 2005 and was renamed to ISO/IEC 27002 in July 2007. The BS 7799-2 focused on how to implement an Information security management system (ISMS), referring to the information security management structure and controls identified in BS 7799-2, which later became ISO/IEC 27001. The 2002 version of BS 7799-2 introduced the Plan-Do-Check-Act (PDCA) (Deming quality assurance model), aligning it with quality standards such as ISO 9000. BS 7799 Part 2 was adopted by ISO as ISO/IEC 27001 in November 2005. BS7799 Part 3 was published in 2005, covering risk analysis and management. It aligns with ISO/IEC 27001.
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. Administrative Simplification (AS) provisions of HIPPA, require the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. The AS provisions also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the US health care system.
The Open Web Application Security Project (OWASP) is an Open Source community project developing software tools and knowledge based documentation that helps people secure web applications and web services. It is an open source reference point for system architects, developers, vendors, consumers and security professionals involved in designing, developing, deploying and testing the security of web applications and Web Services.