Penetration testing is a high-value security assessment used by commercial and non-commercial entities worldwide to measure the strength of various protection mechanisms. Without implanting any watertight external or internal network defences could raise a serious flag on confidential business information. Penetration testing is a widely accepted method for testing the network infrastructure and applications to identify security weaknesses which could be exploited by malicious adversary.
Cipher Storm testing methodology help the organizations to locate and correct the network centric threats at their defences and provide comprehensive advice and guidelines to reduce the chances of further vulnerabilities. Our unique set of test designs has a series of controlled attacks which emulate the real life threats and techniques in order to provide list of vulnerabilities, weaknesses and exposures based on the current network infrastructure. Threat modeling can be advantageous at this stage as it can identify priorities for penetration testing.
1. External Penetration Testing (Black-Box Testing)
External pen-testing is conducted from a remote location under multiple phases in order to determine variety of information. Our consultants apply the up-to-date techniques, technologies and information sources as those of used by genuine hackers to mitigate the identified risks and use remediation procedures. The results are properly assessed and interpreted into business risk context. An optional ‘social engineering’ could be chosen to add important human-factor security assessment.
2. Internal Penetration Testing (Focused Testing)
Internal assessment could be achieved by on-site penetration testing. This involves fixed duration to assess the client’s network resources. As most of today’s organizations assume that their workplace is completely legitimate and therefore their internal systems could not be perpetrated. But as per most statistics which has a proven record for two-third of network attacks which are only insider based. These attacks could lead some serious problems such as loss of trade secrets, reputational damage or even breach of legal obligations. Our qualified consultants are experienced in developing scenario-based testing to judge the internal security.
Scoping
The scoping process helps defining the systems or network boundaries, objectives and their validation procedures involved in the penetration testing.
Information Gathering
This process will gather detailed information about the target network from variety of publicly available sources, such as, newsgroups, search engines, forums and WHOIS database. The aim of this process is to learn more about target network design and implementation.
Target Identification
During this phase of engagement, Cipher Storm consultants will identify as many as possible internal systems, mail servers, firewalls, web servers, IDS/IPS(s) etc. This phase identifies the entry points which can be used as potential avenues to be exploited by malicious users and intruders.
Target Enumeration
Once the information gathering and target identification phase has been rectified. Target enumeration moves a step further in order to fully identify the exact network topology, operating systems with their patch levels, application versioning, open and close ports on target systems.
Vulnerability Mapping
This phase of engagement mainly deals with the profiling of target environment for known, private and unknown vulnerabilities. Technically, it is divided into two phases:
- Vulnerability Identification
Based on the comprehensive results from target enumeration process, Cipher Storm consultants will identify and assess the vulnerabilities for the target environment. These vulnerabilities may present due to improper application configuration, bad security practices or unresolved firmware or software issues. Our team holds specialized toolset, scripts and the practical experience of security vulnerabilities.
Prior to the real-world exploitation process, Cipher Storm consultants will seek thoroughly and carefully examine the vulnerabilities that may cause hazards to the production environment. Vulnerabilities discovered in client’s communication infrastructure enable our team to prepare and advice mitigation procedures.
Exploitation
At this final stage of penetration testing, client’s infrastructure will be assessed against severe security flaws by measuring the high-risk vulnerabilities and the consequences of exploitation. Penetration engineer will attempt to gain access using the set of exploits mapped with the vulnerabilities found before, to ensure that each exploit is suitable under target environment.
In-depth Privileges
Once the target has been exploited and acquired. We can use this privileged platform to launch further attacks into the network that was inaccessible from outside. Our consultant will repeat the process of target identification, enumeration, vulnerability mapping and exploitation again and again until the network-point where further compromise is not possible.
Social Engineering
As a crucial part of penetration testing process, it is sometimes important to measure the human factor as being the weakest link for any corporate security. Social engineering methods employed by Cipher Storm tricks the user through email, phone, forum or newsgroups to find the information about target organization.
Previous | Next
