Network Penetration Testing

Our Network Penetration Testing seeks to identify security weaknesses that could be exploited by motivated malicious individuals to gain unauthorized access to your systems, applications and network devices. Once vulnerabilities are identified we investigate further for issues that could then expose critical data or systems to an attack. 

Our goals for Network Penetration Testing are:

• Demonstrate the ability of an attacker to gain elevated access privileges on target applications or systems.
• Providing business impact by validating the ability of an attacker to gain access to confidential data.
• Providing actionable recommendations to alleviate or mitigate the issues identified.

Our Application Penetration Testing is focused on the application layer and may include other components (e.g., web server, application and database servers) depending upon the scope of the engagement. The types of applications that we specialize in are traditional web-based applications, web services, mobile applications and client-server applications. 

The Application Penetration Test reviews these major areas as well as using our extensive experience to identify vulnerabilities within an application:

• Fuzzing input and output validation controls
• Reviewing system and application component configurations 
• Assessing authentication and authorization components of the application

Our Wireless Penetration Testing assists in identifying security weaknesses exposed via your wireless clients and access points that could be exploited by motivated malicious individuals to gain unauthorized access to your internal systems, applications and network devices.  Areas reviewed are:

• Configuration of wireless access points and authorized clients
• Strength of encryption methods deployed
• Review the environment for rogue access points or wireless devices using the 802.11 wireless standards

Even without wireless access points deployed an attacker can target your mobile employees who have wireless enabled on their devices. This is due to the wireless client beacons for previously connected access points. We emulate the access point which they are attempting to connect and use this as a jump point into the network or use techniques to attempt to gather credentials from the wireless connected user.

For social engineering, we will obtain a list of telephone numbers and e-mail addresses from your designated point of contact. This list can be comprised of key targets such as HR and help desk personnel, application administrators and internal employees. Once this list is agreed upon we will seek to obtain sensitive information from these targets via direct calls or phishing styles of attacks. Other methods such as USB drops or carefully crafted malware web based attacks can be employed as well.

User Security Awareness Training

This class covers topics based on real world examples of compromise based on our in depth industry knowledge as well as techniques we use in our security assessments of people, systems, applications and networks. The goal of the training is to increase the attendees overall security awareness, empower the attendee with knowledge on detecting attacks and providing them with information on how to report suspicious activity.

Secure Application Development Training

To train your developers we use vulnerable applications that demonstrate the issues our consultants identify as common mistakes. Topics covered range from the OWASP Top Ten and other critical areas within application security. Through hands on exercises, attendees will gain an understanding of how to identify and remediate these issues in development code as well as applications that are currently in production.