Security Threat Advisory
Looking Glass
FireEye
Governance Risk and Compliance
Governance / Risk / Compliance
Strategic Consulting
ADSIC
FISMA
ISO 20000 ITSM
ISO 22301 BCMS
ISO 27001 ISMS
PCI DSS
Information Security Review

Data & App Security

Database Security & Protection Data Encryption & Control Enterprise Digital Rights Management Data Vulnerability Assessment Application Protection Vulnerability Assessment & Penetration Testing Web Application Firewall Data Governance

Network Security

Network Access Control Next Generation Firewall Email Security Network IPS Web Gateway Next Generation APT Next Generation DDoS Mitigation Smart DDI

Security Operation & Response

Governance Risk & Compliance Cyber Security Transaction Monitoring Compromised Card Monitoring Incident Response & Orchestration Encrypted Calls and Messaging Travel Risk Management & Crisis Avoidance Anti Phishing Services

User Security

Identity Management Single Sign On Two Factor Authentication Privileged User Password Management Insider Threat Management Endpoint Security Management Endpoint Detection & Remediation Employee Monitoring Tool

Infrastructure Security

Virtual Security SCADA Security Mobile Device Management Public Key Infrastructure Certificates

Policy & Compliance Management

NETconsent Compliance Suite File Integrity Monitoring, Network Configuration, and Compliance

Penetration Testing

During penetration testing (known as pentesting), auditors act like external attackers would: they try to bypass protection measures and break into a company’s network. They detect hidden system flaws and evaluate the potential impact on operations if those flaws were exploited by real attackers. In addition to a thorough technical analysis of the customer’s security tools, the assessment may also evaluate the level of IT security awareness among company staff.

The experts at Positive Technologies have conducted hundreds of penetration tests on a wide range of systems for clients ranging from banks and telecom companies to utilities and government agencies. Typical penetration testing activities carried out by our team include:

Attempting to hack the web interface of an e-banking system prior to full-scale deployment
Employing social engineering to test staff awareness following a security training program
Trying to gain unauthorized access to an internal corporate network by targeting vulnerabilities such as default system settings, misconfigurations, or weak passwords

External vs Internal Penetration Testing

Penetration testing can be conducted with or without the knowledge of key information security personnel, such as system and network administrators. Performing a simulated attack without warning these employees will give senior management a true picture of the effectiveness of their existing security measures. However, if server and network equipment has been poorly configured or security teams respond badly to the simulated attack, this kind of "unannounced" testing could cause disruption to normal network operations.

For this reason, penetration tests are often subdivided into external and internal stages. First, our experts try to hack the perimeter, for example, by installing malware on workstations. If this external stage is successful, then they will coordinate with system administrators before beginning an assessment of measures to counteract an internal attack.

Technical Penetration Testing

A technical penetration test identifies existing vulnerabilities in your IT infrastructure and provides practical evidence of whether they can be exploited. The following are typical steps performed by Positive Technologies experts during this testing:

Gather information about your network using the same sources of information available to attackers (Internet, news, conferences)
Map your network and determine the types of devices, operating systems, and applications by their reaction to an external stimulus
Identify vulnerabilities in your network services and applications
Analyze web-client applications to detect vulnerabilities using automated tools and manual methods including SQL injection, cross-site scripting, content spoofing, OS commanding, incorrect configuration authentication, authorization mechanisms, etc.
Attempt to exploit found vulnerabilities using relevant methods and tools

With permission, attempt to gain security control of wireless networks
With permission, check the safety of the outer perimeter and open resources against attacks such as denial of service
Assess the degree of security of network elements and possible damage during the most intrusive attack scenarios
Check the strength of the network against attacks on the link layer; perform simulated attacks on the STP, VTP, CDP, and ARP link-layer protocols
Analyze network traffic to obtain sensitive information (passwords, confidential data, etc.)
Check stability of routing; model and rig routes for Denial of Service attacks against the routing protocol
Verify ability to gain unauthorized access to confidential information
Verify ability to access permissions to various information resources with the privileges obtained at various stages of testing

Sociotechnical Penetration Testing

In many networks, ordinary users are the weakest link. Attackers who can manipulate your employees may be able to gain control of workstations from which they might access confidential documents, data, or customer accounts; post malicious content on your websites; conduct spam or phishing activities using your customer contacts; use your network resources to launch attacks on other companies’ systems or restrict your ability to do everyday business.

Positive Technologies can use social engineering techniques to identify your staff’s level of security awareness and gauge their reactions to hacking techniques such as phishing and pharming. As well as identifying areas of security that need immediate attention at your organization, this service can be especially useful for testing the effectiveness of recent awareness training. Our testing is typically targeted at selected user groups, with different test scenarios applied to different groups. These may include:

Sending email/instant messages (IM) from anonymous users and employees of your company with links to web resources or containing executable code such as a request to change passwords, send passwords or personal information
Conduct random inspections of "clean desk" policies (such as workstations left unlocked and unattended, sticky notes with passwords, and confidential documents in a work area available to unattended visitors)

A Comprehensive Approach

To truly act like external attackers, our testers combine the information gathered in both technical and sociotechnical penetration tests to demonstrate how hackers can piece together weaknesses to circumvent your existing security mechanisms, escalate network privileges, gain access to confidential information, modify your DBMS, or persuade users to sidestep compliance with existing security policies.

Results

The key deliverable from our penetration testing services is a report detailing:

Test methodology
Weaknesses identified within your information security systems
Explanations for all identified vulnerabilities
Conclusions regarding the level of security awareness among users and overall network protection
Descriptions of the main areas of concern, including information regarding the activities of users in each target group
Recommendations to mitigate identified vulnerabilities