Penetration Testing


Penetration testing is a non-cooperative effort to introduce security failure. Side-effects can be severe, including downtime and corruption or loss of data. These tests have the shortest shelf-life by far, providing a list of successfully-executed attacks into the system, but being unable to assess such issues as policy, procedure, or practice -- all critical components of overall information assurance. Penetration testing teams are known as "Red Teams" in military jargon.

Cyber Law Consulting's penetration tests involve several major steps. First, we get clear identification of the target and secure proper authorization from an executive sponsor of the organization involved. Next, the sponsor identifies areas of concern for providing priority to the testing within the defined scope. A set of tests is then constructed and performed, collecting data indicating success of penetration. Depending on the scope of the project, the testing phase is repeated, going a level deeper into the system with each successive pass. An initial report is then released to the sponsor, showing findings, and providing opportunity to raise questions or concerns. Last, a final report is issued, identifying which attacks were most successful against the areas of greatest concern to the sponsor, as well as the effectiveness of any defenses against the attack.

Being the ultimate test of whether the policy and technology are effectively addressing the needs of the organization, penetration tests are the final step of a comprehensive information assurance program. Information assurance is a process, the result of policy, technology, and procedure. Just as a runner cannot achieve success by skipping to the last mile of a marathon, an organization cannot test information security by skipping to the last step of an information assurance program.

The key benefit of penetration testing is that after the policy has been defined and assessed and after the systems have been evaluated, the sponsoring organization can evaluate its detection and response capability, ensuring that all of the components of the information security program are doing their parts in protection of the organization's assets.

Cyber Law Consulting consultants put their hacker hats on, work remotely from our offices and attempt to breach your internal and external network security via remote connectivity.

Findings of a Penetration Test

1. Can a hacker get to your internal systems and data from the Internet?
2. Can we simulate real-world tactics and identify what an automatic vulnerability scan misses?
3. Are your web-hosting site and service providers connected to your network as securely as they say they are?
4. Is your email traffic available for others to see?
5. Other Findings as per Requirement and Quotation.

How Do We Carry Out the Penetration Testing Process?

Reconnaissance
Identification of system assets, data and network components.

Enumeration
Determine the application and network level services in operation for all identified assets.

Research and Evaluation
Here we determine the vulnerabilities, bugs and configuration concerns with all systems. Flaws identified in any of these three areas can lead to system compromise.
Vulnerability Testing
Manual Service Analysis
Password Testing, etc.

Any other such method depending upon the Network Site

Reporting of a Penetration Test

1. Provide management with an understanding of the current level of security risk from Internet-accessible services.
2. Provide recommendations and enough detail to facilitate a cost-effective and targeted mitigation approach.
3. Create a basis for future decisions regarding IT strategy, requirements, and resource allocation.
4. Other detailed reports based on quotation and requirement.

 
 