Tasks we can do, and the ways we will do them to give you the right confidence in the security of your system.
Tailoring the Tests
Your requirements – your business needs and acceptable risks – will of course shape what tests we apply and how deeply. Your end goals might include:
- Securing vital systems: identifying vulnerabilities and how they should be protected
- Understanding the risks against the costs of mitigating them
- Demonstrating compliance with specific standards or regulations such as PCI DSS
From these we will define and agree the testing scope
- Based on established checklists such as OSSTMM and/or compliance requirements
- Network extent (e.g. project subnets, enterprise-owned networks, external carriers & VPNs, overlaid protocols such as DDS, external repositories and registries.
- Device types (e.g. PCs, firewalls, telephones, SCADA)
- Applications (e.g. locally installed apps, web servers, remotely accessed, bespoke,
development libraries, etc) - Staff users (e.g. general & targeted phishing, USB trojans, browsing access, etc)
- Depth of penetration, to avoid breaking systems
Results should be useful to you; we endeavour to communicate findings in business terms rather than just technical jargon, while ensuring they have enough technical detail that your system administrators can deal with them.
Executing Tests
Tests should not break systems inadvertently! We therefore take care to:
- Coordinate with your systems administrators and users to limit effects on operational systems, for example by running tests out of office hours
- Test representative systems, where possible, in suitable sandboxes which we can supply
- Review, inspect, discover and report instead where tests are risky
- Record and audit tests for reference against your own logs
- Comply with legal requirements, e.g. GDPR and Computer Misuse Acts
Tests are documented and, where suitable, automated, so that they can be repeated under controlled conditions and provide your administrators with the information they need to secure or mitigate the vulnerability.
As experienced programmers we can script or code bespoke tools to discover and test your particular situation, for example any bespoke service APIs, and to confirm mitigations work as expected when put in place.
We look not just for direct vulnerabilities but for messages and side channels – such as overly informative error messages – that expose details useful to an attacker.
The following sections describe some of the activities would carry out for different aspects of your systems. They are by no means exhaustive – test programmes will be based on established rigorous checklists – but give you a quick summary of the salient issues.
External Network Tests
- Work with your administrators to identify known access points: public IP points, web sites, cloud services, and wireless access points that leak off-site.
- Discover unexpected access points by reconnaissance and review.
- Scan ports and externally facing services and run standard pen tests (e.g. Nessus)
- Review and test VPNs and associated encryptions for remote access
- Apply both standard ‘scripted’ attacks (e.g. Metasploit) and bespoke crafted attacks as suitable
- Review and test ‘poison’ attacks through, for example, DNS and code/update repositories
- Review and test DOS defences
- Review and test for side-channel leaks (e.g. company information that could be useful in an attack, or identifying company traffic on a public wireless)
Internal Network Tests
To test in-depth defences and identify supernet/subnet interface vulnerabilities, we can:
- Work with your administrators to map the actual network topology against the expected one: identifying gateways, actual data paths, service traffic, etc
- Check compliance with expected legal and security requirements
- Review password rules and test that they are enforced and passwords
- Verify monitoring is in place to scan network traffic and successfully raises alerts when triggered
- Review compartmentalisation practices; can application/system accounts access unauthorised storage, devices or applications. Spot checks for representative test accounts
- Review air gapped processes for sneaker-net failures (viz Stuxnet)
Web Service Tests
To test vulnerabilities of web servers and web applications, we can:
- Review and test standard vulnerabilities for the server and any content management apps
- Check default admin passwords/logins have been changed
- Test login failures lock access appropriately
- Verify only suitable http methods (eg GET, not PUT) are available
- Check cookies do not contain sensitive information
- Test against SQL injections, special characters, buffer overflows using standard tools
User Tests
To test user behaviour that creates vulnerabilities to attacks, we can:
- Craft standard or ‘spam’ emails to be sent to mailing lists that can be company-wide, limited to departments or projects, randomly selected samples, or dummy addresses to test automatic defences
- Check that such email traffic is blocked, marked or alerts generated as appropriate
- Record and alert inappropriate responses
- Craft targeted ‘spear phishing’ email using real details to check staff response behaviour: recognising the attack, reporting it, and appropriate timely SOC response
- Organise ‘spam’ and targeted telephone calls as above
- Lay out USB drives and other tempting devices
- Check on-site pass visibility and challenge frequency
Sundry Checks
- Review discarded equipment process
- Staff car and personal pass displays in public
- Public systems poisoning
- Fallback failures to less secure systems (viz GPS)
Establish Routine Tests
The effectiveness of penetration tests can fade over time as staff changes and project priorities override security concerns. We can help you set up:
- Automated penetration tests
- Regular phishing emails to check and educate staff
- Physical protocols to encourage challenges and discourage, e.g. tailgating