Increase Your Defense with an Offense Approach

Understanding your weaknesses before you’re attacked is an important step in defending your network and data. During a penetration test we’ll simulate authorized attacks against your systems to uncover and identify weaknesses within your organization. We consider this a proactive approach for organizations to deal with the threats in their environment. These tests can be used to fulfill compliance requirements, like NYS DFS or PCI, or as a method to increase your organization’s security posture on a one-time or scheduled basis. Penetration tests are an integral part of establishing a cybersecurity program and an important function in protecting your critical assets.

A Strong Defense is Tested by a Good Offense

Key Benefits

  • Determine if you have critical assets at risk
  • Evaluate your exposed risk to internal and external assets
  • Remediation and clean-up efforts available if needed

Options

Our penetration tests come in different options, giving clients a wide variety of services and levels of granularity. This allows our customers the freedom to select the asset and location they’re looking to have tested within their defined scope.

Internal Penetration Test

Acting as an attacker or insider threat who’s gained access to your LAN, we’ll attempt to compromise systems, move laterally within the network and determine if data can be exfiltrated. By doing so we’ll determine vulnerabilities on the LAN and attempt to access critical systems and applications while emulating an attacker.

External Penetration Test

Mimicking an attacker from the internet, this test reviews external applications and systems to determine if there are exploitable weaknesses on your perimeter. This includes reconnaissance and discovery on assets exposed to the internet to identify any exploitable vulnerabilities and risks to your public presence.

Cloud Penetration Test

Many organizations are moving to the cloud, and this can bring unique challenges to your organization from a security standpoint. Working with our clients, we’re able to perform a comprehensive penetration test on cloud assets that focuses on the shared responsibility of the cloud. Depending on the cloud deployment and service model, we’ll work with your cloud service provider to evaluate the risks to your cloud infrastructure and data.

Our Approach

We take a phased and methodical approach when performing a penetration test. At CCSI we’re looking to uncover risks in your assets and information systems that leave your organization open to attack. In doing so we follow a six-step approach:

1. Confirmation of Scope

The first phase of the test consists of validating the scope of work and the rules of engagement for the test. This includes identifying internal stakeholders, in-scope assets, timeframes, approved contacts and expectations.

2. Reconnaissance

During the initial phase we collect data on the targets and gather information about your environment. This can include anything from IP addresses, email, hostnames, groups, and other organizational information.

3. Vulnerability Analysis

Based on our reconnaissance, we attempt to identify vulnerabilities on your systems, determine the best method of exploitation, and use this access for our benefit during the penetration test.

4. Penetration

During the penetration phase we’ll determine the best method to exploit the vulnerabilities and weaknesses found in your organization. This includes using open source techniques, commercial products and customized tools to gain access.

5. Post Exploitation

After a system has been penetrated, we’ll determine if faux data could have been exfiltrated, take screenshots of the access/data found, move laterally throughout the network, and use these systems as jump/cache boxes. This phase can be tailored to the client.

6. Reporting

A report of the penetration test is created that gives clients a detailed assessment of what occurred and the risks that were found that allowed us to gain access throughout that network. This includes the identified risks with a rating and recommended remediation efforts.

Purchase from Our OGS Contract

Visit our State Contract Page for more information

Target Assets

  • Network/Systems

    By gaining access to all systems residing in your environment, including network devices, operating systems and IoT systems, we identify the risks to your business by determining the control and sensitive data we’re able to access.

  • Applications

    We perform a full application/web penetration test that looks to identify vulnerabilities and weaknesses within your applications. We’ll attempt to determine risks and areas of the application where we’re able to access sensitive information. We review all the weaknesses in the current OWASP Top 10 and dig deeper into custom exploits and business logic abuse.

  • Mobile

    During a Mobile Application Penetration Test, experienced testers will review the application’s source code, threat models, and design documentation before performing a series of robust tests designed to emulate an attack. Once weaknesses have been revealed, you can take action to reduce some of the biggest risks associated with mobile computing and encourage good security practices across all devices.

  • Wireless

    Wireless technology is in most environments and can pose a serious threat to organizations if not secured properly. Due to the borderless nature of wireless, we attempt to determine how secure your data in transit is when using WiFi. During the test we’ll scope the wireless network, locate access points, perform a risk assessment and attempt to gain access to the wireless networks and endpoints on the network.

What Deliverables Do I Receive?

  • Summary of findings utilizing a risk-based approach and priority
  • Recommendations on remediating findings and weaknesses
  • Architecture reviews on improving infrastructure

To find out more, contact us today.