Penetration Testing Services
IT Security Services
A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker, or Cracker.
What is the difference between a Pen Tester and a Hacker?
- Pen testers have prior approval from Senior Management. Hackers have prior approval from themselves.
- Pen testers' social engineering attacks are there to raise awareness. Hackers' social engineering attacks are there to trick the DMV into divulging sensitive information about the whereabouts of their estranged ex-spouse.
- Pen testers' war driving = geeks driving cars with really long antennas, license plate reading "r00t3d", while dyeing their hair green, looking to discover the hidden, unapproved networks your users thought it would be OK to install for you. Hackers' wireless war driving doesn't happen so often because 14-year-olds typically don't have their license yet.
- Pen testers have pink mohawks and wear trenchcoats in July. Hackers have pink mohawks and wear trenchcoats... that they bought with your bank account info.
Vulnerability Assessment:
- Typically general in scope and includes a large assessment.
- Predictable. (I know when those darn Security guys scan us.)
- Unreliable at times, with a high rate of false positives. (I've got a banner)
- Invites debate among System Admins.
- Produces a report with mitigation guidelines and action items.
Penetration Testing:
- Focused in scope and may include targeted attempts to exploit specific vectors (both IT and physical).
- Unpredictable by the recipient. (Don't know the "how?" and "when?")
- Highly accurate and reliable. (I've got root!)
- Penetration Testing = Proof of Concept against vulnerabilities.
- Produces a binary result: either the team owned you, or they didn't.
Scope of Penetration Testing
- Targeted Recon.
- Social Engineering
- Physical facilities audit
- Wireless War Driving
- Dumpster Diving
Why Bother?
- Active pen-testing teaches you things that security planning will not
- What are the vulnerability scanners missing?
- Are your users and system administrators actually following their own policies?
- A host that claims one thing in the security plan but is totally different in reality
- Audit Physical Security
- Just what is in that building no one ever goes in?
- The strongest network-based protections are useless if there is an accessible unlocked terminal, unlocked tape vault, etc.
- Raises security awareness
- I better not leave my terminal unlocked because I know that those security guys are lurking around somewhere.
- Helps identify weaknesses that may be leveraged by an insider threat or accidental exposure.
- Provides Senior Management a realistic view of their security posture
- Great tool to advocate for more funding to mitigate flaws discovered
- If I can break into it, so could someone else!