If any part of your business network is connected to the Internet, then the information your business handles is within the reach of hackers and cybercriminals. For this reason, the Payment Card Industry Data Security Standard (PCI DSS) requires that your IT network undergo a penetration test. Because the network penetration test is, at minimum, an annual event and because it involves a human resource, you want to be sure that the vendor you’re hiring is worth its salt.

Selecting the appropriate penetration testing vendor involves asking the right questions to properly vet the security testing tools, methods and experts they employ:

Question 1

1. How does the penetration test differ from other types of security testing – such as a vulnerability assessment? Although you will already know the answer to this question, it should still be asked to ensure that the prospective vendor can articulate the differences which make penetration testing unique. Beware of any vendor that uses the words “penetration” and “scans” interchangeably, or claims that their penetration testing process is fully automated.

Question 2

2. What is your process for performing the penetration test? Penetration testing methods and techniques often differ slightly from organization to organization, but some core activities are common across all penetration tests. Even if they do not use a defined methodology, the vendor should be able to provide a straightforward outline of the steps involved and which tools are used at each step in the process.

Question 3

3. Do your testers hold industry standard certifications? It’s important to know that the individuals conducting your test are knowledgeable and remain up-to-date on security trends. Find out which certifications are held by the team. There are a variety of certifications which demonstrate knowledge in information security and technology in general, but penetration testers often hold certifications such as CEH, CISSP, GPEN and GWAPT. Keep an eye out for skills-based certifications such as the OSCP, which are becoming highly prized in the information security community.

Question 4

4. How will you protect my data during and after testing? Find out how the tester will secure your data during the test and throughout delivery. If devices will be shipped to your location or testers will be visiting with laptops, ensure that disk-based encryption is being used to protect data obtained during the test. When it’s time to deliver the final report, your tester should also offer a secure method for its delivery. Confidential data, including test reports, should never be sent via email; secure FTPs or secure file-sharing sites that use SSL should be employed.

Question 5

5. How will you ensure the availability of my systems and services while the test is taking place? Because penetration tests are actual attacks against your systems, it is impossible to guarantee uptime or availability of services throughout the test. However, most testers have some idea of whether or not a particular attack will bring down your system or “hang” a service. (You can also assist your tester by alerting them to any legacy or otherwise less-than-robust systems on your network.) The ideal penetration testing vendor will work closely with you to address operational concerns and monitor progress throughout the process.


January 31, 2016

Any experienced Pentester will tell you that the enumeration and reconnaissance phases of a Penetration Test are probably the most important parts of any Security Assessment. The problem many Pentesters face these days is the sheer volume of different tools available and deciding which one(s) to use.

Thankfully there is an answer for the Enumeration Phase. A great tool with a nice GUI has been developed and, best of all, it’s absolutely free and has been integrated into Kali Linux 2.0. Of course it can also be downloaded as a standalone tool on GitHub.

It’s called Sparta: https://github.com/SECFORCE/sparta

It is an extremely powerful tool which goes beyond NMAP, SMTP, SNMP, NetBIOS, FTP etc. and also includes fancy tools like dirbuster and other nice Web Assessment tools, all through a single user interface.

Enjoy!


January 28, 2016

Today we would like to introduce a website which offers a neat collection of very useful Penetration Testing Tools, from Web Shells and reverse shells to useful scripts and enumeration tools. We highly recommend that Penetration Testers and Ethical Hackers add them to their portfolio.

http://pentestmonkey.net


5 most scary Pentests of 2015

Author: Martin Voelk
December 18, 2015

2015 was a great year with a lot of new customers and exciting projects. We often get asked what sort of information we are able to retrieve in a typical Penetration Testing engagement with customers. The answer is: Scary stuff! We have compiled a small list of the top 5 Ethical breaches on our 2015 engagements.

Customer 1

This customer is an airport and asked us to do a full scale Penetration Test. The scariest part was being able to control all CCTV, alarm systems and sprinkling systems. It was challenging but through pivoting through a lot of different networks we were able to gain full control. Needless to say the management was impressed and scared at the same time.

Customer 2

This customer from the retail space already had hardened defenses in place, so we turned attention towards individual board members. Social engineering allowed us to receive very sensitive information from top ranking CXOs. The customer was speechless and has since employed new strategies to tackle social engineering attacks.

Customer 3

A customer who had a suspicion of being hacked engaged us for forensic analysis. We discovered a full scale breach where attackers had set up RSPAN sessions to mirror almost all traffic out to an attacking server via a VPN. We don’t often see such sophisticated attacks but all their traffic had been eavesdropped for almost 2 months.

Customer 4

Ransomware. Crypto Wall. Nothing special really except that it was the laptop of a high net worth CEO. We always recommend NOT to pay ransom. Fortunately enough he had a lot of Microsoft restore points and we were able to recover a clean point with only a few days of lost data.

Customer 5

A financial client who runs a high profile subscription service to clients. They noticed that subscription rates had dwindled over the months and suspected a breach. They engaged us to investigate. We found username and login pairs for the expensive service on the Dark Web and pastebin.com. The client has since moved to a 2 factor authentication mechanism.