NETWORK PENETRATION TESTING

Service Description

Penetration testing involves the enumeration of vulnerabilities and risks that are accessible from the Internet – from the “hacker’s perspective” – and includes expert manual validation and penetration testing. CAG starts by using a variety of best-of-breed scanning tools to harvest vulnerability data. Our experts then validate all results to eliminate false positives and uncover any other vulnerabilities that may have initially escaped detection. To the extent possible (without damaging systems or data), identified vulnerabilities are exploited to assess their real severity, the level of exposure they may allow and the potential impact of a breach. 

Our Methodology

Targets of this assessment include servers, applications (without credentials – see note), firewalls, routers, load balancers, VPNs, and any other perimeter or Internet-facing information assets. Protection measures are evaluated in terms of their ability to maintain the confidentiality, integrity and availability of networks, systems, applications and data. As part of the PSA, penetration testing (without credentials) is performed on critical applications. 

The types of security issues identified during the PSA include SQL injection, URL injection, CSRF injection, directory traversal, auth vulnerabilities, AJAX vulnerabilities, insecure direct object references, security misconfigurations, sensitive data exposure, missing function level access controls, buffer overflows, missing patches, vulnerable versions, insecure credentials, and many others. Goals for the exercise include unauthorized access and privilege escalation as well as an analysis of availability (DOS) risks. 

Note: For in-depth, credentialed and uncredentialed testing of applications see our Web Application Security Assessment. 

Scope: The PSA will typically target two externally addressable systems. 

Our Deliverables

In addition to the usual status updates and meetings, CAG will deliver written drafts of the following material:
  • Penetration Testing Report complete with findings and recommendations

REQUEST MEETING