According to the Wiki page for Information Security, its definition is "the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, or destruction."
OK cool, but what exactly does that mean? How do we know if we are defending our information? And if not, what can we do to fix our defenses or improve them? I will answer that, but first know that cyber criminals are continually inventing new ways to gain access to your vital business information. And if you think you are safe because you aren't a "Home Depot" or a "Sony", think again. The average hack lasts 8-10 months and is performed against small businesses for the purpose of gaining sustained access to data, such as SSNs, credit cards, or medical records, that can be sold on what's known as the Dark Web. Our job is to make sure you are doing everything you can reasonably do to protect against these threats.
We will subject your computing environment to a multi-phase targeted penetration test and security audit. We will use industry-standard tools to employ attacks against your systems to see if they hold up. And yes, these are the same tools the bad guys use! You will sleep better at night knowing your system withstood the barrage of assaults we can throw at your I.T. infrastructure.
Phase one is knowing where and what to defend. We call this your attack surface, and it usually starts with simply your company name and website. Your attack surface is anything that a possible attacker can find on you, either by directly targeting you or by just happening across your systems' presence, such as a firewall, wireless access point, website, etc. From the attack surface a specific attack can be planned and implemented. We will take on the role of an attacker, find this information, then attempt to exploit it.
Phase two is analyzing in detail your public-facing and internal systems from the perspective of an attacker that has gained a certain level of access to your network via phase one. This phase involves a series of "discovery" scans to map out a network, expose vulnerabilities, and attempt to exploit them.
Phase three - the report. This is arguably the most important part and the one we take the most pride in. We will give you a detailed document outlining what was found, if and how it makes you vulnerable, and what you can do to fix it. They say information is power, and that's especially true regarding the protection of your data.
Phase four will follow up the report with assistance in remediation of the issues found, whether it be working side by side with your I.T. staff to resolve problems found or fully taking on that role ourselves and securing your network the way it should be, or recommending hardware and services you can implement to better protect your infrastructure. In addition, we can provide employee awareness training, which is especially useful after a successful social engineering campaign.
Each phase will involve one or more of the techniques listed below, but is not limited to those, and every audit can be customized to include only certain facets of a penetration test. For example, we can perform only a social engineering campaign, or only a recon of your public-facing systems and what's exposed to the world via the Internet.
- Mapping your attack surface. Showing you what an attacker can find by determining the number of publicly exposed assets.
- Attempting to gain access via any publicly facing services found.
- Performing social engineering campaigns that will employ cloned emails/websites from YOUR company and also common third-party companies that attackers employ to distribute malware.
- Drop Key hacks, which involve leaving USB thumb drives in various locations where employees may find them. The drives contain code that will alert us to their use.
- Physical penetration of your facilities. The old "see how far we can get in your building unnoticed" test. If we can get in and take a picture of your server room, that would need to be addressed.
- Network vulnerability scans and mappings to determine what you have, what services are running on your network, and what operating systems you have, as well as patch level and security configuration.
- Exploit vulnerable systems.
- Public facing information that may contain confidential or proprietary information.
- Vulnerable social media accounts.
- Exposed DNS name servers.
- Vulnerable web servers.
- Wi-Fi strength testing. Is your wireless device/key strong enough to withstand a direct brute force attack?
- Analyzing your current system security, including password policies, firewall policies, intrusion detection systems, content filters, etc.
- Mobile security, BYOD, and the Internet of Things.