Why is penetration testing important? You can’t fix what you don’t know is broken.
Discovering a leak only when some unauthorized visitor has taken advantage of it stinks.
Ask anyone who’s gone through it. Hackers might have slipped into your network to snoop around, nab confidential information, and/or cause havoc. Whatever the case, this is most definitely a situation that is better avoided.
At USENIX Enigma 2016, NSA TAO Chief Rob Joyce presented Disrupting Nation State Hackers. In this talk, he underlines the importance of knowing your network:
“You’d be surprised… about the things that are running on a network versus the things you think are supposed to be there. So what can you do to understand that exposure surface? RED team that network. Bring in pen testers. Poke and prod it, just like an adversary will do to find out what’s inside that space.”
In the same way that even the finest authors have copywriters and editors, external penetration testing gurus not only bring fresh eyes to a project, they are also completely unburdened by the many complexities that can exist within an organization. Combined with dedicated expertise in the latest tools and approaches for really seeing under the hood, this lets reputable penetration testing experts much more easily identify and rectify those seemingly invisible problems lurking in your network.
Sadly, there is no one-size-fits-all approach when it comes to penetration testing.
Sure, adopting a hacker’s perspective when reviewing your infrastructure is vital, but so is the methodology employed. At the most general level, it should include target identification, footprinting, and server and service identification.
Once detailed port and vulnerability scans are conducted, a good penetration testing team would select specific tools for the job, depending on the network setup, IT use cases, and the organization’s business goals.
In other words, a good penetration tester needs many years of experience and an up-to-date toolbox to tailor an approach befitting a specific organization, so make sure they have the credentials for the job before you hire by asking for recommendations, testimonials, and use cases.
It is best to use a phased approach to vulnerability management and penetration testing. We have perfected our methodology over many years and have come up with this approach, which is flexible yet comprehensive.
It starts by identifying the hosts to be included in the target of evaluation. Sometimes this information is provided up front. Other times, we must use technical means to discern the addresses of live hosts to test.
Once a detailed list of targets is obtained, they are port scanned to identify available services on each target.
Results from the enumeration step are then fed into our commercial vulnerability scanner, and an automated vulnerability assessment is performed with no impact on the operating environment where the targets are housed.
At this point, we perform automated and manual penetration testing, leveraging information already gleaned through the vulnerability scans, our operational knowledge of the environment we are working in, common manual hacking techniques, and the use of many additional tools (both open source and commercial) to attempt actual exploitation of known or perceived vulnerabilities.
Depending on the findings, the network configuration, and the business, an expert consultant may recommend a deep-dive penetration test against individual applications where added diligence is warranted or required. An application penetration test takes a more detailed look at the systems, architecture, and workflow of the application being tested.
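The gap Joyce describes, between what is running on a network and what is supposed to be there, can be measured directly from the output of the port-scan step. The following is an added example, not J.S. Held's tooling: it assumes the scan was run with nmap and saved in grepable (`-oG`) format, and the addresses, hostnames and `EXPECTED` inventory are constructed for illustration.

```python
import re

# Constructed sample: nmap grepable (-oG) output from the enumeration step.
SCAN_OUTPUT = """\
# Nmap scan initiated (constructed sample)
Host: 10.0.0.5 (web01)\tStatus: Up
Host: 10.0.0.5 (web01)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
Host: 10.0.0.9 (db01)\tPorts: 22/open/tcp//ssh///, 5432/filtered/tcp//postgresql///
Host: 10.0.0.23 ()\tPorts: 23/open/tcp//telnet///
"""

# Constructed sample: what the asset inventory says should be listening.
EXPECTED = {
    "10.0.0.5": {(22, "tcp"), (443, "tcp")},
    "10.0.0.9": {(22, "tcp"), (5432, "tcp")},
}

def parse_grepable(text):
    """Return {host: {(port, proto), ...}} for ports reported as open."""
    observed = {}
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) .*?\tPorts: ([^\t]*)", line)
        if not m:
            continue  # comment lines and Status-only lines carry no ports
        host, ports = m.groups()
        for entry in ports.split(","):
            # Each entry is port/state/protocol/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open":
                observed.setdefault(host, set()).add((int(fields[0]), fields[2]))
    return observed

def exposure_diff(observed, expected):
    """Compare what is running with what the inventory says should be there."""
    findings = {"unknown_hosts": [], "unexpected_services": [], "missing_services": []}
    for host in sorted(set(observed) | set(expected)):
        seen, want = observed.get(host, set()), expected.get(host)
        if want is None:  # host answers but is absent from the inventory
            findings["unknown_hosts"].append((host, sorted(seen)))
            continue
        findings["unexpected_services"] += [(host, *p) for p in sorted(seen - want)]
        findings["missing_services"] += [(host, *p) for p in sorted(want - seen)]
    return findings

if __name__ == "__main__":
    for kind, items in exposure_diff(parse_grepable(SCAN_OUTPUT), EXPECTED).items():
        print(kind, items)
```

A "missing" service here means only that the port was not reported open from the scanner's vantage point, so it points to either a filtering device or a stale inventory entry.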
We would like to thank Kevin Gorsline for providing insight and expertise that greatly assisted this research.
Kevin Gorsline is a Managing Director in J.S. Held's Global Investigations Practice who joined following J.S. Held's acquisition of TBG Security. For several years, Kevin served as the Chief Operating Officer and head of the Risk and Compliance practice at TBG Security, where he was responsible for providing the leadership, management, and vision necessary to ensure that the company had the proper operational controls, administrative and reporting procedures, and people systems in place to effectively grow the organization and to ensure financial strength and operating efficiency. His experience and leadership throughout his career have been focused on developing and delivering information security services and solutions, providing outstanding client service, and driving profitable revenue growth. Kevin brings established proficiency as an IT leader with extensive experience in risk and compliance services, applications development, and implementation projects both in the United States and abroad.
Kevin can be reached at [email protected] or +1 843 890 8596.