
Penetration Testing

Much of the confusion surrounding penetration testing stems from the fact that it is a relatively recent and rapidly evolving field. Additionally, many organisations have their own internal terminology (one man's penetration test is another's vulnerability audit or technical risk assessment).

At its simplest, a penetration test is the process of actively evaluating your information security measures. Note the emphasis on 'active' assessment: the information systems are actually tested to find security issues, as opposed to a solely theoretical or paper-based audit.

The results of the assessment are then documented in a report, which should be presented at a debriefing session where questions can be answered and corrective strategies freely discussed.


Why conduct a penetration test?

From a business perspective, penetration testing helps safeguard your organisation against failure, through:

  • Preventing financial loss through fraud (hackers, extortionists and disgruntled employees) or through lost revenue due to unreliable business systems and processes.
  • Proving due diligence and compliance with your industry regulators, customers and shareholders. Non-compliance can result in your organisation losing business, receiving heavy fines, attracting bad PR or ultimately failing. At a personal level it can also mean the loss of your job, prosecution and sometimes even imprisonment.
  • Protecting your brand by avoiding loss of consumer confidence and business reputation.

What can be tested?

Every part of the way your organisation captures, stores and processes information can be assessed: the systems the information is stored in, the transmission channels that transport it, and the processes and personnel that manage it. Examples of areas that are commonly tested are:

  • Off-the-shelf products (operating systems, applications, databases, networking equipment etc.)
  • Bespoke development (dynamic web sites, in-house applications etc.)
  • Telephony (war-dialling, remote access etc.)
  • Wireless (WIFI, Bluetooth, IR, GSM, RFID etc.)
  • Personnel (screening process, social engineering etc.)
  • Physical (access controls, dumpster diving etc.) 

From an operational perspective, penetration testing helps shape information security strategy through:

  • Identifying vulnerabilities and quantifying their impact and likelihood so that they can be managed proactively; budget can be allocated and corrective measures implemented.


Potential areas covered during our penetration testing include the following:

  • Perimeter and Internal Penetration Testing: Please review the Internet Technology Security Testing Module details shown below.
  • Network security testing: We analyse the security of your networks, considering the potential for both an internal and an external attack. Important for all organisations, it is essential for high-profile or Internet businesses, where breaches of customer confidentiality or fraud could result in bad publicity and loss of reputation and business.
  • Remote access and remote worker security: We ensure your organisation is equipped to manage the security risks that arise from remote and home working. Issues such as laptop security, home and remote worker security, VPN security and access to remote servers are considered.
  • Application security testing: We rigorously test your applications to ensure they are secure enough to cope with the transactions they are required to undertake (e.g. online banking and order processing).
  • Payment Card Industry Data Security Standard (PCI DSS): Our testers are Approved Scanning Vendors (ASV) that help organisations who sell or take donations or payments by credit card to become and stay compliant with the PCI DSS, ensuring they do not risk fines or being permanently barred from the card acceptance programme in the event of a security breach.
  • Forensics (Incident Response & Investigation Services): If your systems have been attacked or if you require forensically sound investigation of suspected computer abuse our Computer Forensic Incident Response & Investigation Services deliver a professional service based on real technical expertise and investigation experience.


Perimeter & Internal Penetration Testing

The first stage is a reconnaissance scan. Before it begins, critical and sensitive devices are identified and tools are configured so as not to interfere with business operations. During the test Castleforce examines the topology of the network, looking for potential security weaknesses.

Once active IP addresses, services and protocols have been identified, Castleforce presents the initial results back to the client. This gives Castleforce the opportunity to highlight the areas where it recommends concentrating testing activities, and gives the client the opportunity to confirm the areas of critical interest from a business perspective.

At this stage Castleforce will perform the Internet Technology Security Testing Module against the active IP addresses discovered during the reconnaissance scanning phase. This module includes the following tasks:

  • Logistics and Controls: 100% Manual 0% Automated - Adjusts the configuration of the tools used in the rest of the Internet technology security tests to reduce false negatives and false positives.
  • Network Surveying: 100% Manual 0% Automated - Finds reachable systems to be tested without exceeding the legal limits of what may be tested. It is used as a starting point for the other Internet security tests and may be used in conjunction with network information already provided by the organisation.
  • System Services Identification: 75% Manual 25% Automated - Networks identified in previous tests are scanned for services, including IP protocols and UDP/TCP services; once identified, these services are added to the network map for further investigation.
  • Competitive Intelligence Scouting: 100% Manual 0% Automated - Measures the buzz (feedback) of the organisation based on newsgroups, web boards and industry feedback sites, and gives an estimate of the cost of the organisation's Internet and support infrastructure. Competitive intelligence scouting also gives an indication of the number and types of products being sold electronically, as well as cracked products found in P2P sources.
  • Internet Document Grinding: 90% Manual 10% Automated - Recursively examines documents available on the Internet for useful information, providing profiles of employees, back-end and front-end technologies, and external trusted entities.
  • Exploit Research and Verification: 75% Manual 25% Automated - Identification and verification of weaknesses, misconfigurations and vulnerabilities within hosts and networks under the control of the organisation or its external trusted entities.
  • Routing: 100% Manual 0% Automated - Tests routing configurations, the ability of routing equipment to handle malicious packet streams, and routing/control protocols. Also tests the access lists and general routing equipment against different attacks across the OSI layers.
  • Trusted Systems Testing: 100% Manual 0% Automated - Maps and tests the organisation's infrastructure and trusted-systems superstructure by launching attacks posing as the trusted internal and external entities identified in the network surveying stage.
  • Access Control Testing: 100% Manual 0% Automated - Tests firewalls' access control lists for DMZs and private networks and other utility/security mechanisms (NAT, anti-spoofing, etc.) for effectiveness and resilience to attack, as well as mapping the services tunnelled through and provided by the firewalls protecting the organisation.
  • Password Cracking: 50% Manual 50% Automated - Validates password strength through the use of automated password recovery tools that expose either the application of weak cryptographic algorithms, incorrect implementation of cryptographic algorithms, or weak passwords.
  • Containment Measures Testing: 100% Manual 0% Automated - Examines the handling of traversable, malicious programs and egressions, as well as testing containment mechanisms and response policies.

Tests are carried out both remotely and locally to best simulate the types of attacks that a customer may experience from a determined attacker.
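The reconnaissance and network-surveying steps above both depend on one control: every host that ends up in a tool's target list must fall inside the ranges the client authorised, and the critical or sensitive devices identified before the scan must be kept out. The following is an added example of that scope gate (not Castleforce's code); the address ranges are constructed sample values, and `classify_target`/`filter_targets` are hypothetical names.

```python
# Added example: enforce an authorised test scope before any reconnaissance
# or scanning starts. Not Castleforce's code; all ranges below are constructed
# samples drawn from the RFC 5737 documentation networks.
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample: ranges the client authorised in the scope document,
# plus critical/sensitive hosts that must not be scanned or touched.
AUTHORISED_SCOPE = ["203.0.113.0/27", "198.51.100.10"]   # CIDR block or bare host
EXCLUDED_HOSTS = ["203.0.113.5", "203.0.113.16/30"]     # e.g. production SAN, legacy PLC


def _nets(entries: Iterable[str]):
    # Accept bare addresses or CIDR blocks; a bare address becomes a /32.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def classify_target(target: str, scope=AUTHORISED_SCOPE, excluded=EXCLUDED_HOSTS) -> str:
    """Return 'excluded', 'in-scope' or 'out-of-scope' for a single address."""
    addr = ipaddress.ip_address(target)
    # Exclusions win even when the host sits inside an authorised range.
    if any(addr in n for n in _nets(excluded)):
        return "excluded"
    if any(addr in n for n in _nets(scope)):
        return "in-scope"
    return "out-of-scope"          # never authorised: must not be touched


def filter_targets(candidates: Iterable[str], scope=AUTHORISED_SCOPE,
                   excluded=EXCLUDED_HOSTS) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Split candidate hosts (e.g. those found by network surveying) into the
    addresses that may be tested and those dropped, each with its reason."""
    allowed, dropped = [], []
    for c in candidates:
        try:
            verdict = classify_target(c, scope, excluded)
        except ValueError:         # hostnames / typos never silently pass
            verdict = "invalid"
        (allowed if verdict == "in-scope" else dropped).append((c, verdict))
    return allowed, dropped


if __name__ == "__main__":
    # Constructed candidate list as a network survey might produce it.
    sample = ["203.0.113.4", "203.0.113.5", "203.0.113.17",
              "198.51.100.10", "198.51.100.11", "not-an-ip"]
    ok, rejected = filter_targets(sample)
    print("may test:", [h for h, _ in ok])
    print("dropped: ", rejected)
```

Feed only the "may test" list to the scanning tools; anything in the dropped list needs either a scope change signed off by the client or no action at all.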



Castleforce Penetration Testing Project Description

Castleforce will conduct a series of network penetration tests specifically targeting the client's systems via the public IP addresses provided. The phases of the ethical penetration test will be as follows.

  • Reconnaissance
  • Scanning
  • Gaining Access
  • Maintaining Access
  • Clearing Tracks
  • Documentation of all processes and results

Reconnaissance

  • Information gathering on the ISP and its clients via publicly available information.
  • Passive reconnaissance – monitoring the network data for vulnerabilities and data identification.
  • Active reconnaissance – port scanning, accessible hosts, location of routers, identifying operating systems and possible configurations.
  • Footprinting – Castleforce will prepare a security profile of the client's network.

Scanning

  • Scanning of open ports and capture of network traffic
  • Sniffing (monitoring of data), covering:
  1. Network data
  2. Operating system data
  3. Spoofing
  4. Man in the Middle
  5. Passive sniffers
  6. Through compromising physical security
  7. Active sniffing
  8. ARP spoofing
  9. DNS spoofing
  • Full capture of operating systems, services and versions
  • Full identification of vulnerabilities and confirmation of known exploits

Gaining Access

Castleforce will use an array of tools and skills in attempting to gain access via the Social Investment Business public IP addresses. Below is a list of some of these methods.

  • System Hacking
  • Remote password guessing
  • Privilege escalation
  • Password cracking
  • Dictionary and Brute force attack
  • Key loggers
  • Hiding files
  • Denial of Service
  • Session Hijacking
  • Buffer Overflows
  • Root kits
  • Hacking Web servers
  • Web application vulnerabilities
  • Web based password cracking
  • SQL injection
  • Evading IDS, firewalls

Maintaining Access

Once we have successfully penetrated the system, we will attempt to deploy known tools, backdoors, Trojans and rootkits that enable us undetected access to the system at speed and from multiple locations.

Covering Tracks

To simulate a full "Black Box / Black Hat" attack we will also attempt to remove any evidence of our attack that would raise alerts or suspicions among IT staff that their system had been compromised. Techniques include:

  • Tunnelling
  • Altering/Clearing log files
  • Disabling auditing

Reporting

Castleforce will prepare and submit a confidential report and will review it with you and your ICT staff. Castleforce will provide information and solutions on how to mitigate the risks identified in the assessment report, but it is the client's decision and responsibility to implement these solutions. Castleforce are more than happy to work with the client to implement the necessary steps in securing your enterprise.

Review of the confidential report usually takes 2-3 hours depending upon the contents of the report.

Castleforce Penetration Testing Service


Gap Analysis Workshops (PCI DSS & GCSx CoCo)

Workshops to rapidly take the organisation through the relevant security standards. Key stakeholders are requested to come armed with information regarding the network, security and policies the organisation currently has in place. A security and networking specialist guides the stakeholders through the standards, comparing current status with what is required, identifying areas of compliance and non-compliance, and providing multiple options to help the organisation achieve the required levels for compliance.


Compliance Standards

Castleforce can help you reach PCI DSS:

  • Requirement 11: Regularly test security systems and processes
  • Requirement 12: Maintain a policy that addresses information security for employees and contractors

Castleforce can help you reach GCSx CoCo:

  • GCSX No 5: Compliance Checking

Castleforce can help you reach ISO27001:

  • A.12.6: Technical Vulnerability Management

Additional Testing Areas that Castleforce provide

Web Application Testing: focuses only on evaluating the security of a web application.

Database Security Testing: we offer audits of Oracle, SQL, DB2, Sybase and MySQL databases and application servers, a review of your database architecture, and source code review of your database applications.

Wireless Security Testing: contrary to popular belief, 802.11 signals can travel large distances from the access point, often hundreds of metres, which frequently allows the signal to radiate outside corporate boundaries. Combined with poor or non-existent security measures, this gives an attacker an easy opportunity to gain access to company data and networks.

Social Engineering: performed by our consultants in order to give a clear assessment of the security posture of the organisation when faced with attacks aimed at tricking human beings into divulging sensitive information, or performing actions on the attacker's behalf.

Computer Forensics: our service base ranges from IT security through to in-depth, stringent data forensics of all electronic data storage equipment.

VoIP Security Testing

VoIP testing is a specialist area of testing, which not every company is equipped to perform. It is important to test that transmission encryption levels are as expected and that there are no weak points where malicious users could intercept traffic.

POTS Telephony Testing

POTS testing is a specialist area of testing, which not every company is equipped to perform. It is important that there are no weak points where malicious users could intercept or interfere with traffic.

Penetration Testing Training

If you're interested in finding out more about penetration testing and security audits, we can offer the following security courses:

  • Certified Ethical Hacker (CEH) 
  • Certified Information Systems Manager (CISM) 
  • Certified Information Systems Auditor (CISA)
  • Secure Coding Training