Penetration Testing

penetration test

In today's ever-changing business communications world, new technologies enable enhanced performance and efficiency at every turn.

Yet, with advancements in new network systems and functionality comes the increased risk of exposure to unexpected security threats external to the organization. The ability to test for such vulnerabilities has long been a concern for companies seeking maximum protection for key company assets, from intellectual property to personnel.

A "penetration test" offers an invaluable and compelling way to establish a baseline assessment of security as seen from outside the boundaries of the organization's network. Properly executed penetration tests provide evidence that vulnerabilities do exist and that network penetrations are possible. More importantly, they provide a blueprint for remediation in order to start or enhance a comprehensive information protection strategy. Finally, a penetration assessment is a powerful tool for verifying that your organization's network is in fact running clean, providing the third-party reporting required of government agencies, auditors or other entities to demonstrate compliance.

The origins of penetration testing can be traced back to the earliest data networks when more informal means were used to assess system vulnerability. More formal processes were established around 1985, when the US Department of Defense first defined computer security standards. Penetration testing was isolated from more holistic security auditing in the early 1990's, and has evolved rapidly since the mid 1990's. The current state of penetration testing focuses on automation and development of new tools to improve the assessment.

A Better Sense of Safety

penetration test

NCC's Penetration Assessment is a proprietary test for measuring the vulnerability of your company's various data systems. This authorized and systematic process attempts to hack in to your organizations most valued and sensitive target systems, which include key company assets: information, software, hardware, systems and people.

The primary objectives of NCC's Penetration Assessment are to identify unknown points of entry to these targets and to verify the functionality of security controls included in the assessment scope. Secondary objectives of the Penetration Assessment are to provide mitigation to identified threats and to correlate identified flaws with

penetration test

Six Steps to Network Protection

NCC's Penetration Assessment follows a unique six-step methodology that leverages an arsenal of industry-leading security tools that include publicly available applications, commercial resources, custom-written tools and manual analysis. The methodology is further bolstered by a built-in improvement process that draws on continues research into tools and techniques and an ever-expanding vulnerability database and security resources.

  1. Scouting The first step of the Penetration Assessment, Scouting, is a passive collection of information about the designated targets. This includes the validation of targets and verification of the client's ability to request and authorize their assessment.
  2. Probing The second, or Attack, phase of the Penetration Assessment introduces progressively more invasive attacks to identify potential weaknesses in the target. Information gathered at this stage is pulled forward throughout the assessment.
  3. Correlation In the Analysis/Correlation step, information from the Scouting and Probing stages is compared with known target profiles to determine viability of the threats. The end goal of this stage is to avoid assessing and targeting threats which are not possible.
  4. Review The fourth stage, or Testing Review stage, offers the opportunity for the client to review the findings at a high level. The focus of this stage is to develop awareness and understanding for the target profiles, not the threats themselves.
  5. Analysis The Analysis stage offers an in-depth examination of the various threats identified and their correlation to threats currently recorded in the National Vulnerability Database (NVDB) and other resources, including ISO-17799, HIPAA and SOX among others. At this point, an impact analysis of identified threats is developed and threat mitigation plans are documented. Any additional probing that may be necessary is performed at this juncture.
  6. Reporting The Penetration Assessment's final step is the compilation of a comprehensive report with a detailed analysis of the vulnerabilities identified in the target systems and a high level mitigation plan to address each. The final report also includes supporting documents that outline the discovery process and support the overall findings. Information presented is incorporated into the Vulnerability Database for use in future assessments.

While delivery of the final report concludes the formal Penetration Assessment, NCC is committed to helping your organization complete the mitigation plans identified in the findings and evaluate the possible need for a full blown risk assessment to better define threats to the company data systems. At the same time, should the Penetration Assessment yield no security threats, you now have a comprehensive audit of your company network demonstrating compliance with security standards for government agencies, auditors or other entities to which your organization is accountable.

Considering the Penetration Assessment

penetration test

Simply put, any organization that invests money in security software, appliances or services is a candidate for a Penetration Assessment. However, organizations motivated by one of four primary drivers offer a greater likelihood for consideration. These drivers may include GOVERNMENT/NATIONAL SECURITY, LEGISLATIVE/ REGULATORY, COMPETITIVE BUSINESS PRACTICE or BEST BUSINESS PRACTICE. GOVERNMENT entities or organizations directly servicing NATIONAL SECURITY interests. Subject to regulatory requirements that may includes Federal Information Processing Standards (FIPS) and Common Criteria (CC) or other internal requirements.

LEGISLATIVELY REGULATED GROUPS may be bound by either international treaties, federal, or state legislative requirements which govern their IT operations. Some examples may include:

  • Publicly-traded firms: Sarbanes-Oxley
  • Healthcare providers, and payers: HIPAA
  • Financial firms: Gramm-Leach-Bliley Act
  • Utilities providers: variable by state
  • Communications: TRA, TA 96, and TA 05
  • Transportation firms (airlines, airports, shipping firms, sea-ports, hazardous transport services, etc.): variable by industry