Services
The IT Security Team (ITSec) assesses organizations to find vulnerabilities before malicious attackers have the chance. Because the ITSec Team is well versed in the methods used by malicious hackers, they are able to identify avenues for attack. Whether you suspect that your organization is vulnerable, or you are required to have attack and penetration assessments performed due to the requirements of regulations and standards such as SoX, Critical Infrastructure Protection (CIP), Payment Card Industry Data Security Standard (PCI DSS), Health Information Technology for Economic and Clinical Health Act (HITECH), SACorp's ITSec Team is ready to provide your organization their expertise.
Internal Attack & Penetration
Internal Attack & Penetration
Internal Penetration Testing examines the security surrounding internally connected systems; typically, within a corporate network. Internal Attack & Penetration tests the security of internally connected systems from various vantage points, such as posing as normal users within the office building, remote users, third party service providers, and business partners. Internal Penetration Testing involves including and exploitation of actual known and unknown vulnerabilities from the perspective of an inside attacker. Such testing usually includes attempts to breach the target both an authorized user with varying levels of access or as an unauthorized individual with physical access. The test demonstrates if there are weaknesses in traditional access control mechanism, network segmentation is effective, and whether network monitoring services and responses are timely and decisive. The test report designed for both executive/board level to show the high-level risk and technical staff/IT teams to show issue details and options for remediation.
Internal Penetration Test follows documented security testing methodologies which can include:
Internal Penetration Test follows documented security testing methodologies which can include:
- Port Scanning and System Fingerprinting
- Services Probing and Vulnerability Identification
- Manual Vulnerability Testing and Verification of Identified Vulnerabilities
- Exploit Research and Service Exploitation
- Application Layer Testing
- Firewall and ACL Testing (Data Exfiltration testing)
- Lateral Movement
- Administrator Privileges Escalation Testing
- Password Strength Testing
External Attack & Penetration
External Attack & Penetration
External Penetration Testing tests the security surrounding externally connected systems from the Internet, as well as within a Corporate Network. Controlled tests are used to gain access to the DMZ and ultimately to the internal resources; by bypassing the firewalls from the Internet. External Penetration Testing involves the finding and exploitation of known and unknown vulnerabilities from the perspective of an outside attacker. The test also shows if any weakness traditional firewall or other third-party monitoring services and their response. The report generated as the output of this work is designed for both the executive to show the high-level risk and technical staff/IT teams to show issue details and options for remediation.
External Penetration Test follows the penetration testing execution standard (PTES) which includes:
External Penetration Test follows the penetration testing execution standard (PTES) which includes:
- Pre-engagement Interactions
- Intelligence Gathering using Open-source intelligence (OSINT)
- Threat Modeling
- Vulnerability Analysis
- Exploitation
- Post Exploitation
- Reporting
Compliance Gap Assessment
Compliance Gap Assessment
A compliance gap assessment will measure a company’s existing policies and processes against applicable industry compliance needs (PCI, HIPAA, ISO 27002), local, state and federal regulations (FFIEC, FISMA, NIST 800-53). The results will indicate gaps or deficiencies in a company’s compliance program, such as potential regulatory violations and incomplete data security requirements. Our consultants provide expertise in interpreting, evaluating, and validating control against a standard or framework. They will also recommend how to mitigate the risk. The final Gap Assessment report not only outline all of the gaps that need to be filled but also recommends action items your team can start on for your path to successful certification.
Web Application Security Assessment
Web Application Security Assessment
Our Web Application Security Assessment will help to identify the weaknesses and potential threats to your web application. Our professionals simulate hacker's actions to seek security holes in your web application, helping your web application to defend against OWASP Top 10 vulnerabilities. The ultimate of this type of assessment/ penetration testing goal is to gain as much unrestricted access to sensitive information as possible, including administrator level rights, fully enable access over routers and switches and access to sensitive data residing on the internal systems. The test also shows if any weakness in Web Application firewall or other third-party web filtering services and their response. The report generated as the output of this work is designed for both the executive/board level to show the high-level risk and technical staff/IT teams to show issue details and options for remediation.
Web Application Testing methodology is based on the Open Web Application Security Project (OWASP) methodology which includes:
Web Application Testing methodology is based on the Open Web Application Security Project (OWASP) methodology which includes:
- Input Validation Attacks
- Cross-Site Scripting Attacks
- Script Injection Attacks (SQL Injection)
- Authentication
- Authorization
- Session Management
- Transport Security
- Error Handling
- Business Logic Testing
- Client-side testing
- Mobile Application Testing
Wireless Attack & Penetration
Wireless Attack & Penetration
Wireless Penetration Tests are strategic and isolated attacks against the client's systems. Our consultants will simulate a hacker and attempt to identify, exploit, and further penetrate weaknesses within wireless systems. Wireless Penetration Tests will evaluate risk related to potential access to your wireless network. We will detect access points and devices from various areas located outside and within the facilities. A concept called "war-driving" allows attackers to use automobiles to collect sensitive information from far distances and attack critical systems. Simulations utilizing war-driving, as well as performing an on-site Internal Attack and Penetration Test if the wireless network is breached, will be conducted. The report generated as the output of this work is designed for both the executive to show the high-level risk and technical staff/IT teams to show issue details and options for remediation.
Wireless Penetration Test follows best practice in penetration testing methodologies which includes:
Wireless Penetration Test follows best practice in penetration testing methodologies which includes:
- Identity theft (MAC spoofing)
- Caffe Latte attack (Fake Wi-Fi Access Points)
Social Engineering Attacks
Social Engineering Attacks
Social Engineering is a technique that relies on weaknesses in human nature, rather than vulnerability in hardware, software, or network design. Attacks are successful because they target basic human nature. The test also shows if any deficiency in the service provider’s email filtering services and their response. The report generated as the output of this work is designed for both executive/board level, and technical staff/IT teams to show the importance of the Security Awareness program.
We offer three core Social Engineering assessments to test human weakness:
We offer three core Social Engineering assessments to test human weakness:
- Email Phishing
- Telephone Social Engineering
- CD/USB Thumb Drive Drops