| Penetration
Test and Analysis
A Penetration Test and Analysis, performed by Cerzán,
will identify security concerns specific to your network.
An attempt is made to penetrate your security defenses using
methods similar to that of a real electronic intruder (hacker).
In most cases, we can and will utilize tools that are downloadable
from the Internet, in addition the to state-of–the-art
tools and procedures.
We look for the “path of least resistance" to
penetrate an organization' network. Examples would be misconfigured
systems, easily guessed passwords on systems, or guest accounts
on remote access servers.
Our Consultants and Engineers posses a high degree of technical
skills and follow a defined methodology when conducting a
hacker study. Several of our Consultants carry and maintain
high-level Security Clearances, and have been trained to infiltrate
systems and networks. We try to simulate an exact hacker scenario,
therefore, providing a realistic approach to the network security
your organization needs to employ.
After attempting to penetrate the security perimeter of your
organization, the information obtained will be analyzed to
provide recommendations that apply directly to your specific
security and network implementations. In addition, a detailed
description of the vulnerabilities found (and recommendations
to address the vulnerabilities) will be included in a full
report, which could total 50-100 pages.
The following section describes the approach Cerzán
uses for a Penetration Test and Analysis:
Scope of Penetration Testing
Cerzán will work with your organization to determine
the scope of the penetration test, operational requirements,
availability of support staff, and "rules of engagement,"
prior to the start of testing.
The objective of penetration testing is to demonstrate
that exploitable vulnerabilities exist within your network
infrastructure - not to demonstrate that your network is
free of vulnerabilities.
It is important to note that Cerzán staff will not
perform illegal activities on systems external or internal
to your network, during the penetration test. Information
obtained will be treated as confidential and proprietary,
and release documents and liability forms are covered and
signed, prior to any penetration test engagement.
Test Methodology
The methodology for an Internet-based penetration test
follows a procedure that duplicates the method an attacker
might take, when attempting to breach a Company's security
perimeter. This procedure starts with gathering information
regarding the Company' systems and configurations, utilizing
various tools and utilities. The information obtained is
then used to launch progressively more advanced attacks
against the systems.
Security Concerns
Cerzán describes-in detail-all the identified areas
of concern, along with recommendations for corrective. Each
security concern will be labeled with an indication of the
level of risk associated with a particular vulnerability
posed to the company's network. Included will be a table
listing of the hosts, and the potential vulnerabilities
found on each one of those hosts.
Summary of Vulnerabilities
The summary section is a review of the kinds of vulnerabilities
found on your organization's systems.
Conclusion
The conclusion will give your organization a snapshot of
the overall security of your network infrastructure. Cerzán
will point out the security concerns that need to be addressed
immediately and give specific recommendations regarding
how to address these particular vulnerabilities. Cerzán
will also point out good practices that were taken by your
organization in protecting your network, to continue that
practice in the future.
Appendices
These sections contain information gathered by tools and
exploits. They may also contain information liberated from
servers, such as cracked passwords.
Deliverable
A report, complete with a detailed description of the vulnerabilities
found and recommendations to address the vulnerabilities,
will be developed. A full report could total 50-100 pages.
The report will be delivered as a bound hard copy, in addition
to electronic format that will be transferred to your organization
in a secure fashion.
|
