It is evident today that security has become more robust. Hackers find it very difficult to penetrate your network externally using traditional methods. When a hacker or intruder attempts to exploit targets from inside your network, however, the results can be devastating and hard to repair. This review will focus on the use of commercial tools and methods that a hacker or disgruntled internal employee can use to attack potential targets. Companies will benefit by knowing their internal vulnerabilities and target risks, and by being provided with reasonable responses to the threats. This review can be combined with the Social Engineering Vulnerability Assessment, as an attacker could bypass external network security measures and access the network from the inside through social engineering techniques. See Social Engineering Vulnerability Assessment for more information.
The Cadence Value Proposition
With The Cadence Group, you will work with knowledgeable information security professionals. We are experienced in performing internal network penetration testing, and all of our information security professionals hold CISSP certifications (Certified Information Systems Security Professional).
Cadence works with organizations seeking to capitalize on this opportunity to truly effect change within their organization's culture and support mechanisms. Change requires real acceptance of responsibility by business units for continued, proactive assessment of information security risk and protection of information. To deliver true change, we not only identify information security vulnerabilities, but also focus on cost-effective countermeasures.
We further believe the keys to any such initiative are management ownership and flexibility. Ownership will help create long-term success for the project and allow for understanding and accountability within the organization. Our flexibility allows you to depend on us at any time during the project for any needed assistance and to obtain the benefits you require.
To provide flexibility, we can perform the related tasks necessary to complete each phase of the project (outsourcing), coach you and your staff on information security (advisory), or perform a combination of the two. We will work with you to understand your business, the information assets you want to protect, timing restrictions, budgetary constraints and desired results to develop a solution that is right for you.
Methodology
External Penetration Testing projects are typically divided into five phases.
1. Initial Consultation - The Cadence Group will meet with management to determine the assets the company is trying to protect. Based on this information, The Cadence Group will provide some initial information on which vulnerability assessments will provide the most value to achieving those goals.
2. Project Initiation - Once management has determined the most effective way to assess their information security vulnerabilities, The Cadence Group will compose an engagement letter with a full disclosure agreement specifically detailing the services to be provided and Cadence’s commitment to providing a full disclosure of all findings in the final report. Related fees and a project budget will be provided.
3. Project Scoping and Planning - When management decides to initiate the project, Cadence will meet with management to map out a project plan, which will include the dates and times the penetration testing will take place and the methods of testing. The methods will also include a detailed description of each test that will be conducted and the tools to be used. This will enable management to have full disclosure of the times and dates that Cadence will attempt to perform the penetration testing and complete knowledge of all tests to be performed. Management will have complete final say over the plan to ensure the safety and security of their network.
4. Field Work - After management is comfortable with the approach, Cadence will begin field work testing. This will include a replication of the methods used by today’s internal hackers:
a. Reconnaissance: Gathering background information on the target’s systems/infrastructure, IP address ranges, company officers/managers, etc. Also known as footprinting.
b. Scanning: Using information gathered during the reconnaissance phase to scan for vulnerabilities and identify critical network information.
c. Gaining Access: Having identified potential vulnerabilities in the scanning phase, attacks are carried out on those vulnerabilities in an effort to gain access to systems.
d. Maintaining Access: Once access is gained to systems, attackers will ensure that they can retain access for future attacks. This involves enumeration to identify user IDs and passwords and creating powerful/hidden accounts the attacker can use to maintain their access.
e. Attacking: Once the above steps have been completed, the attacker will go after their target. Here, if the review makes it this far, we will certainly not perform an attack, but rather identify the types of attacks and potential targets that may be compromised and provide full disclosure.
f. Cover Tracks: Remove all evidence of the attacker’s presence. This includes deleting security logs, evidence of entry and evidence of the attack. Again, Cadence will not delete logs, but will provide disclosure if we had the ability to remove/delete security logs to cover tracks.
5. Reporting - At the conclusion of field work, Cadence will provide a full disclosure report on the results of each test that was initially approved by management. The second section of the report will include a detailed listing of all vulnerabilities identified during the review and the potential targets that could be compromised. This will also include a cost-effective and reasonable approach to remediation of the vulnerabilities noted. A closing meeting will be held to discuss full disclosure of all the tests, findings, vulnerabilities and remediation recommendations.