Penetration Testing Services

 

Mile2 offers comprehensive penetration testing and vulnerability assessments to secure your information assets against attacks both inside and outside your infrastructure. A critical complement to vulnerability scanning, penetration testing proves the extent to which vulnerabilities can be exploited by emulating what a hacker may do in a controlled and methodical manner.

Our reports are manually written for a complete risk perspective.

Mile2 offers:

• Black Box Testing (Zero Knowledge)
• White Box Testing (Complete Knowledge)
• Gray Box Testing (Combination of Both of the above)

Mile2 is partnered with Saint and Core Impact, both leaders in IT Security Software. Using PCI ASV (Approved Scanning Vendor) tools and state-of-the-art custom security tools and processes, Mile2 exceeds industry standards by implementing a 4-Phase PCI Penetration Testing Process. Testing is performed by qualified industry professionals holding major information technology security certifications such as C)ISSO-Certified Information Systems Security Professional, CCIE (Cisco Certified Internetwork Expert), CISA (Certified Information Systems Auditor) and C)PTE (Certified Penetration Testing Engineer).

Why would you need a penetration test? Compliance or Need?

Some companies are required to meet standards such as PCI or SOX, while other companies want to secure their data infrastructure. It's worth noting that a recent study released by the Ponemon Institute found that information losses cost U.S. companies an average of $182 per compromised record, an amount that increases each year. That amounts to hundreds of billions of dollars industry-wide each year - http://www.ponemon.org/about.html

Benefits of a Mile2 Penetration Test & Vulnerability Assessment:

Mile2’s penetration testing follows standards such as the OSSTMM (The Open Source Security Testing Methodology Manual). The OSSTMM focuses on the technical details of exactly which items need to be tested, what to do before, during, and after a security test, and how to measure the results. In doing so, Mile2 can help your organization do the following:

• Intelligently manage vulnerabilities
• Avoid the cost of network downtime
• Meet regulatory requirements and avoid fines
• Preserve corporate image and customer loyalty
• Justify security investments
• Satisfy prerequisites for cyber security insurance.

The Mile2 Approach

PHASE 1 – NETWORK SECURITY ASSESSMENT
This phase ensures the network devices protecting the Web servers are configured correctly, including border-facing routers, switches and firewalls. This will involve the following:

•  Network Discovery - Using a combination of public and proprietary network mapping tools, network sweepers and port scanning tools, Mile2 will gather accessible information about the physical network structure and identify available network services.
•  Network Configuration – The configuration of firewalls, routers and switches will be examined for any anomalies against your company’s procedures and standards. The configuration will be compared to National Security Agency (NSA) standards and any gaps will be documented. SNMP strings and encrypted passwords will be examined as well as ACLs and open ports.
•  Vulnerability Identification – After confirming the system’s identification, Mile2 will conduct vulnerability assessment activities with open source tools and our proprietary vulnerability database in order to identify potential vulnerabilities in all network devices.
•  Exploitation Testing – After gaining express approval for the nature and time of testing, Mile2 will attempt to confirm vulnerabilities using exploit code developed and tested for the task. This includes documentation and video footage to demonstrate the effectiveness of the attack.

PHASE 2 – SECURITY ASSESSMENT OF SERVER OPERATING SYSTEMS AND WEB SERVERS
In order to assess the security of the server operating systems and web server software, the following phases of the Security Assessment methodology will be undertaken using your Policy and NSA Standards.

•  Operating Security Controls – Mile2 conducts a full review of your company’s server platform housing the web server. This includes but is not limited to: patch levels, registry lockdown, user accounts, service accounts, file permissions, enumeration settings and SNMP configuration. Open source and commercial tools will be utilized.
•  Web Server Security Controls – A full review of your IIS/Apache configuration including but not limited to lockdown, removal of default configuration, modules selected, log file security, patching, consoles and retention. Open source and commercial tools will be utilized.
•  Vulnerability Identification – After confirming the system’s identification, Mile2 will conduct vulnerability assessment activities with open source tools and our proprietary vulnerability database in order to identify potential vulnerabilities in all services.
•  Exploitation Testing – After gaining express approval for the nature and time of testing, Mile2 will attempt to confirm vulnerabilities using exploit code developed and tested for the task. This includes documentation and video footage to demonstrate the effectiveness of the attack.

PHASE 3 – SECURITY ASSESSMENT OF WEB APPLICATIONS
The final phase is where the majority of hacking attacks take place. Cookies, code, encryption types, randomness and input validation will be carefully analyzed. These attacks are not stopped by firewalls and now account for 70% of all successful hacker attacks.

•  Code Inspection – All web server code, including PHP, Java, C# (.NET) and HTTP will be inspected for potential buffer overflows.
•  Administrative Interfaces - To determine the extent of any administrative interfaces used and whether or not they are secure.
•  Authentication and Access Control - To determine the adequacy of the authentication and access control configurations.
•  Configuration Management - To determine the adequacy of change management procedures.
•  Input Validation - To determine whether the web application can be manipulated by inserting invalid input in order to extract sensitive information or perform unauthorized functions.
•  Parameter Manipulation - Determine whether parameters in the web applications can be manipulated to extract sensitive information or perform unauthorized functions.
•  Session Management - To identify the session management mechanism used and to determine any security control weaknesses.
•  Business Logic - Determine whether business logic controls can be bypassed.
•  Links - Review of any links to other connected servers including middleware/database servers.

Project Deliverables

The results of the project will be documented in a Security Assessment Report, which will include the following:

•  Executive Summary with a matrix of high priority issues identified and “layman’s” description of impact suitable for senior management
•  Comments on common areas of security weaknesses.
•  Technical Overview of issues identified including:

         •  Name of web application
         •  Security weakness (e.g. Input Validation flaw allows Denial of Service Condition);
         •  Potential Impact (e.g. High, Medium, Low);
         •  Description of impact (e.g. An authorized user can insert invalid input into the application causing a denial of service condition requiring full system reset);
         •  Evidence of impact (e.g. screen shot, system log extract, system code extract); and
         •  Technical Description of Suggested Fix (e.g. perform known good input validation of the following form fields in the web application).
         •  Videos of the successful attack patterns to be used to highlight to management