Penetration Testing

Physical Penetration Test

Physical penetration testing consists of covert social engineering attempts to exploit human nature by persuading or deceiving employees to provide access to non-public facilities and information.

Work Area: Physical Penetration Test

Focus: Physical penetration tests help determine the type and amount of sensitive or non-public information accessible to an intruder after a successful social engineering attempt.

Scope: We attempt to persuade or deceive employees to provide sensitive or non-public information about the organization and its clients through impersonation and persuasion by telephone, by email, and by personal visits to the organization. We attempt to gain unaccompanied physical access to restricted areas of the organization by posing as utility workers, vendors, employees from another department, or technical and delivery personnel.

Results: The result of the physical penetration test is a report of the types of attempted social engineering techniques to which the organization was susceptible, the type and amount of sensitive or non-public data obtained, and recommendations for additional controls and training to mitigate the social engineering threat.

Logical Penetration Test

The primary objective of logical penetration testing is to exploit discovered vulnerabilities to demonstrate that specific vulnerabilities present in the organization’s network can be used to compromise network security and data availability, confidentiality, and integrity. It uses intrusion techniques identical or similar to the methods attackers use to breach network security, collect data, and elevate their privileges within the network. It determines the degree of control the organization can expect an attacker to achieve after successful penetration using a specific attack scenario. By observing the organization’s response to attack methodologies, it can also reveal the extent to which the organization’s security incident response capability is alerted.

Work Area: Logical Penetration Test

Focus: Logical Penetration Tests exploit specific vulnerabilities authorized by the organization to determine the degree of control or amount of sensitive data exposed after successfully exploiting that specific vulnerability on that specific host.

Scope: We submit a list of potential vulnerabilities to the organization’s designated Point of Contact for exploitation authorization. We exploit only vulnerabilities authorized by the organization and only after discussing with the organization the risk and impact of exploitation.

Results: A report of successfully exploited authorized vulnerabilities, the degree of control or amount of sensitive data exposed as a result of that successful exploitation, repeatability information, and mitigation strategies for each successfully exploited vulnerability.