PENETRATION TESTING
See your assets and vulnerabilities from the perspective of a skilled attacker
PCI DSS ASSESSMENTS
Friendly QSAs with practical implementation and risk management experience
PHISHING & SOCIAL ENGINEERING
Understand the effectiveness of your organisation's security-awareness training
ORGANISATIONAL ASSESSMENTS
Holistic organisational security assessments, audits and security reviews
CLOUD SECURITY REVIEWS
Security assessments of cloud computing environments in AWS and Azure
A penetration test (pen test) is an exercise, conducted by a careful, skilled assessor, that seeks to discover, exploit and report on vulnerabilities in the target asset(s).
Pen testing includes both automated and manual tools and techniques that allow the assessor to simulate an attack on asset(s) as defined within the scope of the assessment.
Standards such as the PCI DSS note that penetration tests must be conducted at least annually and after any significant infrastructure or application upgrade or modification.
DotSec’s assessors have various certifications including both OSCP and OSWE, and perform penetration testing on targets including web applications, corporate networks, mobile applications, APIs and WiFi networks, to name but a few.
DotSec is a Payment Card Industry (PCI) Qualified Security Assessor (QSA) company. This means that DotSec is qualified to assess entities (including online merchants, payment processors and service providers) for compliance with the PCI Data Security Standard (DSS).
We have built systems that are compliant with the PCI DSS and we can assist with the preparation of all your PCI DSS compliance and reporting requirements, from gap-analysis and remediation work, through to Attestations of Compliance (AOCs) and Reports on Compliance (ROCs).
DotSec can also assist with the preparation of Self Assessment Questionnaires (SAQs).
DotSec’s QSAs have many years of implementation experience, and so provide practical and reasonable advice.
DotSec can conduct organisational reviews that are undertaken with reference to the control objectives listed in Annex A of the ISO/IEC 27001:2013 standard.
An organisational review provides a range of benefits to the client and, in particular, gives the organisation an overview of its current level of information security maturity.
The level of maturity is expressed as one of five maturity stages, and is measured qualitatively for each of the 14 control categories (A.5 to A.18, which can be thought of as security domains) listed in Annex A of ISO/IEC 27001:2013.
All reviews include practical recommendations as to how the organisation’s level of maturity can be improved.
Responsibility for the security and compliance of any cloud environment (both infrastructure and controls) is shared between the cloud service provider and the customer.
In general, the cloud service provider is responsible for the security of the underlying infrastructure, and the customer is responsible for the security of what they deploy on it: data, identities and access, configuration, and the services and applications that run there. Exactly where that line sits depends on the service model (it moves as you go from IaaS to PaaS to SaaS), so it must be confirmed for each service in scope rather than assumed.
DotSec conducts security assessments of cloud computing environments including AWS and Azure. We offer once-off reviews or continuous assessment as part of our fully managed SIEM/SOAR service; the choice is yours.
Criminal groups (as well as others) use phishing as a means to infiltrate organisations, undertake ransomware attacks, gather credentials for subsequent impersonation attacks, or simply to destroy target assets.
DotSec conducts phishing (and more generally, social engineering) tests in order to demonstrate to your users how phishing attacks work, and how to reduce the associated risks.
Phishing tests are most effective when combined with security awareness training, providing both testing and improvement metrics. Ask about our packaged testing and education services to understand more.
The CIS Controls are a set of internationally-recognised, best-practice security recommendations developed by a community of information security experts.
The controls are organised into 18 control categories, or security domains, and the safeguards within each control are prioritised by their allocation to one of three Implementation Groups (IG1 to IG3). Implementation Groups provide a way for organisations to assess and improve their security maturity over time, starting with the essential safeguards in IG1.
To help your organisation align with the CIS Controls, DotSec can provide you with specific, actionable recommendations that are practical to implement.
The Essential Eight is a set of eight mitigation strategies developed by the Australian Signals Directorate (ASD) which are designed to protect (primarily) Microsoft Windows-based internet-connected networks. Organisations that want to protect themselves against a range of cyber threats should aim to meet a target maturity level that is suitable for their environment.
DotSec can conduct an assessment of your computing environment with reference to the requirements of an appropriate ASD Essential Eight maturity level. We can then help you to create and/or update and improve the policy, procedure, standards and planning documentation that reflects the improvements you have made while meeting your target Essential Eight maturity level.
DotSec assessors have over 22 years of experience, not just in penetration tests and security reviews but also in secure-systems design, development, deployment and maintenance. Our understanding of what it takes to develop and maintain secure systems allows our assessors to deliver unique and valuable results.
An assessment report that only lists shortcomings and vulnerabilities is of little use! DotSec has 20 years of experience in building secure systems, so our assessment reports include detailed descriptions of how vulnerabilities and shortcomings may be addressed, in a practical and reasonable manner.
When it comes to assessment and testing, DotSec works with you to understand your business processes, identify your assets, and assess and then manage your risks. You can be certain of receiving a complete and concise report that will provide you with clear and realistic risk-mitigation strategies and actions.
DotSec can provide a range of testing and assessment services including PCI DSS and IRAP security audits, Cloud (Azure and AWS) security reviews, CPS 234 audits, organisational reviews, blind and informed penetration tests (pen tests), social engineering (including phishing) tests, code reviews and design reviews.
Major compliance frameworks and guidelines (such as the PCI DSS, ISO 27001, CPS 234, and the ISM) recommend or demand that testing is done on a regular basis, and/or after a major system change. New systems should be tested early in order to reduce risks and costs associated with late-stage system redevelopment.
We recently delivered a presso that described how DotSec has used Splunk for a number of interesting projects. (In preparing the presso, I was a bit shocked to discover that we've actually been using Splunk now for over 12 years! Fun times!) Anyhow, our presentation was quite interactive, and it covered off four projects which pretty well summarise work that we do at DotSec on a fairly regular basis:
All in all, it was a good presso, and we received lots of interesting questions. The slides from the presso are available here; please have a look through and let us know if you have any questions or comments.
Until next time!