The Reliant Penetration Testing service takes vulnerability testing an additional step by exploiting any found vulnerabilities and attempting to gain access to systems. Penetration testing can be conducted on either internal or external tests as an add-on service. Testing can be conducted with (whitebox) or without (blackbox) the knowledge of key staff. Testing can also be conducted blind so that Reliant staff does not have any advance information other than the name of the organization. Penetration testing attempts to prove that a vulnerability is exploitable and that multiple mitigating controls have failed to protect the organization from the attack.
Process
Reliant’s Social Engineering Testing service follows the basic process outlined below:
- Determine scenarios, scope, and approach with relevant staff
- Conduct vulnerability test
- Conduct penetration test phases (gain access, privilege escalation, system review, install additional tools)
- Conduct Social engineer tests, if authorized (onsite, telephone, and email)
- Review results with staff
- Write report of all vulnerabilities and results of penetration including remediation steps
- Review report with internal staff
Items Reviewed
Reliant will test the following items during the penetration testing (these items are in addition to the internal and external vulnerability tests)
- Brute force password cracking – Reliant will attempt to break in to any system that displays a log in prompt (examples include: FTP, Telnet, SSH, etc)
- Sniffing network traffic – Reliant will attempt to sniff network traffic using widely available means
- SQL Injection – Where possible, SQL injection techniques will be used to gain access to database systems
- Cross Site Scripting – For vulnerable systems, Reliant will attempt to use XSS techniques to exploit vulnerable systems
- Denial of Service – When applicable, Reliant will attempt to perform denial of service techniques to crash applications and servers.
- Buffer Over Flows – For vulnerable systems, Reliant will use a variety of tools to attempt buffer overflow attacks
- Social Engineering – When authorized, Social Engineering may be used to gain additional information such as usernames and passwords
- Access Control – Once access is gained, network shares and accessible folders will be checked to determine if sensitive data is available
- War Dial – After determining numbers that auto answer, Reliant will attempt to hack into system by brute forcing user names and passwords