Penetration Testing

Penetration testing, as required by an organization’s security audits, is an integral activity for gauging an organization’s level of resistance to security breaches. When performed by a contracted firm, or “Red Team,” penetration testing gives an organization’s security personnel real experience in dealing with intrusions. Similar to a fire drill, a penetration test forces them to develop an effective, working strategy for dealing with unexpected attacks.

Some engaged Pen Testing areas are:

The Types of Penetration Tests

We offer many types of pen testing services and also encourage crowdsourcing for application pen testing:

Black Box Testing

In a real-world cyber-attack, the hacker probably will not know all of the ins and outs of a corporation’s IT infrastructure. Because of this, he or she will launch an all-out, brute-force attack against that infrastructure in the hope of finding a vulnerability or weakness to latch onto. In other words, in this type of Pen Test the tester is given no information about the internal workings of the particular Web Application, its source code, or its software architecture. As a result, this type of test can take a very long time to complete, so very often the tester relies on automated processes to uncover the weaknesses and vulnerabilities. This type of test is also referred to as the “trial and error” approach.

Example network based blackbox testing:

White Box Testing

In this type of Pen Test, also known as “Clear Box Testing,” the tester has full knowledge of and access to both the source code and the software architecture of the Web Application. Because of this, a White Box Test can be completed in a much shorter time frame than a Black Box Test. The other advantage is that a much more thorough Pen Test can be completed. But this approach also has its disadvantages. First, since the tester has complete knowledge, it can take more time to decide what specifically to focus on regarding system and component testing and analysis. Second, conducting this type of test requires more sophisticated tools, such as source code analyzers and debuggers.

Gray Box Testing

As the name implies, this type of test is a combination of the Black Box and White Box Tests. In other words, the penetration tester has only partial knowledge of the internal workings of the Web Application; this is often restricted to access to the software code and system architecture diagrams. With the Gray Box Test, both manual and automated testing processes can be utilized. Because of this, a pen tester can focus their main efforts on those areas of the Web Application which he or she knows the most about and, from there, exploit any weaknesses or vulnerabilities. With this method there is a higher probability that hard-to-find “security holes” will also be discovered.

The Penetration Testing Teams

Very often, when it comes to Pen Testing, the image of just one person doing the test is conjured up. But keep in mind that the best Pen Testing happens when multiple testers are utilized and broken down into three teams, as follows:

The Red Team

The Red Team can be considered the individuals who are the actual Pen Testers. Their primary goal and objective is to mimic or emulate the mindset of an attacker, trying to break through all of the weaknesses and vulnerabilities which are present. In other words, it is the Red Team which attacks on all possible fronts.

The Blue Team

The Blue Team can be considered the personnel from within the business’s own infrastructure. This can be the IT Security team, and their primary goal and objective is to thwart and defend against any attacks from the Red Team. It is important that anybody participating on the Blue Team possesses a mindset of constant proactiveness and vigilance to defend the corporation against any and all attacks. If you think about it, the Red Team and Blue Team can be viewed as two sides of the same coin, or the Yin and the Yang. The combined goal of these two teams is to enhance the security posture of the corporation on a constant basis by sharing feedback with one another. However, this does not always happen; thus there is the need for the Purple Team.

The Purple Team

The Purple Team can be viewed as the composite of both the Red Team and the Blue Team. In other words, the Purple Team adopts the security controls and tactics from the Blue Team as well as the security weaknesses and vulnerabilities discovered by the Red Team. This is then all translated into one single narrative which can be shared across all of the teams to fully implement a policy of continuous and constant security improvements for the corporation. In other words, the Purple Team can be viewed as literally the “bridge” between the Red Team and the Blue Team, helping to instill a sense of continuous integration between the two. To fully ensure that the Purple Team provides the most robust lines of communication and information, it should remain a separate entity, neutral of all views and circumstances, so there is no bias.

News & Events

Bringing together information security end-users, analysts, policy-makers, vendors and service providers, join us at our 2017 events. We would love to meet you in person.

Stay Tuned...

Products

Products are tools that enable people to achieve goals. In order for products to be effective, the people managing them must implement and use them appropriately. This requires technical personnel and non-technical personnel to communicate effectively while working toward solving the same problem. Collaboration is key to mapping technical specifications to business functionality in an efficient manner.

The Open Group Architecture Framework (TOGAF)

TOGAF has its origins in the U.S. Department of Defense. It provides an approach to designing, implementing, and governing an enterprise information architecture.

TOGAF is a framework that can be used to develop the following architecture types:

    Regulatory Compliances

    We facilitate audits and develop policies and procedures to ensure full compliance.
    We start with a baseline and a pre-assessment to gather information for a gap analysis.
    We develop key performance indicators (KPIs) to ensure progress and get traction for compliance.

    • PCI DSS

    • ISO 27001

    • SSAE 16 SOC I and II Reporting

      • SOC 1 Type 1: A design of controls report used for evaluating and reporting on the design of controls put into operation as of a specific point in time.
      • SOC 1 Type 2: Includes the design and testing of controls to report on the operational effectiveness of controls over a defined period of time (typically six months).
      • SOC 3: A general use report that falls under the SysTrust and WebTrust seal programs, and does not contain a description of the service auditor’s test work and results.

    Security DevSecOps

    In many organizations today, the DevOps team and the InfoSec team work more closely and innovatively as peers. This is both an advantage over and an evolution of the traditional requestor/approver relationship between the two groups, allowing security professionals to bring a bigger presence. This new collaborative team has identified itself as DevSecOps, and is the alliance through which operations, engineering, and security are brought together in harmonious productivity.

    DevSecOps allows forward-thinking organizations to align traditionally contradictory teams with disparate goals together. The resulting synergies accelerate security intelligence to keep pace with continuously changing security landscapes. Problems are detected sooner, resolutions are implemented faster, and resources are protected more effectively.

    We provide Host-Based Intrusion Detection Integrations with the features below:

    Black Cat’s Principles

    Confidentiality
    • Ensures that data or an information system is accessed only by an authorized person. User IDs and passwords, access control lists (ACLs) and policy-based security are some of the methods through which confidentiality is achieved.
    Integrity
    • Integrity assures that the data or information system can be trusted: it is edited only by authorized persons and remains in its original state at rest. Data encryption and hashing algorithms are key processes in providing integrity.
    Availability
    • Data and information systems are available when required. Hardware maintenance, software patching/upgrading and network optimization ensure availability.

    Risk Management

    A Virtual CISO is flexibly designed to help meet the security requirements within your organization, and does so without the prohibitive costs of a salaried CISO. This is a strategically good approach for small/medium size businesses that simply don’t demand the extensive types of security operations of large enterprises.

    Policy

    A Virtual CISO helps to ensure your organization maintains a thorough and well-defined portfolio of security policies and Disaster Recovery plans, and updates those policies as your technology and strategic plans evolve and change.

    Guidelines

    A Virtual CISO can help your organization in developing a wide range of guidelines related to data security, use of information systems, and governance of access controls and rules regarding who, what, and when.

    Standards and Compliance

    As regulatory agencies continuously address new developments in the cybersecurity arena, the regulations for information security can change significantly in a short period of time. A Virtual CISO helps ensure your organization stays current and compliant with the latest requirements.

    Reporting

    Your organization is expected to report regularly on its practices for the management and mitigation of key information security concerns like GLBA or Vendor Management, as part and parcel of compliance efforts. With a Virtual CISO, your organization can work to guarantee that your reporting efforts are always thorough, compliant and reliable.

    Threat Intelligence

    Signature-based intrusion detection is one of the most commonly used methodologies of threat intelligence, but it is not effective on all types of threats, weaknesses, and vulnerabilities.
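To make the limitation above concrete, here is an added example (not Black Cat's code or part of the original page) that runs a tiny signature database over constructed web-server access log lines. The addresses, paths and timestamps are made up. It shows three things a practitioner runs into immediately: a literal signature catches the plain form of a known pattern, misses a URL-encoded variant of the same pattern until the path is normalized before matching, and knows nothing about a novel request that matches no signature at all. A simple behavioural heuristic (a source producing many 404 responses in the window) flags the probing host regardless of what it asked for; `SAMPLE_LOG`, `SIGNATURES`, `signature_hits` and `probing_sources` are names chosen for this example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed access-log lines in combined log format (addresses and paths are invented).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2017:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2017:10:00:04 +0000] "GET /about.html HTTP/1.1" 200 731 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [01/Jan/2017:10:00:05 +0000] "GET /contatc.html HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2017:10:00:02 +0000] "GET /../../etc/passwd HTTP/1.1" 404 0 "-" "curl/7.5"',
    '10.0.0.9 - - [01/Jan/2017:10:00:03 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0 "-" "curl/7.5"',
    '10.0.0.9 - - [01/Jan/2017:10:00:06 +0000] "GET /admin/ HTTP/1.1" 404 0 "-" "curl/7.5"',
    '10.0.0.9 - - [01/Jan/2017:10:00:07 +0000] "GET /old-site-backup.zip HTTP/1.1" 404 0 "-" "curl/7.5"',
]

# Parses client IP, method, request path and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signature database: rule name -> pattern applied to the request path.
# Deliberately tiny; a production ruleset has thousands of entries.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
}


def parse_line(line: str):
    """Return the parsed fields as a dict, or None for a line that does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def signature_hits(lines, normalize: bool = False):
    """Return (ip, rule, raw_path) for every line whose path matches a signature.

    With normalize=True the path is percent-decoded before matching, which is the
    minimum a real engine must do; without it, encoded variants slip past literal rules.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = unquote(rec["path"]) if normalize else rec["path"]
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                hits.append((rec["ip"], name, rec["path"]))
    return hits


def probing_sources(lines, threshold: int = 3):
    """Behavioural check: sources with at least `threshold` 404 responses in the sample.

    This needs no knowledge of the specific payload, so it also surfaces requests
    (such as the backup-file guess above) that no signature describes.
    """
    misses = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["status"] == "404":
            misses[rec["ip"]] += 1
    return sorted(ip for ip, n in misses.items() if n >= threshold)


if __name__ == "__main__":
    print("literal signatures:   ", signature_hits(SAMPLE_LOG))
    print("normalized signatures:", signature_hits(SAMPLE_LOG, normalize=True))
    print("probing sources:      ", probing_sources(SAMPLE_LOG))
```

On the constructed sample the literal rule fires once, the normalized rule fires twice, and the 404-rate heuristic names only the probing host (the single typo from 10.0.0.7 stays below the threshold). Neither method alone covers the whole list of threats that follows; signatures give precise, low-noise alerts for what is already known, and behavioural checks cover what is not.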

    Accidental data leakage

    Also called a Data Breach: sensitive data is transmitted to or viewed by an unauthorized individual.

    Malware

    Trojans, ransomware, office-gated malware, worms, viruses, etc.

    Identity Theft

    Falsely using someone else's private information for personal gain.

    Malicious access of data

    An employee's device (including personal devices) has been misplaced or stolen, exposing private data.

    Insider Threat

    Stealing sensitive corporate data for business advantage or personal gain.

    Weak passwords

    Single points of verification like passwords can easily be bypassed by savvy hackers.

    Social engineering

    Hackers manipulate employees into installing malware on their own systems.

    Loss/corruption of data

    The integrity of your data has been compromised somewhere in the writing, reading, storage, transmission, or processing cycle.

    Misconfigured systems

    A web server, app, or plug-in has been misconfigured in a way that inadvertently leaks info or allows hackers an entry point into your business's software or OS.

    Outdated operating system

    Operating systems advance annually to adapt to new security needs.

    Lack of encryption

    Not encrypting your data is the equivalent of leaving your wallet in an unlocked car with the windows down.

    Equipment failures

    Hackers locate a flaw, glitch, or weakness in your business's software or OS and create exploits to target those vulnerabilities.

    Unpatched vulnerabilities

    Vulnerabilities arise with every software addition to your environment.

    Untrained employees

    No security feature can account for human error.