According to the 2019 Application Security Risk Report by MicroFocus, unpatched vulnerabilities are still the leading cause of data breaches and are increasing yearly.1 Security Compass works with you to proactively assess your networks to identify vulnerabilities before they can be exploited. Understanding your required Threat Perspective and Assessment Depth will drive your customized Network Penetration Assessment.
Network penetration testing is broken down into Internal and External networks. Both threat perspectives offer unique challenges due to differing probable threat actors and a completely different attack surface. According to the Verizon 2020 Data Breach Incident Report,2 70% of breaches were from external threat actors, and 30% from internal threat actors. Both threat perspectives should be assessed to ensure no gaps are apparent
The Shift to Cloud
Recently, there has been a major shift of computing resources from on-premise to cloud platforms such as AWS, Azure, and GCP. This shift has changed how the network is secured. It isn’t uncommon to have private or internal resources hosted entirely in public cloud platforms, such as S3 buckets or Azure Active Directory.
Security Compass has many consultants and subject matter experts (SMEs) who can audit and review cloud network solutions. Our consultants apply our cloud knowledge to review networks, such as Virtual Private Clouds (VPCs,) to ensure appropriate ACLs as well as Security Groups to keep them private or public. Beyond the standard services such as web applications, our consultants review
platform specific services such as S3 buckets, managed containers, and API endpoints to ensure that the network assets are secure.
Internal Network Landscape
- Knowledgeable Insider Threats
- Generally Weak Network Controls
- Flat Topologies
- Exposed Vulnerable Services
External Network Landscape
- Virtually “Limitless” Threat Actions
- Stronger Network Controls
- Repudiation Issues
- Constantly Under Threat
Security Compass has over a decade of experience in conducting a wide range of network penetration tests. Our experienced team offers a customized scoping service to fulfill the needs of your business. We offer a tiered methodology to conducting a network penetration test.
Security Compass can customize the depth of analysis on your network assets to suit your needs. A Vulnerability Assessment focuses
on identifying vulnerabilities with non-intrusive methods such as auditing version levels and service banners. Going deeper, a Penetration Test will dive into vulnerabilities by exploiting them to understand Business Impact. A penetration test builds on the
vulnerability assessment to provide more value by executing tactics, techniques, and procedures (TTPs) to exploit and perform
post-exploitation activities. Enumerating sensitive data, gathering credentials, and eventually pivoting to other hosts can provide
context and identify gaps in security controls to deliver the true value in a Penetration Test.
Security Compass’s approach focuses on value by maximizing coverage and eliminating false positives. The general timeline is outlined below.
Scoping: Identify assets that need to be assessed. Set engagement parameters to ensure we are assessing the required resources
and the most impactful.
Recon: Leveraging tooling to perform host and service enumeration to build a footprint of the network resources.
Scanning: Identified assets are scanned to discover listening and available services. Services are catalogued and checked for known
security vulnerabilities. Custom and commercial tooling is leveraged to perform scanning.
Verification: The bulk of the assessment time is spent manually reviewing output from the scanning and investigating components that
are overlooked by automation. Security Compass’s experience and human analysis give you insight into where risks and security control
Exploitation: Beyond verification, exploitation can be performed to remove more false positives and to verify the true exploitability of the
Analysis: Once exploitation has occurred, analysis of the true business impact occurs. Determining business impact involves understanding what a successful exploitation could mean to that individual asset. Examples are gaining specific sensitive
information, or gaining privileges through compromised credentials. Security Compass’s experience contextualizes the impact to provide a more accurate depiction of the risk to your business.
Industry Leaders in Network Penetration Testing
Put our cutting-edge offensive security experience to work for you and learn how prepared your company is to defend against real-world attackers.