Our Approach and Methodology
The SecureState Profiling Team are well known and highly regarded as
experts in Penetration Testing. Our approach follows industry accepted
testing methodologies such as
OWASP and OSSTMM.
By following these methodologies, our clients can accurately replicate the
testing SecureState has performed in their own environment to accurately
mitigate identified vulnerabilities. The SecureState Profiling Team also
helps identify strategic “root cause” issues through our Penetration Tests.
Our Risk Management Team is uniquely positioned to work closely with the
Profiling Team in order to assist clients with mitigating these strategic
“root cause” issues.
Phase I – Pre-engagement Interactions:
In this phase, SecureState works with the client to establish the rules
of engagement as well as the scope; and exchange contact information for
both parties. SecureState provides a detailed Project Charter which contains
information on scope and everything that will be required to conduct the
testing. The Project Charter is discussed during the kickoff call prior to
the beginning of the engagement.
Phase II – Discovery Analysis / “Footprint” Creation:
An internal profile or “footprint” is created of computer addresses and
other information regarding the client’s internal connected systems, taking
an “unknown presence” and reducing it to a specific range of IP network
ranges and host systems.
Phase III - Service Enumeration:
Specialty tools are used to programmatically “ping” or map a client’s
existing Internet presence. A “service scan” is initiated to identify
listening service ports, in order to determine the type of operating systems
and applications in use. Detailed configuration and user information is
obtained for each system, and the computer addresses acquired during Phase
II are programmatically scanned.
Phase IV – Application Layer Testing:
A limited manual testing of any web applications encountered, looking for
common web application vulnerabilities such as SQL injection.
Phase V – Exploitation:
All identified vulnerabilities will be assessed as to the likelihood of
exploitation; and we actually do exploit the vulnerabilities.
Phase VI – Post Exploitation:
The Post Exploitation Phase includes pillaging, penetrating further into
the network, documentation and erasing any remains from we may have left
Phase VII – Reporting:
As part of the deliverable, SecureState provides a report which contains
a short graphical summary aimed at senior management, a narrative body which
details major findings and a detailed findings section aimed at technical
staff. Additionally, SecureState provides a closing call and high level
executive presentation to summarize the penetration test as well as provide
an opportunity to ask questions about the engagement.