The SecureState Profiling Team is well known and highly regarded as experts in Penetration Testing. Our approach follows industry accepted testing methodologies such as PTES, NIST 800-115 and OSSTMM. By following these methodologies, our clients can accurately replicate the testing SecureState has performed in their own environment to accurately mitigate identified vulnerabilities. The SecureState Profiling Team also helps identify strategic “root cause” issues through our Penetration Tests. Our Risk Management Team is uniquely positioned to work closely with the Profiling Team in order to assist clients with mitigating these strategic “root cause” issues.
Phase I – Vulnerability Analysis:
Providing SecureState with internal vulnerability scan results removes the Discovery (Footprint) and Service Identification Phases of a typical Penetration Test and allows SecureState to immediately begin the Exploitation Phase. This process results in a more focused attack and a quicker turnaround of results. SecureState will use the most recent internal vulnerability scan results provided by the client to conduct this Vulnerability Analysis.
The internal vulnerability scan results provide not only vulnerability information, but also the ports and services that are exposed. SecureState will assess open ports and services from the vulnerability scans to look for potential targets, such as accessible HTTP, Telnet, RDP, and other ports that allow remote access or web server functionality.
Vulnerability scanners are notorious for outputting numerous false positives that are not applicable to a given environment. Engineers manually review scanner outputs to ensure verified vulnerabilities are applicable to only your PCI environment.
Phase II - Application Layer Testing:
During Internal Attack and Penetration Testing, SecureState often encounters web applications within the scope of testing. When this occurs, SecureState will perform limited manual testing of the web application in an attempt to identify common web application vulnerabilities such as SQL injection, file upload or command injection. While a Web Application Security (WAS) Assessment attempts to identify a breadth of vulnerabilities in a web application, application layer testing focuses on depth and on identifying vulnerabilities which ultimately will lead to complete access to critical systems and data.
SecureState will not test the business logic of the web application or attempt to understand how vulnerabilities may affect users of the system. Additionally, SecureState will not use credentials to test the application, truly making application layer testing a “blind test.”
Phase III – Exploitation:
SecureState first will manually validate the results from the scan. Next, all identified vulnerabilities will be assessed as to the likelihood of exploitation. The client’s Project Lead will be notified prior to any type of intrusive activity that potentially could impact network performance or system stability.
Phase IV – Locate Card Holder Data:
Upon discovering an exploitable vulnerability which allows the ability to gain elevated access to card holder data, SecureState will communicate the issue to the client within a mutually agreed upon timeframe.