Our Approach and Methodology
The SecureState Profiling Team are well known and highly regarded as
experts in Penetration Testing. Our approach follows industry accepted
testing methodologies such as
PTES,
NIST 800-115 and OSSTMM. By following these methodologies, our clients can accurately
replicate the testing SecureState has performed in their own environment
to accurately mitigate identified vulnerabilities. The SecureState
Profiling Team also helps identify strategic “root cause” issues through
our Penetration Tests. Our Risk Management Team is uniquely positioned
to work closely with the Profiling Team in order to assist clients with
mitigating these strategic “root cause” issues.
Phase I – Pre-engagement Interactions:
In this phase, SecureState works with the client to establish the rules
of engagement and the scope, and to exchange contact information for
both parties. SecureState provides a detailed Project Charter which contains
information on scope and everything that will be required to conduct the
testing. The Project Charter is discussed during the kickoff call prior to
the beginning of the engagement.
Vulnerability scanners are notorious for outputting numerous false
positives that are not applicable to a given environment. SecureState
consultants manually review scanner output so that only verified
vulnerabilities applicable to your PCI environment are reported.
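The scanner review described above has two parts: dropping findings whose host is outside the cardholder data environment (CDE), and flagging findings the scanner inferred from a version banner alone, since those are the most common false positives and need hands-on confirmation. The following Python is an added illustration of that triage step and is not SecureState's tooling; the scope networks, finding records and scanner field names (`detection` of `"banner"` or `"active"`) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed PCI scope: the CDE networks agreed in the Project Charter.
PCI_SCOPE = [ipaddress.ip_network(n) for n in ("10.10.20.0/24", "10.10.21.0/24")]


@dataclass
class Finding:
    host: str
    name: str
    severity: str
    evidence: str    # what the scanner based the finding on
    detection: str   # "banner" = inferred from a version string, "active" = behaviour observed


# Constructed sample scanner output (not real scanner data).
RAW_FINDINGS = [
    Finding("10.10.20.15", "Outdated web server version", "high",
            "Server: Apache/2.2.x", "banner"),
    Finding("10.10.20.15", "Directory listing enabled", "medium",
            "HTTP 200 with 'Index of /'", "active"),
    Finding("192.168.50.9", "Weak SSL cipher suites", "medium",
            "TLS handshake accepted RC4", "active"),
    Finding("10.10.21.7", "Anonymous FTP login", "high",
            "230 Login successful", "active"),
]


def in_scope(host: str) -> bool:
    """True when the host address falls inside one of the agreed CDE networks."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in PCI_SCOPE)


def triage(findings):
    """Split findings into (kept, dropped).

    Kept findings are paired with a verification status: banner-only detections
    are tagged as likely false positives because the scanner saw a version string,
    not the vulnerable behaviour. Out-of-scope hosts are dropped entirely so the
    report covers only the PCI environment.
    """
    kept, dropped = [], []
    for f in findings:
        if not in_scope(f.host):
            dropped.append(f)
            continue
        status = "verify_manually_likely_fp" if f.detection == "banner" else "verify_manually"
        kept.append((f, status))
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = triage(RAW_FINDINGS)
    for f, status in kept:
        print(f"{f.host:14} {f.severity:6} {status:26} {f.name}")
    for f in dropped:
        print(f"{f.host:14} dropped (outside PCI scope)   {f.name}")
```

The banner-based finding is kept but marked so the consultant knows it must be confirmed (for example by checking the actual patch level on the host) before it appears as a verified vulnerability.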
Phase III – Web Application Black Box Testing:
During PCI Attack and Penetration Testing, SecureState uses a limited
Black Box level approach to test web applications encountered. Black-Box
test design treats the system as a “black-box,” so it does not explicitly
use knowledge of the internal structure. Black Box test design is usually
described as focusing on testing functional requirements. Black Box testing
will also help to identify many of the OWASP Top Ten vulnerabilities that
are common to web applications. All tests will be made against the web
applications identified. This phase meets the PCI-DSS requirement for
application layer testing.
Phase IV – Exploitation:
First, SecureState will manually validate the results from the scan.
Next, all identified vulnerabilities will be assessed as to the likelihood
of exploitation. Communication will be made with the client’s Project Lead
prior to any type of intrusive activity that could potentially impact
network performance or system stability. Any high or critical risk exploit
will also be communicated to the client upon discovery, in order for the
client to initiate corrective actions.
Phase V – Locate Cardholder Data:
Once vulnerabilities have been exploited, SecureState will use any access
obtained to locate cardholder data. During this phase, SecureState also
chains multiple vulnerabilities and attack vectors to achieve a greater
degree of compromise. This is called the SecureState Vulnerability Linkage
Theory (VLT) and is provided to clients through a visual representation in
our report. Communication will be made with the client’s Project Lead once
cardholder data is accessed, so that corrective action may be implemented.
Phase VI – Post Exploitation:
The Post Exploitation Phase includes pillaging, penetrating further into
the network, documentation and cleaning up any remains from SecureState’s
testing on the client’s systems.
Phase VII – Reporting:
As part of the deliverable, SecureState provides a report which contains
a short graphical summary aimed at senior management, a narrative body which
details major findings, and a detailed findings section aimed at technical
staff. Additionally, SecureState provides a closing call and a high level
executive presentation to summarize the penetration test, as well as an
opportunity to ask questions about the engagement.