How penetration testing is proposed and conducted is a critical part of overall vulnerability assessment.

The expertise of the assessors is essential to determining what combination of factors or vulnerabilities across systems might result in a successful exploit.

ecfirst works with customers on an individual basis to determine the testing most beneficial to their goals.

A primary goal for external penetration testing is to gain unauthorized, elevated access to an externally-accessible system.

Unauthorized access to other systems is pursued from this initial point, simulating real-world attack strategies.

Gaining Domain Administrator level access is a goal of internal network penetration testing, and how this may be used for unauthorized access to sensitive data.

Penetration testing provides proof of gaps in system configurations, network infrastructure, IT processes or applications.

Penetration Testing can also identify ineffective practices by staff that might lead to breaches and data exposure.

Methodology—External Testing

Reconnaissance - discover publicly available information about the organization to assist with furthering or focusing an attack

  • Client personnel & cultural information
  • Client business terminology
  • Technical infrastructure information

Scanning – identify systems, services, applications and vulnerabilities that may be exploited for access

  • Network Discovery
  • Network Port & Service Identification
  • Vulnerability Identification
  • Wireless LAN Discovery/Scanning
  • Enumeration

Methodology—Internal Testing

Scanning - identify systems, services, applications and vulnerabilities that may be exploited for access

  • Network Discovery
  • Network Port & Service Identification
  • Vulnerability Identification
  • Wireless LAN Discovery/Scanning
  • Enumeration

Exploitation - utilizing discovered information, vulnerabilities and/or deficiencies to obtain the goal

  • Password cracking
  • Discovered credential usage
  • Manual & Automated vulnerability validation
  • Privilege escalation
  • Additional tool installation
  • Data discovery
imgfluid