Penetration testing, also known as pen testing or ethical hacking, is one of the best ways to assess the real-world effectiveness of your technical controls, policies, and procedures. In many cases, it is also a mandatory requirement to meet compliance regulations or industry standards such as the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), Gramm-Leach-Bliley Act (GLBA), and others.
Gray Tier offers a selection of penetration testing services to meet your specific needs and budget, including:
When conducting a pen test, Gray Tier information security experts simulate the thought processes and actions of a malicious external or internal actor to get unauthorized access to systems or to extract sensitive information. Using a flexible methodology, rather than a fixed set of tools, we employ every resource at our disposal to reveal issues that could leave your organization at risk – before a malicious hacker exploits them.
Internal penetration testing (also known as internal assessments) applies these techniques to systems, servers, and applications within the boundaries of your internal network, typically within the public-private boundary created by an external-facing firewall. While most organizations initially think of defending their sensitive data and systems from external attacks, many successful attacks against an organization come from within the network boundary, making internal network penetration testing all the more critical. These attacks can take the form of viruses brought in on mobile devices or removable media, an internal employee committing fraud by exceeding their assigned privileges, or a full attack from a malicious visitor (such as a hacker compromising an internal wireless network or a rogue consultant). Internal penetration tests typically include the following systems and services:
In today’s business environment, protecting information, complying with legal and regulatory requirements, and operating in alignment with commonly accepted security best practices are integral parts of success and service delivery. External penetration testing (also referred to as external assessments) is performed from outside your infrastructure, and is designed to replicate the tools and techniques that malicious hackers would use to compromise your organization. External pen tests typically include the following systems and services:
Unless otherwise specified, Gray Tier follows a risk-based approach attempting to exploit systems that are suspected to contain high-value information as well as any “targets of opportunity” you identify. During testing, it may be sufficient to identify vulnerabilities and use a limited exploit to confirm their existence. However, whether for proof or confirmation, many times exploits will be used to gain access and show system weaknesses. Gray Tier follows a “Do No Harm” approach to testing and will not conduct tests or exploits that would purposely take down a system or cause other operational harm to a system or data.
Gray Tier approaches wireless security from three different perspectives:
We determine the level of security of your organization’s wireless environment by having skilled penetration testers perform a rogue device detection sweep and attempt to compromise your wireless infrastructure. This approach provides very quantifiable results and can identify weaknesses in any of these areas. Our wireless penetration testing practices (also known as wireless network assessments) leverage a combination of techniques and attacks appropriate to your wireless configuration, as different security scenarios require different attack methodologies. Our testing approach includes wireless node discovery, configuration mapping, and/or cryptographic cracking. As an additional service, Gray Tier can also take a more white-box approach to conduct interviews and performance reviews with the IT staff managing the wireless environment. This full-knowledge approach complements the penetration testing to identify other potential improvements which could further harden the wireless infrastructure (such as network segregation, intrusion detection, and simultaneous connections).
Information security follows a continuous cycle of design, deploy, test, and improve. Policies and guidelines, implementation processes and procedures, and testing form the basis for this process. While policies and procedures may be formalized and well-understood, breakdowns in processes or simple human error can lead to unknown vulnerabilities that can only be discovered through testing.
Not all penetration tests are created equal. Many firms that claim to offer pen testing rely on a single automated tool with little penetration testing experience or knowledge beyond what the tool can do for them (and just as importantly, what it does not do). Gray Tier employs a multifaceted approach—one that integrates research along with in-depth technical analysis and “manual” testing. Our approach looks at publicly leaked or available information, missing controls, system misconfigurations, and system vulnerabilities just like a malicious hacker would.
Based on your objectives, this multifaceted approach to testing your organization’s security posture can also leverage Gray Tier’s social engineering and physical security testing expertise to create a simulation of complex, real-world “blended” threats. Such tests may be designated as “black-box,” “white-box,” or “crystal-box” depending on how much information you care to share with us prior to the test, or how interactive or adaptive you want the test to be during the execution. We also offer custom solutions such as wireless network and remote access testing, as well as email and telephone “phishing” tests.
Our penetration testing reports are very comprehensive, giving you a clear understanding of the testing methodology; the extent of the work performed; extensive documentation of findings; and prioritized remediation advice.