Internal and External Penetration Testing

Network and application penetration tests are different from vulnerability scans in that penetration tests are more focused. Rather than providing a laundry list of potential vulnerabilities, the PSC Penetration Tests simulate an attack, using the methods and tools favored by script-kiddies and determined hackers. PSC evaluates the protection of Client information technology assets (people, process and systems), with a special emphasis on the effectiveness of logical access and system software controls. The objectives of these tests are to obtain command and control of the targets systems or extract the sensitive data they are intended to protect. PSC evaluates the protection of Client information technology assets (i.e., data, systems, and processes), with a special emphasis on the effectiveness of logical access and system software controls as they relate to PCI DSS. PSC tests to determine that:

• Unauthorized access to cardholder data can not be achieved
• Unauthorized access to source code can not be achieved
• Guests cannot obtain unauthorized access to the corporate network
• No cardholder data exists on any system outside of the cardholder environment

While performing all tests, it is PSC's goal to go beyond PCI and provide value to the Client's security initiatives by identifying opportunities to increase due diligence in areas such as brand integrity, physical security, intellectual property and fraud.

It is important to note, that the only procedures required for compliance with PCI 11.3 are the application layer and network layer assessments.

The goal of Web Application Security Testing is to provide a thorough review of web-based software applications or web services for any security defects that may exist within the software and could lead to a breach or compromise. PSC will utilize both automated and manual tests that are customized for the specific application. The test will examine communications between the client (browser) and the server to first understand how the application was designed.  With this information, PSC will analyze the design for components of the application that will be targeted during the testing. Targets will be tested for their resilience to unexpected or malicious input, boundary cases, and the ability to recover when the application has reached an unexpected state. Internet-facing applications can be tested remotely from PSC’s Security Lab. Applications that are not available to the general public are tested onsite. Testing is based on the Open Web Application Security Project (OWASP), CWE Top 25, and supplemented by information from various industry sources such as whitepaper and conference presentations. Our assessors stay abreast of new developments in the web application security field in order to ensure that the tests meet the highest standards.

Once the results of the testing have been presented to the Client, PSC will be available to offer assistance to your development and security teams in order to find appropriate solutions for any security defects that may have been discovered during the testing.  PSC understands that solutions need to be practical and compatible with the Client's business needs while still maintaining a high level of security.

PSC will also be available to test the solutions that have been implemented in order to ensure that they effectively remediate any security issues and do not expose the application to any additional risk.

PCI DSS

PCI DSS Requirement 6.6 is intended to address common threats to cardholder data and ensure that web applications are included within the security assessment.

The PSC FIRST (Flexible Internal Remote Systems Testing) Key is a lightweight penetration testing solution that combines the best of on-site and remote testing capabilities. Self-configuring with built-in diagnostic tools, FISRT Key is delivered on a USB flash drive and provides the client the ability to spot check and understand their environment’s vulnerabilities.

Designed with security built-in, the FIRST Key converts any user workstation to the platform for penetration testing, without touching the system’s hard drive. It uses full disk encryption to secure all test results and communicates to the PSC Operation Center over an encrypted SSH tunnel over a single outbound port. Because it is based on Ubuntu Linux, it’s unaffected by the malware common to Microsoft Windows solutions, protecting the security of the network.

PSC's Vulnerability Scanning service is designed to identify critical flaws in an organization’s external and internal networks that an attacker could exploit. Vulnerability Scanning are designed to deliver a prioritized list of potential risks. PSC offers services for scanning external infrastructure and can help develop an effective program for vulnerability management of internal assets.

Wireless networks pose a greater risk as hackers refine the techniques for cracking the security controls of Wi-Fi security and encryption. As a compliment to Application and Network Layer Penetration Tests, PSC conducts WLAN Penetration Testing to determine the vulnerabilities posed by the poorly secured WLAN. PSC's Wireless Penetration Testing may include:

• WEP/WPA/WPA2 Preshared Key brute force attacks
• Man in the Middle attacks against wireless end-users
• Discovery of rogue Wi-Fi networks and access points

The goal of PSC's Wireless Penetration Testing is to identify security gaps or flaws in the design, implementation or operation of your organization’s wireless network and assist you in remediating and defending your network.

Social engineering refers to techniques of exploiting your employee's better nature and willingness to be helpful. In a social engineering attack, an attacker uses direct interaction with your staff to access information about your organization or critical computer systems. An attacker may seem unassuming, respectable, even charming; the may claim to be the new employee, a repair person, or delivery person. Testing techniques include:

• Remote: Posing as a representative of the IT department’s help desk and asking users to divulge their user account and password information
• On site: Posing as an employee and gaining physical access to restricted areas that may house sensitive information; intercepting mail, FedEx/UPS packages or even dumpster diving to search for sensitive information about your organization.

Social engineering activities test the ability of the organization’s people to prevent unauthorized access to information and information systems. These tests can dramatically increase the level of security awareness among your employees.