Products & Solutions
In today’s increasingly interconnected business world, the threat horizon expands at an alarming rate, and vulnerabilities are continuously exploited in more sophisticated, focussed and unobtrusive ways than before.
These vulnerabilities, present in an organisation’s Information Technology technical architecture, increasingly expose and jeopardise its most valuable asset, its information. It is commonly known that organised crime syndicates target companies and their information for monetary reward and partake, often on behalf of competitors, in industrial espionage or sabotage related activities.
These activities then generally lead to either a loss of information or the disclosure of sensitive, confidential or business-critical information, ranging from financial to operational to strategic information, resulting in reputational damage that sometimes can never be recovered from. In addition to reputational damage, an organisation can face a breach of its legal obligations for not having adopted an appropriate precautionary strategy to protect its information assets.
A penetration test / resilience test, also occasionally referred to as a pentest, is a method of evaluating the security of a network by simulating an attack from malicious outsiders (who do not have an authorized means of accessing the organization’s systems) and malicious insiders (who have some level of authorized access). Penetration tests are valuable for several reasons:
The essence of a resilience test is to determine how resilient an organisation is against a defined attack scenario and against both generally known and unknown attack vectors. The methodology generally consists of the following steps, but often needs to be varied depending on individual client requirements:
Network Mapping and Target Discovery
Exactech will gather information about the deployment of the target network, identifying systems present and any intermediate network devices that might be of interest.
Target Identification and Service Discovery
Operating systems and services are enumerated to form a picture of the functionality available that might be abused by an attacker.
Vulnerability Identification and Analysis
Identified hosts and services will be assessed for the presence of both known software vulnerabilities and incidences of poor configuration. Both automated tools and manual techniques will be used to ensure maximum coverage.
Exploitation and Further Access
Exactech will attempt to exploit any vulnerabilities or weaknesses uncovered, both to verify their presence and to gain an understanding of the business impact a particular issue might have for the organisation. At this stage, our consultants will attempt to access any information or systems specified by the client as ultimate targets for the penetration test (such as critical servers or company confidential data). We will, however, where we deem it necessary, first consult you before any significant exploitation commences, as this could result in operational impacts if not performed in a knowledgeable and controlled manner.
Deliverables and Reporting
Exactech consultants will, depending on the nature of the engagement, regularly provide feedback to management on the progress of the assessment and testing exercise.
We will also deliver a formal report including an executive summary for management, a risks and recommendations table detailing the high level results of the assessment and a detailed description of each issue discovered including remediation advice.
Our vulnerability assessment methodology follows a four-step process that aims to identify potential vulnerabilities and weaknesses that could be leveraged by intruders to obtain unauthorised access to information systems:
Network service discovery
During this step, we will perform port scans of the agreed scope in order to identify key network services to be included in the vulnerability scan. This ensures that the vulnerability scanning tools are optimised to focus only on active network services.
Vulnerability Scanning and Identification
During this step, we will carry out assessments on the agreed scope to identify any known vulnerabilities that may exist on the hosts and their respective network services. We will utilise various automated software scanning and manual interrogation techniques to identify the vulnerabilities.
During this step, we will review and interpret the vulnerabilities identified and consider their impact on your environment. It is also during this step that we eliminate false positives that may arise from the vulnerability assessment scan results.
Deliverables and Reporting
As per the external assessment, during this step we will compile a formal report including an executive summary for management, a risks and recommendations table detailing the high level results of the assessment and a detailed description of each issue discovered including remediation advice.
For more information, send us an email or call our office closest to you. See Contacts page.
Our primary mission is to help organizations improve their fraud resistance levels and thus become more profitable. Secondary to that is to make a positive contribution to business ethics at our clients and in society in general.