Penetration Tests, or ethical hacking, are an important part of any security program. Our methodology, based largely on the Open Source Security Testing Methodology (OSSTM), is designed to validate the security surrounding externally connected systems from the Internet, as well as within a Corporate Network, depending on your needs.
Both External and Internal Penetration Tests are designed to detect weaknesses in a system, network or application that could allow host or information compromise and safely exploit these weaknesses to evaulate the impact on business operations.
External Penetration Testing involves finding and exploiting known and unknown vulnerabilities from the perspective of an outside attacker. External pentests can also test an organization's monitoring and incident response capabilities. Our testing is designed to mimic a variety of scenarios including a casual hacker who infiltrates a system for spam or other unrelated malicious purposes, dedicated hackers targeting with a specific goal and rogue employees or disgruntled ex-employees who may have privileged access or the ability to bypass certain access controls.
Using the Open Source Security Testing Methodology, our tests are comprehensive examinations of both network and application layer vulnerabilities. Our analysts use commercial and publically available tools - the same tools as the bad guys, in many cases, to achieve accurate and consistent results.
Internal Penetration Testing examines the security surrounding internally connected systems, typically within a corporate network. Just as External Penetration Testing tests the security of externally connected systems from over the Internet, Internal Penetration Testing involves the finding and exploitation of known and unknown vulnerabilities from the perspective of an inside attacker, whether that be a guest within the premises of an organization or disgruntled employee.
Our internal pentests are also designed to address advanced threats such as layer 2 and 3 protocols that if successfully leveraged, can be exploited to gain additional access to a corporate network.
Penetration Testing must be conducted to achieve compliance with a multitude of regulations and standards that industries face including the Payment Card Industry Data Security Standard (PCI DSS) [PDF]. These regulations require that penetration testing to be performed once a year and after any significant application modification or network upgrade.
While not required for compliance testing, many of our customers wish to evaluate the security surrounding their wireless networks - whether for guests or employees. Dara Security will test not only the encryption of your wireless network, but also perform a site survey, identify any rogue access points, and test to ensure proper segmentation is applied. Visitor or guest wireless networks without proper segmentation could allow an outsider access into your business environment.
Social engineering can be performed in a multitude of ways, however our preferred method is through electronic means, such as email and telephone. In a social engineering exercise, our analysts will attempt to solicit employees to supply privileged information, such as usernames or passwords, trade secrets or personal identifying information (PII). We can also passively collect information regarding users who open email attachments or visit potentially malicious websites controlled by Dara Security. Combined with a penetration test, this can offer a valuable evaluation of the human factor of your security program.
Dara Security's analysts have over a decade of experience in various Profiling and Penetration Testing techniques. Our team's certifications include CISSP, GPEN, GXPN, GWAPT and certified web application penetration testing certifications. Our analysts are constantly studying and working to stay at the forefront of penetration testing and security assessment techniques as well as business trends through training, education, and speaking.