Potential areas covered during our Penetration testing include the following;
- Perimeter and Internal Penetration Testing: Please review the Internet Technology Security Testing Module details shown below. Network security testing: We analyse the security of your networks, considering the potential for both an internal and external attack. Important for all organisations, it is essential for high profile or Internet businesses where breaches of customer confidentiality or fraud could result in bad publicity, loss of reputation and busines
- Remote access and remote worker security: We ensure your organisation is equipped to manage the security risks that arise from remote and home working. Issues such as laptop security, home and remote worker security, VPN security and access to remote servers are considered.
- Application security testing: We rigorously test your applications to ensure they are secure enough to cope with the transactions they are required to undertake (e.g. online banking and order processing).
- Payment Card Industry Data Security Standard (PCI DSS): As a Qualified Security Assessor (QSA), our Approved Scanning Vendor team helps organisations who sell or take donations or payments by credit card to become and stay compliant with the PCI DSS, ensuring they do not risk fines or being permanently barred from the card acceptance programme in the event of a security breach.
- Forensics (Incident Response & Investigation Services): If your systems have been attacked or if you require forensically sound investigation of suspected computer abuse our Computer Forensic Incident Response & Investigation Services deliver a professional service based on real technical expertise and investigation experience.
Perimeter & Internal Penetration Testing
The first stage is a reconnaissance scan, before which, critical and sensitive devices will be identified and tools will be configured so as not to interfere with business operations. During the test topCOM will examine the topology of the network looking for potential security weaknesses. After active IP addresses, services and protocols have been identified topCOM will present the initial results back to the client for the opportunity to highlight areas topCOM would recommend concentrating testing activities and for the client to confirm areas of critical interest from a business perspective. At this stage topCOM will perform the Internet Technology Security Testing Module against the active IP addresses discovered during the reconnaissance scanning phase. This module includes the following tasks:
- Logistics and Controls: 100% Manual 0% Automated - Adjusts the configuration of tools used in the rest of the internet technology security tests to reduce false negatives and positives.
- Network Surveying: 100% Manual 0% Automated - Finds reachable systems to be tested without exceeding the legal limits of what may be tested. It is used as a starting point for other internet security tests and may be used in conjunction with network information already provided by the organisation.
- System Services Identification: 75% Manual 25% Automated - Networks identified in previous tests are scanned for services including IP Protocols and UDP/TCP services - once identified these services are added to the network map for further investigation.
- Competitive Intelligence Scouting: 100% Manual 0% Automated - Measures the buzz (feedback) of the organization based on newsgroups, web boards, and industry feedback sites and gives an estimate of the cost of the organisations Internet and support infrastructure. Competitive intelligence scouting also gives an indication of the number and types of products being sold electronically as well as cracked products found in P2P sources.
- Internet Document Grinding: 90% Manual 10% Automated - Recursively examines documents available on the internet for useful information, providing profiles of employees, back and front end technologies as well as external, trusted entities.
- Exploit Research and Verification: 75% Manual 25% Automated - Identification and verification of weaknesses, misconfigurations and vulnerabilities within hosts and networks under control of the organisation or its external trusted entities.
- Routing: 100% Manual 0% Automated - Tests routing configurations, the ability of routing equipment to handle malicious packet streams as well as routing/control protocol testing. Also tests the access lists and general routing equipment to different attacks across OSI layers.
- Trusted Systems Testing: 100% Manual 0% Automated - Maps and tests the organisations infrastructure and trusted systems superstructure by launching attacks posing as trusted internal and external entities identified in the network surveying stage.
- Access Control Testing: 100% Manual 0% Automated - Tests firewalls access control lists for DMZs and Private networks, other utility/security mechanisms (NAT, anti-spoofing, etc) for effectiveness and resilience to attack, as well as mapping services tunnelled through and provided by firewalls protecting the organisation.
- Password Cracking: 50% Manual 50% Automated - Validates password strength through the use of automated password recovery tools that expose either the application of weak cryptographic algorithms, incorrect implementation of cryptographic logarithms, or weak passwords.
- Containment Measures Testing: 100% Manual 0% Automated - Examines the handling of traversable, malicious programs and egressions, as well as testing containment mechanisms and response policies.
Tests are carried out both remotely and locally to best simulate the types of attacks that a customer may experience from a determined attacker.
All topCOM engagements come with access to the SureGuard Security Assurance platform, providing:
- PCI DSS (latest full SAQ) & GSi CoCo (full Annexes) Gap Analysis project plans, and results in one centralised repository providing:
- Full infrastructure, application and IT Health Check (internal) penetration test plans, results and solutions;
- Fully satisfies requirements of internal / external auditors, with advanced vulnerability and test tracking features;
- Full transparency of test methodology and vulnerability discovery steps;
- Year round access to TopCOM certified consultants via on-line secure messaging;
- A continually updated vulnerability database; constantly reviewed with ‘vulnerability combinations’ identified, and severity ratings adjusted accordingly;
- Vulnerability management process with risk-based vulnerability scoring; security weaknesses can be managed in the context of risk the organisation is exposed to (rather than simplisticvulnerability severity approach);
- PCI ASV / CoCo compliant vulnerability scans scheduled and operated by TopCOM;
- Security Review Calls carried out by TopCOM Consultant;
- Proactive vulnerability alerting;
- Comprehensive management and technical reporting suite.
1. The ability to track and communicate progress through the compliance process; 2. The ability to easily identify overlaps across compliance standards;
topCOM User Report Demonstration
At topCOM we supply our customers with a secure online resource to view their vulnerabilities.
Additional Testing Areas
Wireless Security Testing
Tests to verify the security of wireless devices and networks with the aim of confirming security levels and also identifying rogue access devices that should be removed from the network.
VoIP Security Testing
VoIP testing is a specialist area of testing, which not every company is equipped to perform. It is important to test that transmission encryption levels are as expected and that there are no weak points where malicious users could intercept traffic.
POTS Telephony Testing
POTS testing is a specialist area of testing, which not every company is equipped to perform. It is important that there are no weak points where malicious users could intercept or interfere with traffic.