Good security requires people, process and technology.
We’ve got all three…

Trust your Security to the Pros, Certified, Experienced, Trusted


Why Conduct a Penetration Test?

Cyber Security Assessments (Penetration Testing) are a vital part of a good security plan. Assessments bring the hacker’s perspective, and that’s something technology alone cannot do. Technology is not designed to think outside the box, but a skilled hacker is. Hackers are continuously developing new techniques and honing old ones, and technology on its own cannot keep up.

Cyber Security Assessments that are conducted by certified and experienced professionals will discover issues that could lead to a breach of security. Assessments can help to address weaknesses and inadequacies in network systems that only a trained eye can see.

Assessments can check the box on any compliance or supplier driven mandate to prove your company has taken the measures to protect infrastructure and the sensitive data that it supports.

Knowing exactly what is involved in a cyber security assessment, from scoping and procedure to cost, is only a few clicks away.

Book a free consultation with us to get the answers you need to decide.

Why SecuSolutions

SecuSolutions offers Security Consulting, Managed Security Services, and Security Education, and nothing else. For over 21 years we have served virtually every industry, from the financial to the public and energy sectors, on a global scale.

Our experience and dedication to security is evident in the deliverables we produce and the solutions we have developed for the security market. We are brand neutral and offer no outsourced products, solutions, or services; we focus only on solutions that have been developed in house and tested by our most valuable resource, our staff.

Our team members are certified and hold the most widely recognized and respected security certifications available.


Certifications

Offensive Security Certified Professional (OSCP)
Certified Information Systems Security Professional (CISSP)
Certified in Homeland Security, Level 3 (CHS-III)
Certified Information Systems Auditor (CISA)
Certified Data Privacy Solutions Engineer (CDPSE)

Methodologies

All our pen tests are conducted using proven methodologies and standards that are recognized worldwide.

OSSTMM

Open Source Security Testing Methodology Manual
Provides a scientific methodology for network penetration testing and vulnerability assessment to identify vulnerabilities from various potential angles of attack.

OWASP

Open Web Application Security Project
Aims to identify vulnerabilities within web and mobile applications. Provides over 66 controls in total to assess, in order to identify potential vulnerabilities within the functionality found in modern applications today.

PTES

Penetration Testing Execution Standard
Highlights the most recommended approach to structuring a penetration test. This standard guides testers through the various steps of a penetration test, including initial communication, information gathering, and the threat modeling phases.

ISSAF

Information System Security Assessment Framework
This framework is designed to evaluate the network, system, and application controls in a penetration testing methodology. It consists of a three-stage approach and a nine-step evaluation. The approach includes the following three stages:

NIST

National Institute of Standards and Technology
NIST publishes a set of standards with quality principles that can be used by organizations to develop secure information security applications and to perform security tests. NIST SP 800-115 provides an overview of the essentials of security testing.

The industries we serve and why

Small Business

Small businesses may be small, but they hold the bragging rights to the hardest and most often hit industry segment. Small businesses tend to believe they will not be a target of hackers; hackers beg to differ.

“43% of attacks target small businesses” (source purplesec)

Energy

Energy is vital to our economy. It is also a prime target of hackers. A single major shutdown of an oil or gas plant, or of a bulk power plant such as a nuclear, wind or hydro dam facility, can spell disaster.

“77% of U.S. energy companies are vulnerable to ransomware attacks via leaked passwords” (source Houston Chronicle)

Technology

The technology sector is often ground zero for cyber attacks. Valuable technology, trade secrets, patents and the willingness to adopt new technologies make it a soft target for hackers.

“Technology became the most attacked industry for the first time, accounting for 25% of all attacks (up from 17%). Over half of attacks aimed at this sector were application-specific (31%) and DoS/DDoS (25%) attacks, as well as an increase in weaponisation of IoT attacks” (source securitybrief.asia)

Manufacturing

Manufacturing is an industry that is underprepared for attacks. The lack of resources and the slow adoption of security technologies have this industry trailing behind most others. This is alarming considering the importance this segment has to the economy.

“Attacks on manufacturing companies around the world rose 300% in 2021” according to the (Global Threat Intelligence Report)

Healthcare

Healthcare is getting some unwanted attention: 93% of healthcare organizations have experienced a data breach. Healthcare systems contain very sensitive information that hackers want.

“Healthcare has the highest number of attacks by ransomware over any other industry” (source purplesec)

Higher Education

Higher education needs to hit the books. Despite being an industry dedicated to learning, educational institutes are far behind when it comes to security. In fact, hackers refer to it as a “playground” in which to test their wares and hone their skills.

“41% of higher education cyber security incidents and breaches were caused by social engineering attacks” (source purplesec)

Finance and Insurance

Finance and insurance are the top industries spending the most money to fight cyber crime, says a recent report from Deloitte. So much so that many insurance companies now offer cyber insurance to companies that require it due to regulation or compliance requirements.

“67% of financial institutions reported an increase in cyber attacks over the past year” (source purplesec)

Government

Government is forever under attack for obvious and not so obvious reasons. Political motives, humanitarian causes, activists, and attacks from other countries are commonplace. Government is generally slow to react and to implement change or protective measures, making it a prime target.

For a comprehensive list of attacks, visit (csis.org)

Transport and Logistics

Transport and logistics are high on the list of attackers. Disrupting transport and supply chains can be a lucrative business. Ransomware and malware attacks are the top two means hackers use to wreak financial havoc on companies and to create panic for consumers.

“The US Department is offering up to $10 million for information leading to the identification or location of the leaders behind a recent ransomware attack by the DarkSide which was a ransomware attack” (source duo.com)

Telecommunication

Telecommunication may include satellite companies, internet providers and telephone companies. The amount of data and infrastructure handled by this industry makes these organizations a favourable target of hackers.

“Telecommunications made a significant jump from sixth place in Q4 2020 to become the number-one DDoS target in Q1 2021” (source Daily Swig)

Still not sure if you need a Penetration Test?

How certain is your IT team that they are doing all they can to protect your data and sensitive information from prying eyes?

When was the last time your company conducted a security audit?

Do you know who in your organization has access to what information?

Will you be required to conduct a compliance audit in the near future?

How much downtime can your company afford?

Do you know where your most critical data is stored?

Would you like to know where the holes in your security plan are?

Do you know which of your company’s assets are in the cloud and who’s responsible for protecting them?

Types of Penetration Tests

Network Penetration

Network Penetration Testing is an assessment that is conducted by a seasoned and certified security professional. The assessment identifies vulnerabilities within network infrastructure by using the same techniques used by hackers. A pen test is usually conducted once a year to maintain a fortified security posture and to adhere to any compliance regulations. It is good practice to conduct an assessment following any major changes to the infrastructure. Network Penetration Testing can be performed to adhere to required security compliance standards, such as PCI-DSS, ISO27001, and SOC 2.

Internal Penetration

Internal Penetration, also known as Insider Threat Simulation Testing, is designed to identify and remediate vulnerabilities discovered in internal network infrastructure. The pen test is performed using the same techniques a dismissed or disgruntled employee might use to breach your network from within. It is highly recommended that an internal pen test is conducted at least once a year or following any major change to the infrastructure. Conducting an internal penetration test is also required by various standards, such as PCI-DSS, ISO27001, and SOC 2.

External Penetration

External Penetration Testing is an assessment that is designed to find and remediate vulnerabilities discovered within publicly accessible network infrastructure. The pen test is performed just as a hacker or bad actor would perform it, using the latest techniques and exploits available. External network infrastructure is the segment most targeted by hackers. It is highly recommended that an external network pen test is conducted at least once a year or following any major changes to the publicly accessible infrastructure. An external penetration test can be performed to adhere to required security compliance standards, such as PCI-DSS, ISO27001, and SOC 2.

Cloud Penetration Testing

Cloud Penetration Testing is an assessment that identifies vulnerabilities within cloud infrastructures (AWS, Azure, Google Cloud, etc.). While most cloud service providers have standard security measures in place, each organization is responsible for its own security. Due to the numerous options and flexibility available through cloud service providers, and the complex systems that use them, new security flaws or vulnerabilities are more likely to be discovered. Cloud Security Assessments ensure that the security of your systems, as well as any cloud-hosted assets, is as strong as possible.

Web Application Penetration

Web Application Penetration is an assessment designed to identify and address vulnerabilities in web applications that could be exploited by hackers. Web applications are very common. They are complex and often vulnerable to exploitation due to improper coding or configuration. They contain valuable information that is sensitive and vital to the company’s operations. Web application penetration tests are a must to ensure the security and stability of the application.

General Questions


By definition, a Penetration test is an authorized attack on a computer system, network, or application to identify security vulnerabilities that bad actors could exploit for ill gain. Penetration tests are performed by certified security professionals that are trained to think like a hacker.

The goal of a pen test is to identify and document vulnerabilities and weaknesses within the network being tested. The report includes the methods used, the impact or severity on the systems, and the remediation recommendations that will direct your team on how to take corrective measures to secure the issues that were discovered.

Pen tests are based on industry-leading best practices, methodologies, and standards such as NIST, OWASP, PTES, ISSAF, OSSTMM and other respected standards. 

A Pen Test Can:

  • Determine if a hacker can gain access to sensitive data
  • Determine if any systems can be leveraged to launch malicious
  • Reduce the possibility of malware distribution through the network system
  • Determine if a hacker can compromise any administrator accounts allowing access to sensitive data

There are many reasons to have a pen test performed. Some are motivated by security compliance standards such as SOC, NIST or PCI. Other reasons are due to shareholder, supplier, or partner influence. Many companies store sensitive data that they must ensure is protected from hackers.

Most companies rely heavily on their online presence and the availability of their systems and cannot afford any downtime due to a security breach. Lately, companies that are seeking insurance must provide evidence that they are conducting regular pen tests before they can qualify for insurance coverage.

There are many factors that help determine the cost of a pen test. One is the size of the scope, or the assets included in the pen test, which can include IP addresses, URLs, domains, or the size and complexity of the web application. Other factors are the types of test being performed, such as SCADA, Network, Cloud, Web Application, etc.

The method and the tools used can also affect the scope, cost, and length of the pen test, e.g. a manual, automated, or combined approach.

Another influence on scope and cost is the requirement to adhere to specific security compliance standards.

Vulnerability assessments and pen tests are often confused. A vulnerability scan is one step used within a pen test, but the two produce different results. A vulnerability scan could be likened to a security guard walking around a building perimeter, inspecting doors, windows and locks to ensure they are stable, function properly, and do not show obvious damage or weaknesses. A penetration test uses the information a vulnerability scan produces but takes the test much further.

A pen tester will use the documented vulnerabilities produced by a scan but will also search for unseen or undocumented vulnerabilities that could be exploited by a hacker. They will then verify whether the vulnerabilities found by the scanner, or the ones they discovered, can actually be exploited using hacker techniques.

The Pen Tester will carefully document what was discovered, how they discovered it, the impact on the system and how to remediate the issue.

SecuSolutions follows the most respected and widely recognized methodologies listed below.

  • OSSTMM     Open Source Security Testing Methodology Manual
    Provides a scientific methodology for network penetration testing and vulnerability assessment to identify vulnerabilities from various potential angles of attack.
  • OWASP     Open Web Application Security Project
    Aims to identify vulnerabilities within web and mobile applications. Provides over 66 controls in total to assess, in order to identify potential vulnerabilities within the functionality found in modern applications today.
  • PTES     Penetration Testing Execution Standard
    Highlights the most recommended approach to structuring a penetration test. This standard guides testers through the various steps of a penetration test, including initial communication, information gathering, and the threat modeling phases.
  • ISSAF     Information System Security Assessment Framework
    This framework is designed to evaluate the network, system, and application controls in a penetration testing methodology. It consists of a three-stage approach and a nine-step evaluation. The approach includes the following three stages:
  • NIST     National Institute of Standards and Technology
    NIST publishes a set of standards with quality principles that can be used by organizations to develop secure information security applications and to perform security tests. NIST SP 800-115 provides an overview of the essentials of security testing.

Scoping Questions

An initial meeting will be hosted to identify which members of the company will be able to provide vital information to the SecuSolutions team lead. Once this is determined, one of our team leads will be assigned to work with a member of the customer’s team to gather specific technical information and determine the pen test scope. This information is collected through a meeting and a comprehensive questionnaire provided by SecuSolutions.

Once this information has been collected the customer will receive a detailed proposal that will include:

  • Description of the mutually agreed goals of the pen test including scope
  • Description of methodology and project plan
  • Description of what the deliverables will include
  • Pricing based on the scope

Once the scope has been determined and the proposal has been signed off on, a pen test is usually scheduled to start on a mutually agreeable date. Many factors can determine the best start date and time for a pen test: holidays, downtime, peak business hours, scheduled projects, onsite resources, and the physical location of target assets can all play a role.

Standard vulnerability levels as defined by internationally recognized vulnerability databases, CVSS, OSVDB etc., are Critical, High, Moderate, and Low.

The accepted criteria are:

  • Potential impact: The potential impact of an attack based on the vulnerability, combined with the potential effect on the availability of the system and on the confidentiality and integrity of the data.
  • Exploitability: The ease with which a vulnerability can be exploited; a vulnerability that is easier to exploit increases the number of potential attackers and thus the likelihood of an attack, or its “exploitability”. Factors considered when evaluating the exploitability of a vulnerability include the access vector, the authentication required, and the operational complexity of the attack.

No; in fact most penetration tests are performed remotely, as a hacker would likely perform them. While this is the case for external pen tests, for infrastructure and systems that are not publicly accessible we rely on secure protocols and technologies to conduct tests securely, e.g. through the use of VPNs, RADs, and our own device developed to provide secure access to internal networks.

Reports and Deliverables

The benefits of a pen test are lost if the results are not properly communicated and/or demonstrated in the report or deliverable. SecuSolutions takes special care to produce reports that are intelligible, easy to understand, and contain actionable remediation recommendations.

Key components of our reports include:

  • Executive summary
  • Component Ratings
  • Findings Summary
  • Summary: External Network Assessment
  • Summary: Web Application Assessment
  • Findings Distribution
  • Strategic Recommendations
  • Findings Matrix
  • External Network Assessment
  • Description
  • Information Profiling
  • Scope Identification
  • Technical Findings
  • Web Application Assessment
  • Description
  • Scope Identification
  • Technical Findings
  • Appendices


The report will be validated by SecuSolutions, certifying that the penetration test has been performed using certified professionals backed by proven methodologies and international standards. Report validation will help with any regulatory or compliance standards the company may need to adhere to.

Yes, SecuSolutions offers a small-scale pen test we call the Pin Point Assessment. This service uses the same certified security professionals and the same methodology as a large-scale pen test. A full report with remediation recommendations is also produced. The main differences are the size or scope of the test and the cost. This is a very affordable method of determining the security of a single asset or a small number of assets.

Yes, third party requirements are becoming more common and can be quite demanding. These requirements can come from suppliers, partners, customers, and shareholders. The pen tests SecuSolutions offers will meet or exceed the requirements put on your company. Common requirements may include SOC, NIST, GDPR, PCI, ISO, etc.

Pen Testing Partnership Program

A Partnership like no other

If you are an IT Consulting company, or a Service Provider that is looking for a way to enhance your service offerings and bring in new revenues, this is a Partnership you need.

We know that starting a security division within your company isn’t easy. Finding qualified resources and choosing the right products or services can be difficult and costly.

Benefit from our experience and provide your customers with world class security while making a healthy profit.

Providing branded security solutions and consulting services has been our business model for 21 years. Choose either to rebrand our work, or keep it as is.

Some Benefits to Partnering with SecuSolutions:

Additional Revenues

Our program offers generous discounts that enable our partners to price penetration services at a fair and reasonable price to their customers, while still maintaining a profit.

Ancillary Sales Opportunities

This point cannot be over-emphasized. By the nature of the penetration testing we conduct, any issues in the networks, applications, and infrastructure will be discovered. Your customers will need additional support and services after the pen test. This is your opportunity to provide that service to your customer.

Set the Benchmark

Companies that can maintain good security but struggle to set the benchmark can use our strengths to establish a level of security that can then be maintained by your staff and the services you may already offer.

Go Where your Competition Cannot

Many customers that are looking for managed services qualify the companies they short list on whether or not they offer security services; don’t be on the “do not contact” list. Partnering with us to offer security as part of your service line up will keep you ahead of your competition.

How do I become a Penetration Testing Partner?

We offer the opportunity to discuss your needs and to determine whether a partnership is right for you. All you need to do is use our booking system and schedule a time that works.

Questions and Answers

Some additional answers to questions that you may have.

There are many factors that help determine the cost of a penetration test. One is the size of the scope, or the assets included in the pen test, which can include IP addresses, URLs, domains, or the size and complexity of the web application. Other factors are the types of test being performed, such as SCADA, Network, Cloud, Web Application, etc.

The method and the tools used can also affect the scope, as well as the cost and length of the penetration test, e.g. a manual, automated, or combined approach.

Another influence on scope and cost is the requirement to adhere to specific security compliance standards.

Some of our partners do little more than make an introduction, while others take part in meetings and updates as the project moves along. It is up to the partner to determine the level of involvement they commit to. Some partners choose to be the point person on the project, while others are happy to just observe.

Yes, this is a popular choice made by our partners. We can produce reports bearing the name of our Pentest Partner. We are happy to submit payment requests to the partner directly.

We can certainly help with that. Third parties such as insurers, partners, suppliers, or providers may require proof of a proactive security plan that includes penetration testing. We can conduct the penetration test following the requirements your customers need to adhere to. We will also attest that they conducted a professional penetration test using certified security professionals that followed a specific compliance requirement such as (PCI, SOC, ISO, etc.).