| |
Penetration Testing |
| |
|
| |
Objective |
| |
To undertake, on a regular (Monthly, Quarterly or Once-off) basis, a thorough testing of the security configurations and effectiveness of a client's Internet gateway security installation - by probing remotely from the external Internet, in the same manner as any potential intruder. The testing searches for all known Security vulnerabilities that can be practically identified, including most recent at time of test. The testing does not require access to the company network, servers, or to privileged information such as computer account/password data - it is based on the 'black-box' approach. |
|
| |
|
| |
Wabot follow the non-exploitative philosophy - i.e. security holes are identified and advised to the customer, but they are not exploited. Wabot will not attempt to 'break-in' to any systems, and no onsite data files or hard disks will be directly written to. |
| |
|
| |
|
| |
 |
| |
|
| |
|
| |
Output |
| |
At the end of the test, we will deliver a comprehensive report outlining: |
| | |
| | |
| | - Details and exposure of vulnerabilities
|
| | - Penetrations by areas of concern
|
| | |
| | |
| | Wabot operates a discreet service: |
| |
- The report will be couriered to the client and must be signed by the agreed recipient for security reasons
|
| | - Wabot will not publish a client list
|
| | Maintaining confidentiality, integrity and availability |
| | |
| | Protecting your organization from a major disruption by using an ' Wabot penetration testing will result in your organization's ability to do business uninterrupted and continuously maintaining the confidentiality, integrity and availability of your information systems. |
| | |
| | Brief Listing of Test Components |
| | |
| |
Registry database search and checks |
| |
Determine what IP addresses and domains are assigned |
| |
Check associated company details and contact names for correctness |
| |
Search for similar domain names registered to different company's |
| |
|
| |
Internet routing check |
| |
Check that all assigned IP addresses are either routed to the correct company or not routed - ensure that none are routed to other organizations |
| | |
| |
DNS search and checks |
| | Obtain advertised DNS information and determine company Internet servers. |
| |
Check DNS servers for improper configuration |
| | |
| | Internet Router checks |
| |
Determine what network information can be obtained from the company's Internet router |
| | Check for routing vulnerabilities |
| | Check for packet-filtering vulnerabilities |
| | Determine services offered by router; check for vulnerable services |
| | For host-based routers, check for operating system vulnerabilities |
| | |
| | Firewall checks |
| | Check for vulnerable proxy services |
| | Check for routing vulnerabilities |
| | Check for packet-filtering vulnerabilities |
| | Check for operating system vulnerabilities |
| | |
| | Internet server checks (DNS server, Web server, Mail server, FTP server etc.) |
| | Determine accessible services on Internet servers |
| | Check for operating system vulnerabilities |
| |
Check for service-specific vulnerabilities |
| |
Check for public access to mail or news facilities which could allow spamming |
| |
|
| |
Visible non-server hosts scan |
| |
Check for any networked machines that are visible from the Internet and are not the companies advertised Internet servers |
| | Determine accessible services on these machines |
| | Check for operating system vulnerabilities |
| |
Check for service-specific vulnerabilities |
| |
|
| |
Scope and Limitation of Tests |
| |
|
| |
Snap-Shot |
| |
The testing represents a view of the security at a single point of time |
| |
|
| |
Denial of Service attacks are used |
| |
Such attacks can cause data loss on live systems, and are not run except under special separate agreement with customers. Wherever practicable, identification of systems known to be vulnerable to such attacks will be made by other means. |
| |
|
| |
No password cracking |
| |
This is most effectively performed on site by internal staff at regular intervals, and is therefore not included in the service except by special prior agreement. |
| |
|
| |
Wabot performs all testing under strict guidelines that help maintain data integrity and avoids network downtime or data loss. Manual testing eliminates the automated problems of sending hundreds of packets a second to machines, performing unexpected tests, or accidentally performing DoS attacks; thereby limiting the impact to the network and machines. All of our reports will then detail the types of attacks performed, where successful, and details on how to fix or create work-around for all issues. |
| |
|
