Vulnerability & Penetration Testing

Network Vulnerability Testing

FIPCO ^® vulnerability testing is an automated process of proactively identifying vulnerabilities on an institution’s information processing network in order to determine if and where a system or network component can be exploited and/or threatened. It focuses on seeking out security flaws based on an industry standard database of known flaws, testing systems for the occurrence of those flaws and generating a report of the findings that can be used to mitigate the vulnerabilities to improve the organization’s security and reduce risk.

The network based vulnerability scanning can be performed from one of two perspectives:

• External: from the point of view that the world can see, the perspective that hackers/crackers outside of the organization can see,

Or

• Internal: from the point of view if an attacker would get past the perimeter defenses or to assess the threat of rogue software or malicious employees in an enterprise on managing the risks to the IT architecture

IP addresses are established as the targets for scanning. Included is information establishing which will be scanned as well as which should not be included or need special handling.

After the scanning is complete, an executive summary report is generated with an executive summary of the more critical technical vulnerabilities. Detail scanning reports from the scanning software will also be available with technical detail for technical staff to use in mitigating the findings.

The Vulnerability Scan provides for the following deliverables:

• Customer provided Internet Accessible (for external) or the internal IP addresses that the institution wishes to evaluate are scanned for vulnerabilities using an industry standard, commercial vulnerability scanning solution that is vendor supported. For internal scanning a scanning appliance is connected to the customer internal network while actual scanning is managed from a remote location.
• Evaluations of the publicly visible services in a domain, sub-domain or IP address range.
• For internal vulnerability scanning a report on the status and state of internal security from an inside attacker perspective. Specific types of systems and potential exploits are identified.
• Identification and reporting on open ports, services running, services identification and operating system exposures.
• A list of the identified known vulnerabilities and areas of exposure in detail along with corresponding potential safeguards if appropriate.
• A summarization of technical vulnerabilities that are felt to need attention along with availability of all detail scanning results for all IP addresses scanned.
• A list of recommended patches, configuration changes, hardware and software updates.
• A general check of publicly identified web sites known as abuse or black list sites for the presence of Customer’s information (e.g. IP Address, company name).
• Where appropriate recommendations on solutions to vulnerabilities found.
• High level evaluation of exploits and severity.
• Notification of the Customer as quickly as reasonable for any severe issues.
• (optional) Modem Vulnerability Scan (War Dialing). Conduct an automated process to identify security vulnerabilities through dialing of phone number extensions associated with the customer. This process identifies extensions associated with modems that may be exposed to abuse. Not priced in base proposal unless noted.
• Consolidate and analyze collected data, architecture and/or tool recommendations that could correct or mitigate critical risks.
• Outline security status and establish follow-up and next steps.
• Review findings and discuss recommendations, remediation and next steps.

Network Penetration Testing Services

Penetration testing is a method that typically evaluates the vulnerabilities and exposure of a computer system or network by simulating an attack by a malicious user. The process typically includes vulnerability scanning. Analysis is carried out from the position of a potential attacker who is attempting to exploit vulnerabilities that may be identified with a goal of gaining access to internal systems. Security issues that are found will be reported with an assessment of their potential impact. The intent of a penetration test is to determine feasibility of an attack and typically to measure the effectiveness and maturity of an institutions vulnerability management. With penetration testing there is a greater possibility that systems may be damaged in the course of testing and may be rendered inoperable, even though there are benefits in knowing that the system could have been rendered inoperable by an intruder it can still be an expensive event. This risk is minimized by using experienced penetration testers, but it can never be fully eliminated. Scoping of a penetration test is important and generally a matter of time and resources that an organization wishes to commit for the penetration attempt.