Sage’s External Vulnerability Assessment and Penetration Test identifies the key strengths and weaknesses of your current environment, allowing you to see how it would handle various types of cyber-attacks. Once we’ve assessed your system for vulnerabilities, we conduct simulated attacks in which we behave like a sophisticated cyber-intruder to determine how those vulnerabilities could be exploited. Using the results, we develop a remediation strategy that will help you mitigate the risk of falling victim to real-world cyber intruders.
The external network perimeter delivers public-facing network services that could provide a point of entry to unauthorized attackers through the successful exploitation of identified vulnerabilities. Performing assessments against the external network perimeter can help an organization:
Our external vulnerability assessment and penetration testing methodology is continuously engineered to meet evolving best practices and is informed by several standardized approaches.
Each engagement is customized to meet unique goals and objectives; therefore, the specific elements of our methodology that are leveraged are contingent upon the level of testing and the defined scope. The following is an accounting of the potential testing phases and their respective individual elements:
This step involves searching various publicly available sources for detailed company-specific information. This allows us to identify target systems and provides information that may prove useful in an attack.
Here we take a more focused look at the devices, servers, and Internet-facing applications. We use a variety of specialized security tools to identify the architecture and vulnerabilities. The goal is to identify systems / devices that respond to authorized and unauthorized requests, the services / applications that those systems are providing, and inherent and/or potential vulnerabilities.
This is the attempt to gain unauthorized access to systems and / or information utilizing the vulnerabilities identified in the previous phase. This task is customized based upon the findings of the engagement. Sage’s approach is to exploit the perimeter vulnerability and gain access to systems / information; once access is obtained, Sage will report the finding to the client so the method of access can be remediated promptly. If requested by the client, Sage can attempt to pivot the attacks towards internal machines; however, our general approach is to report the finding and move on in an attempt to find additional external vulnerabilities.
In this final phase of the engagement, Sage will generate an executive summary and a technical report that explains the findings, includes visuals / screenshots, provides customized remediation recommendations, and, if available, includes details on repeating the attack scenario. This report is generally delivered via WebEx.
Sage’s cybersecurity professionals bring highly skilled expertise to each unique engagement through specialized training in security testing disciplines. Continuous education is a fundamental element of ensuring quality testing, and Sage personnel maintain several professional credentials.
The scale and scope of each engagement are a function of satisfying business obligations and understanding organizational risk tolerance. Sage works in a collaborative fashion to customize the level of engagement that will satisfy unique organizational needs. A mix of options can also be selected depending on the type and frequency of testing desired.
Primarily automated testing using a commercial network vulnerability scanner; this level excludes manual penetration testing. An external vulnerability assessment is ideal for periodic testing between penetration testing engagements and as a quick verification / sanity check when changes are made to the organization’s perimeter.
Building on the external vulnerability assessment, Sage will attempt to verify / exploit the vulnerabilities identified. In addition, Sage will perform testing for default credentials on any common systems / software found, since default passwords are a common and easily exploited attack vector. This level is ideal for budget-conscious organizations with developing cybersecurity programs that would like to get a basic understanding of their external security posture.
Building on what is offered at the baseline level, this test includes manual attack techniques, open source intelligence gathering, target-environment-specific research, and unauthenticated web application testing against commonly used applications. This option is best suited for compliance-driven organizations and high-value targets (e.g., financial institutions and healthcare organizations).
In recent years, 80% of all high vulnerabilities and 46% of all vulnerabilities that Sage reported in penetration tests were found due to the manual techniques that are incorporated into this level of penetration testing.
This type of testing is necessary for any website / web application that is custom developed for the organization, and it is recommended for any website / web application that handles sensitive information. Because it requires significant manual effort to achieve the most effective results, custom scoping / pricing is required for most engagements.
Depending on the size, scope, complexity, and sensitivity of the web application, a minimum number of days will be recommended. Testing can be conducted from an authenticated or unauthenticated user perspective and performed from various user roles with unique privileges (end user, manager, administrator, etc.).
Mobile application testing is a thorough review of a mobile application installed on a mobile device. Via automated tools and manual testing, Sage Data Security reviews the mobile application for insecure configuration settings and insecure data storage. In addition, Sage uses the application as a normal user and proxies its traffic through an intermediary system to analyze the network traffic for insecure data transmission.
Part of a mobile application review is testing the HTTP requests made by the application using the Web Application Testing Methodology described above. Sage’s mobile application testing methodology is designed to review the mobile application for the top mobile application risks.
Once we have completed the External Network Vulnerability Assessment and Penetration Test, we will provide you with:
There is no single, straight path that will get you to the point where you can say, “We did it! We’re 100% cyber-secure.”
A more realistic destination is cyber resiliency – the ability to prepare for and adapt to changing conditions, so you can withstand and recover rapidly from disruptions. Achieving cyber resilience depends on what we like to call the cybersecurity lifecycle – an ongoing cycle of interconnected elements that complement and reinforce one another.