Penetration Testing


Most businesses will, sooner or later, be attacked, whether by individuals within the organization or by external attackers. The number of entry points into corporate networks keeps growing with the adoption of e-commerce applications and of technologies such as wireless networking and Bluetooth. Even after every reasonable measure has been taken to secure your network and applications, social engineering remains a threat. Through our penetration testing services, we identify and explain the methods by which access can be gained to your information assets, and the potential impact of any such illicit access.

Enterprise Risk Management's (ERM) penetration testing methodology provides a comprehensive assessment of exposures to both internal and external intrusions. These assessments provide detailed technical, procedural and strategic recommendations to enhance your organization's security posture at the enterprise or product level.

Specifically, ERM's security consultants can perform the following types of penetration tests:

  • Network Penetration Tests
  • Application Penetration Tests
  • Social Engineering Tests

Network Penetration Tests: Network penetration tests can be external or internal. An external penetration test examines the security posture of all systems that are accessible over the Internet. On the other hand, an internal penetration test simulates attacks that may arise from within your organization either through a disgruntled employee or through an attacker who has been able to bypass your perimeter defenses.

Although the underlying methodology is the same for every network penetration test, its scope and techniques are tailored to the client's needs and to the technologies in use. War-dialing, war-driving and bluesnarfing are among the techniques we use, where they apply, to provide a comprehensive security assessment.

  • War-dialing: Using war-dialer programs, we reproduce the way an attacker sweeps a block of telephone numbers to find those that answer with a computer modem. War-dialing also locates modems that have been connected without authorization and that provide a path into the company's internal resources.
  • Bluetooth Discovery and Bluesnarfing: Bluetooth devices are prone to security vulnerabilities just like any other technology. Securing Bluetooth devices, including cell phones and PDAs, matters because of the sensitive information they hold. ERM evaluates the security of your Bluetooth devices by discovering them and enumerating the device type, the services they advertise and the applications running, and by testing whether information can be retrieved from them without authorization (bluesnarfing). This identifies the measures needed to protect the information at risk.
  • War-driving: War-driving is the act of discovering the wireless access points that are part of your network. Wireless networks with weak or absent encryption, and access points installed without the knowledge of the security team, give an attacker an entry point for unauthorized access. Using war-driving tools and techniques, ERM professionals evaluate what an attacker could do on the internal network after gaining access through a wireless access point.
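The war-driving bullet above describes the survey; what follows is the triage a practitioner runs on its results. This is an added example, not ERM's tooling or a tool named on this page: it takes the access points observed around a building, compares them with an authorized inventory, and flags unknown radios, radios advertising a corporate SSID from an unknown BSSID, and networks using no or weak encryption. The inventory, the survey rows and the signal-strength threshold are all constructed assumptions.

```python
"""Added example, not ERM's tooling: triage of a war-driving survey.

Survey rows and the inventory below are constructed.  A real run would feed
in a scanner's export instead.
"""
from dataclasses import dataclass

WEAK_ENCRYPTION = {"OPEN", "WEP"}
# Assumed rule of thumb: a signal this strong from outside usually means the
# radio sits inside the building.  It is a heuristic, not proof of a rogue AP;
# confirmation needs a wired-side check (switch MAC tables, DHCP leases).
INSIDE_BUILDING_DBM = -75


@dataclass(frozen=True)
class ObservedAP:
    ssid: str
    bssid: str        # radio MAC, as reported by the scanner
    encryption: str   # OPEN, WEP, WPA2 or WPA3
    signal_dbm: int


# Authorized inventory (assumed): BSSID -> SSID the network team owns.
AUTHORIZED = {
    "00:11:22:33:44:55": "CorpNet",
    "00:11:22:33:44:56": "CorpGuest",
}

# Constructed sample of what one pass around the building might return.
SURVEY = [
    ObservedAP("CorpNet",     "00:11:22:33:44:55", "WPA2", -48),
    ObservedAP("CorpGuest",   "00:11:22:33:44:56", "OPEN", -52),
    ObservedAP("CorpNet",     "AA:BB:CC:DD:EE:FF", "WPA2", -61),  # unknown radio, our SSID
    ObservedAP("linksys",     "C0:FF:EE:00:00:01", "WEP",  -70),  # unmanaged AP, strong signal
    ObservedAP("Neighbor-5G", "DE:AD:BE:EF:00:02", "WPA3", -85),  # next door, weak signal
]


def triage(survey, authorized):
    """Return [(bssid, ssid, [tags])] for every AP that needs follow-up."""
    authorized = {b.lower(): s for b, s in authorized.items()}
    corporate_ssids = set(authorized.values())
    findings = []
    for ap in survey:
        tags = []
        bssid = ap.bssid.lower()
        if bssid in authorized:
            if authorized[bssid] != ap.ssid:
                tags.append("ssid-mismatch")      # our radio, unexpected SSID
        elif ap.ssid in corporate_ssids:
            tags.append("ssid-spoof")             # unknown radio advertising our SSID
        elif ap.signal_dbm > INSIDE_BUILDING_DBM:
            tags.append("rogue-candidate")        # strong, unknown, not ours: check wired side
        if ap.encryption.upper() in WEAK_ENCRYPTION:
            tags.append("weak-encryption")
        if tags:
            findings.append((bssid, ap.ssid, tags))
    return findings


if __name__ == "__main__":
    for bssid, ssid, tags in triage(SURVEY, AUTHORIZED):
        print(f"{bssid}  {ssid:<12} {', '.join(tags)}")
```

The signal threshold only narrows the list; whether a "rogue-candidate" is actually plugged into the corporate LAN (rather than a neighbor's network) has to be confirmed from the wired side before it is reported as an entry point.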

Application Penetration Tests: Application penetration tests assess the security of both web-based and stand-alone applications. This kind of testing identifies vulnerabilities such as injection flaws (SQL injection among them), buffer overflows and cross-site scripting. It also detects issues such as improper error handling, insecure configuration management, predictable credentials or session identifiers, and path traversal. Through our application penetration testing services, we not only pinpoint the risks that threaten the integrity of your organization's critical data, but also help you prioritize them.
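Three of the flaw classes named above, each shown as the vulnerable pattern beside its hardened form. This is an added example, not ERM's code or an application described on this page; the document root `/var/www/reports`, the in-memory user table and the inputs are constructed for illustration.

```python
"""Added example, not ERM's code: path traversal, SQL injection and
cross-site scripting, vulnerable pattern beside the fix.
The document root, the user table and the inputs are constructed."""
import html
import os
import sqlite3

BASE_DIR = os.path.abspath("/var/www/reports")   # assumed document root


# --- Path traversal -------------------------------------------------------
def unsafe_report_path(name: str) -> str:
    # Vulnerable: "../../etc/passwd" or an absolute path escapes BASE_DIR.
    return os.path.join(BASE_DIR, name)


def safe_report_path(name: str) -> str:
    # Hardened: normalise the joined path and refuse anything outside BASE_DIR.
    # commonpath() compares whole components, so "../reports_private/x" is
    # rejected even though the string starts with "/var/www/reports".
    candidate = os.path.normpath(os.path.join(BASE_DIR, name))
    if os.path.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        raise ValueError(f"path escapes document root: {name!r}")
    return candidate


def report_path_allowed(name: str) -> bool:
    """True if safe_report_path() would serve the file, False if it refuses."""
    try:
        safe_report_path(name)
        return True
    except ValueError:
        return False


# --- SQL injection --------------------------------------------------------
def demo_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for the application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def unsafe_login(conn, username: str, password: str) -> bool:
    # Vulnerable: user input is spliced into the SQL text, so a username of
    # "alice' --" comments out the password check entirely.
    query = (f"SELECT 1 FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def safe_login(conn, username: str, password: str) -> bool:
    # Hardened: bound parameters are passed as data and never parsed as SQL.
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row is not None


# --- Cross-site scripting -------------------------------------------------
def unsafe_greeting(name: str) -> str:
    # Vulnerable: the name is written into HTML as-is.
    return f"<p>Hello, {name}</p>"


def safe_greeting(name: str) -> str:
    # Hardened: escape for the HTML element context before interpolating.
    return f"<p>Hello, {html.escape(name)}</p>"


if __name__ == "__main__":
    db = demo_db()
    print("traversal blocked:", not report_path_allowed("../../etc/passwd"))
    print("injection works on unsafe_login:", unsafe_login(db, "alice' --", "wrong"))
    print("injection fails on safe_login:", not safe_login(db, "alice' --", "wrong"))
    print(safe_greeting("<script>alert(1)</script>"))
```

The same inputs that a tester would send (a `../` sequence, a quote followed by a comment marker, a script tag) are exactly what the hardened versions are checked against; a finding in the vulnerable version and a clean result in the hardened one is the before-and-after evidence a report should carry.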

Social Engineering Tests: Why would an attacker spend hours mapping your network infrastructure when they could get the same information by tricking a few unsuspecting employees through e-mails, telephone calls or even in person? By gathering a small piece of information from each employee, the attacker can map out your network: which applications are in use, the naming scheme for user accounts, and even passwords volunteered by overzealous employees trying to help. When developing a security program, many organizations overlook the human element, which in most cases is the weakest link in any security infrastructure. ERM helps you navigate the myriad issues related to social engineering. Our social engineering tests help you mitigate this risk and raise awareness in your organization.

Network and Application Penetration Tests, along with Social Engineering Tests, can thus be used to secure your information assets at different levels. These tests can be customized to include technologies such as wireless and Bluetooth wherever necessary, providing a comprehensive assessment of the security of your entire information infrastructure.



Contact ERM
Silka M. Gonzalez
Tel: 305-447-6750
Fax: 305-447-6752
Email: info@emrisk.com