RightSec Penetration Testing Services
Version 1.0
September 2021
1 RightSec Penetration Testing Services
Table of Contents
RightSec Security Assessment (p. 2)
Security Testing (p. 3)
  Methodology and Approach (p. 3)
Types of Tests and Exercises (p. 4)
  Application Penetration Testing (p. 4)
  Compliance Driven Penetration Testing (p. 5)
  Internal Network Penetration Testing (p. 6)
  Mobile Application Penetration Testing (p. 7)
  Red Team Assessment (p. 8)
  Wireless Penetration Test (p. 9)
  API Security Assessment (p. 10)
  Infrastructure Security Assessment (p. 11)
  Secure Code Review (p. 12)
  Social Engineering Exercises (p. 13)
  Server Hardening Assessments (p. 14)
  Blockchain Penetration Testing (p. 15)
Contact Us (p. 16)
RightSec Security Assessment
Practical security assessments are essential for a business to understand its
environment's risk and to help define appropriate strategies for a safe and healthy
technology landscape. RightSec provides a wide range of testing solutions including web
application penetration tests, internal network and Active Directory testing, Wi-Fi testing,
secure code review and red teaming, amongst others.
RightSec is comprised of nationally renowned white-hat hackers equipped with industry
best certificates, and security specialists experienced in the military and private sectors who
can support you in achieving any business goal.
The following are examples of the most common enterprise drivers towards vulnerability
assessments:
• Compliance with PCI-DSS requirements, APRA CPS 234, Vendor Risk Assessments
• BAU Security Testing as part of your ISMS Vulnerability Management Program
• Release of new systems into production with confidence and speed
• Determine areas of weakness, uncover flaws and previously-unknown
vulnerabilities — and see how they can be exploited
• Controls Assurance (Validate your security controls)
• Ensure your systems are safe
• Receive actionable advice on how to harden your systems against attacks
• Improve confidence in your cyber security and confirm that the design of your system
is secure
• Tackle new business opportunities by securely integrating with partner systems (API
testing)
We can test your systems to strengthen security and keep your organisation safe.
Security Testing
Security assessments aim to identify vulnerabilities within the assessed infrastructure,
diagnose those vulnerabilities, and exploit them in a safe and controlled manner.
Each test RightSec provides is directly aligned to your business needs, with separate goals
and different methodologies.
Methodology and Approach
RightSec has developed a testing methodology by combining several industry best practice
frameworks such as OWASP, OSSTMM and WASC along with RightSec's custom internal
testing methodology. Each test that RightSec offers has its own custom methodology. This
ensures that our testers will thoroughly analyse all aspects of the target in a safe and
methodical manner. Our toolkit includes best-of-breed commercial, open-source and
customised penetration tools.
You will receive a comprehensive business report of our testing, detailing our approach and
techniques, risk-ranked prioritised findings and clear recommendations on mitigating
actions.
Any security issues are reported with accompanying step-by-step instructions and
screenshots, so that you can replicate the attack, get a visual perspective of the problem,
and understand the nature, and urgency, of the potential risk.
RightSec will incorporate the client’s approach to
risk management, prioritising mitigation
recommendations in accordance with the client’s
risk appetite.
The next section covers the different types of tests
RightSec can offer.
Types of Tests and Exercises
Whatever your penetration test driver is, RightSec can support you. The following are some
of the services RightSec is ready to offer you:
Application Penetration Testing
Application penetration tests are fundamental for gauging the security level of the business’
external environment. Aligned against industry best practices such as OWASP, OSSTMM and
RightSec internal testing methodology, application penetration tests look to exploit common
web application vulnerabilities in order to compromise the assessed host.
RightSec uses a combination of automatic and manual tests to fully assess the application. With
expert knowledge in the field, and testers using custom tooling designed to assess even the
most robust applications, RightSec will be able to accommodate testing for any type of
application.
We understand that the purpose of applications differs between organisations, so our
testers do not follow a one-size-fits-all approach for each engagement. RightSec applies custom
test cases and methodologies to ensure that our test is tailored to your business needs.
We use a structured approach to understand the application and model vulnerabilities
based on the WASC threat classification framework to allow for an easier analysis of
any threats found.
Compliance Driven Penetration Testing
Some organisations are required to perform penetration testing in order to comply with
and maintain governance responsibilities. Our services can support you with getting
compliant with most regulations and standards, including:
• Regulations such as PCI DSS, ISM, SOX and HIPAA
• Industry standards such as ISO 17799 and ISO 27001
• APRA CPS 234 Vulnerability Management for financial entities and their partners
• Privacy legislation such as GDPR and the Australian Privacy Act
• Vendor Security Assessments
Internal Network Penetration Testing
Internal networks generally hold the most critical business applications and data. They allow for
collaboration between employees and management of assets. Internal penetration tests assume
the pretext of an attacker having already compromised the network. Such an attacker sets their goal
as compromising critical internal infrastructure by elevating their privilege levels and moving
laterally throughout the network. Attackers leverage several vulnerabilities and employ tools,
techniques and procedures (TTPs) from the most advanced threat groups.
RightSec understands that in the modern age of computing, the dynamics of security are
constantly changing. Our testers are readily available to test and emulate the latest threats to
ensure that your organisation is ready for what may face them.
Internal penetration tests generally consist of three phases:
• Network Discovery: In this step the internal infrastructure will be mapped out with
a strong emphasis on critical infrastructure. At the end of this phase, the testers
should have a good understanding of the internal system layout.
• Target Identification: Following on from the previous step, the tester will take
a detailed look into the discovered systems and attempt to identify any
vulnerabilities within the assessed hosts.
• Vulnerability Exploitation: At this stage, the attacker
will attempt to safely exploit any found vulnerabilities
in the hopes of compromising the assessed
infrastructure, elevating their privilege levels and
moving laterally throughout the internal network.
Mobile Application Penetration Testing
Mobile applications are often overlooked when it comes to security, yet their
functionality is as complex as a web application. RightSec has performed numerous
mobile application penetration tests, and our testers have a deep understanding of the
nuances of the vulnerabilities that arise from the development of mobile applications.
RightSec combines a process of automated and manual testing with a testing
methodology derived from industry-best practices. Our testers employ proprietary and
custom tooling to ensure that the full depth of the application is sufficiently tested.
Red Team Assessment
The threat of an attack against your organisation is always imminent, yet the opportunity
to put response plans into practice is rare. When the time comes to respond to an
attack, it is important that security team operators and linked business groups are ready
to engage with any threat that comes their way.
A red team assessment is an excellent way to test the robustness of security controls.
The attacking team will attempt to compromise the business infrastructure and reach
the set goals within the agreed scope. This can range from application and infrastructure
attacks to social engineering and physical asset compromises.
The team at RightSec is extremely well trained in assessing an organisation’s external
footprint and creating an attack chain that will ensure that all business units are
sufficiently engaged to respond to the threat.
Wireless Penetration Test
The internal wireless network is mostly seen as a barrier between an attacker remaining
outside of your network, and full access to internal infrastructure. With modern
technology, attackers can remain unseen as they attempt to penetrate the corporate
wireless network, and even attempt to coerce employees with fake wireless login
portals to harvest credentials.
Wireless penetration tests assess the resilience of wireless networks against an attacker
attempting to infiltrate the network. Various test cases are performed
depending on the type of setup. RightSec can modify its testing methodology on the
fly to accommodate all types of wireless setups. RightSec will aid in defining a
methodology tailored directly to your business needs.
Wireless penetration tests generally consist of the following:
• Site survey: Mapping out of all access points, and identification of areas of interest
such as places with low wireless signal strength and clients nearby
• Wireless infrastructure testing: The objective of this phase is to thoroughly assess
the wireless infrastructure in use and determine any points an attacker may be able
to exploit. This can take many forms, and is highly dependent on the infrastructure
in use
• Wireless client testing: Thorough testing of the process for
authenticating and managing clients that may leave it vulnerable
to attacks which could compromise the integrity of the
connection and user credentials
• Wireless exploitation: Depending on the findings in the previous
step, RightSec will create an attack plan, and attempt to execute
it against the wireless infrastructure
API Security Assessment
Application Programming Interfaces (APIs) allow multiple applications to be exposed
through a single endpoint. As such, API endpoints
generally receive sensitive data and authorisation requests, and perform checks when
accessing privileged application functionality.
RightSec’s skilled testers are capable of testing even the most robust API endpoints,
searching for security risks and functionality bypasses. RightSec has adopted a
custom methodology derived from industry best practices such as the OWASP top
10 API vulnerabilities and our own internal methodology to ensure that the target
application is thoroughly tested. Our findings are grouped according to the WASC threat
classification, allowing for easier analysis and understanding of findings.
Infrastructure Security Assessment
Once an application is deployed, either externally or internally, the infrastructure
requires constant maintenance to ensure that configuration is secure, services and
ports exposed are secure, and no software is missing any security patches.
Infrastructure security testing involves the use of techniques commonly employed by
attackers to compromise assets, while focusing on infrastructure components such as
servers, operating systems and security devices.
RightSec has developed an infrastructure security testing methodology based on a
combination of automated and manual testing. Similarly to application testing,
findings are grouped in classifications to make analysis easier to visualise and help
with future remediation steps.
Secure Code Review
The software development life-cycle followed by most development teams often
misses the important aspect of security. As such, applications tend to be riddled with
numerous simple vulnerabilities that could have been remediated before
application release.
RightSec has developed a secure code review methodology that can be used across
many different programming languages. Our methodology combines manual
inspection of source code as well as the use of proprietary, custom and open-source
tooling. RightSec will work closely with the business to ensure that our
methodology is tailored to your needs, and a secure application will be ready at
release time.
Social Engineering Exercises
Often the weakest point of any entity lies within human manipulation. RightSec
offers a wide range of services to help train employees against social engineering
attacks, whether that be through active phishing and vishing assessments or in-
person/virtual training seminars tailored to the business.
RightSec employees possess military training in human and emotional intelligence.
Our testers are capable of performing social engineering assessments ranging from
extremely high-skilled to low-skilled threat actors. Pretexts defined in the social
engineering assessments will be tailored directly to your business by
reconnaissance through open source intelligence vectors.
Consistent social engineering training is a vital element in ensuring that employees
are aware and alert of imminent threats and understand how to respond to threats
accordingly.
Server Hardening Assessments
Server hardening assessments involve thoroughly reviewing configurations of the
server to understand their conformance to industry-best practices. By assessing the
configuration of a standard server deployment, any security issues can be fixed
across a whole fleet of servers.
RightSec has developed a server hardening assessment methodology by combining
benchmarks from CIS, NIST, ACSC and our own internal resources. Throughout
testing RightSec will employ various scripts and manual configuration reviews to
ensure that the configuration of the server is consistent with industry best
practices.
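As an added example for this document (not RightSec's own scripts, and not a verbatim CIS, NIST or ACSC benchmark), the following Python check reviews an OpenSSH sshd_config against a small baseline of commonly recommended settings. It honours two details a configuration review has to get right: sshd uses the first value it sees for a keyword, and a keyword absent from the file takes OpenSSH's built-in default, so a "missing" line can itself be a deviation. The baseline values, the default values and the sample configuration are assumptions constructed for illustration; the benchmark you are assessing against is the authority for the settings themselves.

```python
import re
from typing import Dict, List, Tuple

# Assumed baseline modelled on common hardening guidance (illustrative, not a
# verbatim CIS/NIST/ACSC benchmark).
# option -> (allowed values, OpenSSH default used when the option is absent)
BASELINE: Dict[str, Tuple[set, str]] = {
    "permitrootlogin": ({"no"}, "prohibit-password"),
    "passwordauthentication": ({"no"}, "yes"),
    "permitemptypasswords": ({"no"}, "no"),
    "x11forwarding": ({"no"}, "no"),
    "maxauthtries": ({"1", "2", "3", "4"}, "6"),
    "loglevel": ({"info", "verbose"}, "info"),
}

# Constructed sample sshd_config (not taken from any real host)
SAMPLE_SSHD_CONFIG = """\
# Constructed sample for illustration
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding yes
MaxAuthTries 4
# sshd keeps the FIRST value for a keyword, so this later line has no effect
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
"""

_LINE = re.compile(r"^(\S+)\s*[=\s]\s*(.*)$")


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global options, lower-cased.

    First occurrence wins (as sshd does), comments are stripped, and parsing
    stops at the first Match block because those settings are conditional and
    would need per-user or per-host evaluation.
    """
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def check_baseline(text: str) -> List[Tuple[str, str, str]]:
    """Return (option, observed, allowed) for every option outside the baseline."""
    effective = parse_sshd_config(text)
    findings: List[Tuple[str, str, str]] = []
    for option, (allowed, default) in BASELINE.items():
        if option in effective:
            observed, label = effective[option], effective[option]
        else:
            # Absent keyword: the built-in default is what the server runs with
            observed, label = default, f"{default} (default)"
        if observed not in allowed:
            findings.append((option, label, "/".join(sorted(allowed))))
    return findings


if __name__ == "__main__":
    for option, observed, allowed in check_baseline(SAMPLE_SSHD_CONFIG):
        print(f"DEVIATION {option}: observed={observed} allowed={allowed}")
```

Run against the sample, the script reports PermitRootLogin and X11Forwarding as deviations while correctly ignoring the later "PermitRootLogin no" that sshd would never apply; run against an empty file it flags the defaults for PermitRootLogin, PasswordAuthentication and MaxAuthTries, which is the case a grep-based review misses.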
Blockchain Penetration Testing
A blockchain is a timestamped chain of immutable records (i.e., blocks)
that are linked cryptographically. It is effective in recording information
in a permanent and tamperproof way. The technology is increasingly being
developed and adopted for different services and applications in highly
regulated, sensitive areas such as the financial sector and healthcare.
Like any other technology, a blockchain needs to present the right security
configuration and must not introduce further risk to the business adopting it.
As such, it is vital to perform penetration tests against blockchain
applications. Effective blockchain testing supports organisations in
building and utilising the technology securely with the connected
infrastructure, and ensures that it is secure and aligned to industry
regulations and best practices.
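The "chain of cryptographically linked, timestamped records" described above is the integrity property a blockchain assessment sets out to confirm. The following is an added example for this document, not RightSec's code or methodology: a minimal in-memory ledger in which every block commits to the SHA-256 digest of its predecessor, and whose verify() walks the chain and reports the first block whose stored hash or back-link no longer matches. The block layout, the use of SHA-256 over canonical JSON and the sample payment entries are assumptions chosen for illustration.

```python
import hashlib
import json
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Block:
    index: int
    timestamp: float
    data: str
    prev_hash: str
    hash: str = ""

    def compute_hash(self) -> str:
        # Canonical JSON of every field except the hash itself, so that any
        # change to index, timestamp, payload or back-link changes the digest.
        payload = json.dumps(
            {"index": self.index, "timestamp": self.timestamp,
             "data": self.data, "prev_hash": self.prev_hash},
            sort_keys=True, separators=(",", ":"),
        ).encode()
        return hashlib.sha256(payload).hexdigest()


class Ledger:
    """Append-only chain where each block commits to the previous block's hash."""

    def __init__(self) -> None:
        genesis = Block(0, 0.0, "genesis", "0" * 64)
        genesis.hash = genesis.compute_hash()
        self.blocks: List[Block] = [genesis]

    def append(self, data: str, timestamp: Optional[float] = None) -> Block:
        prev = self.blocks[-1]
        block = Block(prev.index + 1,
                      time.time() if timestamp is None else timestamp,
                      data, prev.hash)
        block.hash = block.compute_hash()
        self.blocks.append(block)
        return block

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Return (True, None) if intact, else (False, index of first bad block)."""
        for i, block in enumerate(self.blocks):
            if block.hash != block.compute_hash():
                return False, i          # block body edited in place
            if i > 0:
                prev = self.blocks[i - 1]
                if block.prev_hash != prev.hash or block.index != prev.index + 1:
                    return False, i      # back-link broken or block re-ordered
        return True, None


def demo_tamper_detection() -> Tuple[bool, bool, Optional[int]]:
    """Build a three-entry ledger, then alter a historical record."""
    ledger = Ledger()
    # Constructed sample entries with fixed timestamps for reproducibility
    ledger.append("payment:alice->bob:10", timestamp=1_700_000_000.0)
    ledger.append("payment:bob->carol:4", timestamp=1_700_000_060.0)
    ledger.append("payment:carol->dave:1", timestamp=1_700_000_120.0)
    intact_before, _ = ledger.verify()
    # Tamper with block 1 and even recompute its own hash: block 2 still holds
    # the ORIGINAL hash of block 1, so the chain breaks at index 2.
    ledger.blocks[1].data = "payment:alice->bob:1000"
    ledger.blocks[1].hash = ledger.blocks[1].compute_hash()
    intact_after, bad_index = ledger.verify()
    return intact_before, intact_after, bad_index


if __name__ == "__main__":
    print(demo_tamper_detection())  # (True, False, 2)
```

The point the demo makes is that rewriting history costs an attacker every hash from the edited block onwards, not just one; in a real network the consensus layer is what stops a single party from doing exactly that, which is why an assessment has to cover the ledger, the consensus and the surrounding infrastructure rather than the hash chain alone.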
RightSec has developed a blockchain penetration testing methodology
based on industry best practices. Through a combination of manual and
automated testing, RightSec will thoroughly test any implementation
of blockchain technology.
We understand that Blockchain implementations and use cases vary
between organisations. For that reason, our methodology and the
wide-ranging expertise and skills of our penetration testers are robust
and adaptable. We adopt a structured approach and model
vulnerabilities based on the SWC registry classification of smart
contract weaknesses to allow for easier analysis and documenting of
threats found.
A specific blockchain configuration is usually a combination of multiple
technologies, tools and methods that address a particular problem or
business use case. RightSec addresses and considers all elements
within the blockchain. From the ledger, smart contracts, business and
application logic, all the way down to the infrastructure being used. We
understand the importance of integrity, confidentiality and privacy of
the data stored inside the blockchain, and we will dedicate ourselves to
maintaining these values.
Contact Us
Whatever your security drivers are, RightSec can help.
Still have some questions?
Reach out for a consultation today
Your one-stop cyber security shop!
Email: [email protected] Website: https://www.rightsec.com.au Phone: +61 401 730 789