Since vulnerability scans leverage preconfigured pattern recognition, there are many aspects of a system that cannot be tested completely (or at all). Penetration testing provides coverage for serious security faults that scanners are incapable of testing, and will definitely improve the security posture of an organization.
A vulnerability scan is performed by a pre-configured computer program that evaluates your network and applications for vulnerabilities, and produces a report. This report will contain false positives and require interpretation. Vulnerability scanners are good at finding known vulnerabilities but are not very good at identifying logical faults, and often fail to find serious security flaws in custom coded applications. Vulnerability scanning is included with all penetration tests from C-Secure, but the primary focus of the penetration test is intensive manual testing by our experienced penetration testing engineers. The C-Secure team advises our clients of what we found, where we found it and specifics surrounding how to fix it. Ultimately, the difference between a vulnerability scan and a full penetration test is that security engineers think, analyze, track, follow up and judge and scanners do not. Reliance on scans alone will almost certainly lead to an insecure posture.
Typically, a vulnerability scan will identify and report some issues as low severity which, when examined in context by a security engineer, are correctly identified as high or critical. For example, recently a scanner reported an email address exposure as “informational”. Our security engineer identified a brute force weakness in a web application, determined that the email address was the account name of the network administrator, and ultimately brute forced the password. This issue was reported on the penetration test as a high vulnerability because of its combination with the brute force vulnerability.
A vulnerability scanner is only as good as the configuration. If a scanner is not configured to find a vulnerability, it will not be found. An experienced security engineer, using the context of the system, has the ability to change direction based upon what is uncovered, following leads and problems as they emerge. Example: A recent law enforcement client had a perimeter router that had the lowest access level enabled by default. The scan reported this as a low issue. Our security engineer made an immediate decision to focus efforts there, found additional weaknesses and generated a previously unknown attack. We were able to elevate privileges to the highest level and take control of the perimeter router.
Vulnerability scanners are automated and thus are inherently more dangerous to system stability than manual penetration testing. To compensate, scanners are often configured to run only “safe checks”. As a result, scanners miss key elements that should be tested. A knowledgeable security engineer is able to devise safer yet more thorough testing strategies, and find issues that automated scanners often skip for the sake of safety. Example: In a recent penetration test, the scanner had been configured to perform safe checks for buffer overruns and reported an issue as informational. The security engineer performed manual testing of buffer overruns on the customer’s Oracle database and discovered that this vulnerability would ultimately lead to a complete system compromise. Clearly, this qualified as a high or critical vulnerability, not an “informational” one.
Since vulnerability scanners are only interrogating one issue at a time, they cannot see the complete picture. Security engineers, using experience, judgment, reasoning, and skill, are able to correlate seemingly disparate issues. Example: Our client was using a captcha device as added protection on their website login form. This was implemented to bolster a weak password policy, to prevent brute force attacks. However, they were passing the captcha values in a hidden form field. The scanner looked at the form, and the code behind it, and passed the issue because captcha devices are designed to defeat automated tools. The scanner could not correlate the hidden value with the captcha image because it couldn’t read the image. The security engineer immediately recognized the “hidden” captcha code, and used this weakness to craft an attack that bypassed the captcha device and ultimately brute forced several accounts.
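The hidden-field CAPTCHA flaw described above, as an added example that is not part of the original page or C-Secure's own tooling: a flawed verifier beside a session-bound one, plus a small audit that flags the hidden field a scanner would pass. The field names, the session dict and the sample form are assumptions.

```python
import hmac
import secrets
from html.parser import HTMLParser
# Constructed example, not C-Secure's code: two server-side CAPTCHA checks
# plus a small audit that flags the hidden-field mistake described above.
def verify_captcha_vulnerable(form: dict) -> bool:
    """Flawed: the expected answer was sent to the browser in a hidden
    field, so the client controls both sides of the comparison."""
    return form.get("captcha_answer", "") == form.get("captcha_expected", "")

def issue_captcha(session: dict) -> str:
    """Keep the expected answer only in the server-side session; the
    returned string is rendered into the image, never into the form."""
    alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
    answer = "".join(secrets.choice(alphabet) for _ in range(6))
    session["captcha_expected"] = answer
    return answer

def verify_captcha_hardened(session: dict, form: dict) -> bool:
    """Constant-time compare against the session value, consumed on use
    so one solved challenge cannot be replayed for many login attempts."""
    expected = session.pop("captcha_expected", None)
    if expected is None:
        return False
    submitted = form.get("captcha_answer", "")
    return hmac.compare_digest(expected.encode(), submitted.encode())

class HiddenFieldAudit(HTMLParser):
    """Collects hidden inputs whose name suggests they carry the challenge."""
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            name = a.get("name") or ""
            if "captcha" in name.lower():
                self.findings.append((name, a.get("value") or ""))

def audit_form(html: str) -> list:
    """Return (name, value) for every suspicious hidden field in the form."""
    parser = HiddenFieldAudit()
    parser.feed(html)
    return parser.findings

# Constructed login form exhibiting the flaw; the value is made up.
SAMPLE_FORM = """<form method="post" action="/login">
<input type="text" name="user"><input type="password" name="pass">
<img src="/captcha.png"><input type="text" name="captcha_answer">
<input type="hidden" name="captcha_expected" value="R7KQ2M"></form>"""
```

The audit only reports what it finds; the remediation is the session-bound verifier, which also consumes each challenge so it cannot be reused across login attempts.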
Vulnerability scanners cannot find logical faults that involve separate processes. A security engineer has no difficulty correlating information across multiple processes. Example: We often encounter integrated email or text message responses, which our security engineers examine as part of their testing. A scanner cannot even see these important processes, and therefore cannot test them.
Vulnerability scanners have no understanding of business logic. The security engineer does, and will interpret results within the context of the business logic. Example: A customer used numbers in a URL parameter, and a vulnerability scan passed this issue because automated manipulation of the values did not result in any indication of access control faults. Our security engineer understood the business logic and correctly identified a serious access control fault that allowed anyone to view the confidential account details of others.
The goal of our business process and testing methodology is Return On Security Investment. We provide high quality information security services, guide our customers through the entire process, deliver deep and actionable results, and deliver reports that are easily understood by both management and technical staff.
Initial Communication. You will notice the difference very early in the process. While many of our competitors are engaged in price support activity, asking you to attend WebEx sessions or sending you 20-page marketing slicks, we will ask you for a 30-minute initial scope call. We will identify your needs, ask pertinent questions, and answer your questions. We will not waste your time.
Efficiency Continues. The 30-minute scoping call provides all the information we need, allowing us to accommodate tight deadlines and quickly deliver the proposal. Contract approval secures your place on the schedule. We’ll start and conclude testing during the agreed-upon timeframe, and will deliver reports within 3 days of window completion.
Reports. The level of clarity and detail provided in our reports enables our clients to begin remediation immediately, and our team is always available to answer any questions. The reports include what we found, where we found it (with specific examples and screenshots as appropriate), issue summaries and specific details on how to correct the issue. In pertinent cases we provide sample files or scripts to make it easy for developers and administrators to replicate the issue themselves. All of our security engineers have coding backgrounds, enabling us to explain complex coding issues to your developers. Your internal resources will have precisely what they need to quickly deploy corrections.
Remediation Assistance. We will assist you in the correction of any faults. When you advise us the issues are corrected, we will validate that the vulnerabilities are closed.
Our People. This may come as a surprise, but a security certification does not attest to programming knowledge. Most certified industry security professionals have a background in networking, but few have a solid background in production level programming. All C-Secure penetration testers have a production programming background in at least two development languages. All of our penetration testers have solid, real life production development backgrounds, not just a couple of college semesters or theoretical knowledge. Why is this important?
It’s hard to test what you don’t understand. Almost all information security faults that are not related to configuration or simple logical faults originate in programming code. Penetration testers who are not expert coders are forced to rely on tools to identify and test these faults. In contrast, our penetration testers are capable of hand crafting exploits in several programming languages. They can – and do – make their own tools for custom exploits as needed.
It’s hard to find what you don’t recognize. It is much easier for our penetration testers to find application faults because they have extensive application development backgrounds. They know the shortcuts, pitfalls and pressures that development teams encounter. Our penetration testers will make intuitive leaps because they are able to “get inside the head” of a developer whom they have never met. It is almost impossible to do that if you have never been a developer.
It’s hard to communicate what you don’t know. Interpreting a report written by a penetration tester with insufficient development background is frustrating, particularly when issues require explanation. Our reports contain executive summaries, and also include detailed finding reports that focus on the technical details written in a language that your system administrators and developers understand. If you need additional guidance, our penetration testers are always available by phone. You can be certain that a security engineer with a networking and development background can effectively communicate with your technical staff.
We are client focused and committed to the highest Return on your Security Investment. Throughout our process, you will be confident that your security is being handled by the best. You will discover that our team is easy to talk to, easy to understand, efficient and has a wealth of experience in all the right areas. C-Secure – we look forward to securing your business.
The most costly component of any true penetration testing engagement is the experienced security engineer – their time spent performing manual penetration testing. C-Secure leverages our experienced US penetration testing team for every engagement, and due to our streamlined and cost effective processes, we’re able to provide aggressive pricing for our customers. We may not be your lowest cost provider of penetration testing, but we are absolutely confident that we are delivering comprehensive and thorough results.
Currently, there is no recognized “standard” for penetration testing, and the quality varies dramatically. Some vendors offer automated scans and call them a penetration test. Others offer an automated scan with a manual review of the scan results and call it a penetration test. Still others will opt to outsource their security engineering work to the lowest cost bidder with offshore resources.
If your goal is to satisfy a compliance mandate, this type of testing can be rejected by auditors and lead to numerous and expensive rounds of repeat testing. If you seek to satisfy an important potential client, the client may want details about quality of the testing, and may legitimately reject these methods. Finally, if your purpose in testing is to secure your organization, these superficial methods of testing are only marginally better than vulnerability scans and can lead to an inaccurate belief in the security of your systems.
If you are pursuing penetration testing to satisfy compliance mandates, C-Secure will ensure that the testing meets compliance requirements. For your potential or existing clients, we can provide client-facing reports that include details about the scope and breadth of testing, but will not include sensitive details of the testing engagement results. If your purpose is improvement of your organizational security, we provide testing that thoroughly covers network, system and application layers, addressing the latest security threats.
Once the contract is signed and returned to C-Secure, we will immediately schedule the engagement. Scheduling is typically 4-8 weeks out, so we recommend our customers get their signed contracts in to secure their slot on the schedule.
The length of the penetration testing engagement depends on the type of testing, the type and number of systems and any engagement constraints. Typical engagements have an average testing time of 1 – 3 weeks.
We have performed single engagements for clients covering more than 4000 IP addresses and thousands of web pages covering many different systems.
Our penetration testing methodology is specifically designed to mitigate data loss, downtime and risks to our customers. In cases where exploiting a vulnerability carries a risk to the system, we will document the vulnerability, and report it to the client, but will not pursue the exploit unless our customer asks us to do so.
Vulnerability scans leverage preconfigured pattern recognition, so there are many aspects of a system that will not be scanned completely. Some will not be scanned at all. Penetration testing provides coverage for a large number and variety of serious security faults that scanners are incapable of finding and testing.
We test the network layer (firewalls, web servers, email servers, FTP servers, etc.); the application layer (all major development languages, all major web servers, all major operating systems, all major browsers); wireless systems; internal workstations, printers, fax machines; war dialing of phone numbers; virtual environments including cloud; internet enabled devices; and more. We have tested law enforcement systems, state and municipal government systems, and private sector systems ranging from online gaming to financial institutions.