IDENTIFY THE GAPS IN YOUR SECURITY

Identify issues and address the root causes

Penetration testing is defined as a practice of testing a computer system, network or application in order to exploit inherent vulnerabilities. The ultimate goal is to determine if an attacker could leverage a vulnerability to gain access to data contained therein.

Whether it’s a black box test that simulates a real-world attack scenario, or a white box examination with design and target information supplied to the tester, our penetration services provide decision makers with a baseline from which to build a comprehensive information security program required to be secure and compliant.

Network enumeration, vulnerability analysis, and exploit testing occurs such that proper risk mitigation strategies can be put into place and executed. MainNerve will help you identify and classify risks so that you can mitigate them with technology and/or administrative improvements.

Some of the major areas of assessment are:

  • Network Enumeration
  • Vulnerability Analysis
  • Web Application Penetration Testing
  • Custom Security Risk Rating
  • Vulnerability Mitigation and Support

A penetration test is the first step towards improving your corporate security risk profile. MainNerve believes in Four Pillars of risk identification: Usability, Performance Functionality, and Security. Security, namely, is the overarching pillar with which to operate a company with integrity. Our comprehensive security assessments consider of all your infrastructure including, desktops, laptops, servers, and software

Frequently Asked Questions

What is a penetration test?
A penetration test is the most thorough and complete way to identify security holes and vulnerabilities and prove that they could be exploited. It is also known as a “pen test” or “penetration assessment”. A penetration test evaluates client networks, servers, web apps, mobile platform, wireless system, printers, modems–any technology that may store, process, transmit or receive data that would have value to an unauthorized party or hacker. A penetration tester will use software application, and in some cases, hardware to exploit vulnerabilities with the express intent of gaining unauthorized access to data.
What are different types of penetration tests?

There are three approaches to penetration testing: black-, grey-, and white-box testing.
In a black box penetration test, the penetration tester has no prior knowledge of the design, architecture, systems, and software of the entity being tested. The engineers must spend more time and energy discovering, analyzing and determining ways to exploit each system. This is performed by emulating a real-world (or nation-state) attacker.
In a white box examination, the penetration tester has a clear idea of how the system is designed and architected and will often even have the code that particularly interesting systems might run such that it can be tested for vulnerabilities and weaknesses. Full disclosure by the customer give the tester complete insight into the details of each system to be tested. As a result, a white box test often takes less time because less reconnaissance is required.
A grey box test is combination of black and white box tests. A tester is given the range of systems to be tested and their respective roles. Limited discovery and analysis occurs as the penetration tester matches actual findings versus what has been disclosed by the customer.

What is a Vulnerability Scan?

A Vulnerability Scan is a rigorous scanning of a company’s internal and external facing IP addresses and systems to determine the level of security by identifying known vulnerabilities in operating systems, applications and security devices. Regulations and Executive concern often mandate that Vulnerability Scans take place in support of a good information security or assurance plan. Using state of the art software and tools, Our experienced technicians can scan tens of thousands of IP addresses, multiple data storage facilities, multiple locations and public and private cloud to provide an accurate depiction of a Enterprise’s current security status. Vulnerability Scans not only outline security concerns, but, when done on a periodic basis, serve to test updates and patches ensuring that the corporate data security plan is being followed.

What is the difference between a vulnerability scan and a penetration test?

A vulnerability scan is designed to evaluate a network, system and/or applications for weaknesses. Vulnerability scanners are purpose-designed to identify known vulnerabilities, but are not very good at identifying logical faults and often fail to find serious security flaws in custom coded applications. Vulnerability scanning is also intended to evaluate a range of systems and services. Due to the lower cost in time and effort, larger ranges of systems can be efficiently scanned in a shorter amount of time. Nevertheless, a vulnerability scan is designed to only find vulnerabilities and automatically identify solutions.
A penetration test is goal oriented. That is, the purpose of a penetration test is to locate a single exploitable vulnerability. While a vulnerability scan might occur during a penetration test, the goal is find one or more weakness that can be leveraged for access to sensitive network(s) and/or data. As a result, during a penetration test, not all systems will be “tested”.

Why contract for a penetration test?
Valuable data is being stolen, copied and sold every day without the knowledge of the rightful owners. Most organizations are unaware of how vulnerable they are to this theft. Unlike a physical break-in, data theft may go undetected for months or even years. One of the best ways to protect data is to identify and eliminate the vulnerabilities that exist in the system before they are discovered and exploited.
When do you need a penetration test?

As stated earlier, there are many reasons for a penetration test. The most common are:

  • Regulatory compliance requirements (e.g. security audit for HIPAA, PCI, and FINRA)
  • Unusual amount of virus, malware, spyware activity on the network
  • After implementing significant software and/or hardware changes in website or network
  • Suspicious traffic on network
  • After installing new software or other upgrades
  • If you store valuable data and have never had one
  • Prior to purchasing or breach insurance
My data is stored in the cloud. Why do I need a Penetration test?

Software, particularly proprietary or custom-developed software, can be riddled with security holes unknown to the developer. Moreover, your cloud provider has no control over your software. Devices within your corporate environment, such as, printers, servers, and workstations may be vulnerable. Penetration testing is crucial for this environment to address actual vulnerabilities after which a relevant mitigation plan can be made.

What types of systems have you tested?

Each of the following should be considering for penetration testing:

  • Network layer (firewalls, web servers, email servers, etc.)
  • Application layer (all major development languages, all major web servers, all major operating systems, all major browsers)
  • Wireless systems
  • Virtual environments including cloud, internet-enabled devices
We’re already performing vulnerability scanning, why should we perform a penetration test?

Vulnerability scans leverage preconfigured pattern recognition. As such, there are many aspects of a system that will not be scanned completely or not scanned at all. Penetration testing provides coverage for large number and variety of serious security vulnerabilities that vulnerability scanners are incapable of discovering and testing.

Can a penetration test break my system?

Our penetration testing methodology is specifically designed to mitigate data loss, downtime, and risks to our customers. In cases where exploiting a vulnerability would pose a risk to the system, We will document the finding and report it to the client, but will not pursue the exploit unless our customer requests it.

How long does it take to perform a penetration test?

The length of the penetration test depends on the type and scope of testing. This includes determining the type and number of systems and any limitations. Generally, projects can vary greatly, but have an average testing time of one to three week

What’s the difference between your approach and others that have automated tests?

There are few recognized standards for penetration testing and quality varies dramatically among all vendors. Some vendors offer fully automated scans and call it a penetration test. If your goal is to satisfy a compliance mandate, this type of testing can be rejected by auditors and lead to numerous and expensive rounds of repeat testing. If you need to satisfy the requirements of an important potential client, they may want details about quality of the testing and could reject these methods. While automated methods still have a place in penetration testing, We leave the decision to the customer. This method is dependent on such critical factors as time, money, and scope of the engagement. We ensure that the testing meets compliance requirements where applicable. We use proven methods put forth by NIST and OWASP. For your potential or existing clients, We provide client-facing reports that include details about the scope and breadth of testing. But, the report will not include sensitive details of the testing engagement results. If your purpose is improvement of your organizational security, we provide testing that thoroughly covers network, system and application layers, addressing the latest security threats.

l

SCOPING
To scope your penetration test, your call will be answered by a qualified technician who will provide you with questions intended to scope out the project

SCHEDULING
Within 24 hours of the scoping process, the technician will respond with a quote and estimated price for the penetration test, if accepted a time is scheduled for your test.

Z

TESTING
The penetration test will be conducted as required and within the scope the customer has approved.

REPORTING
The report will outline the vulnerabilities found and provide mitigation strategies to repair them.

Penetration Tests and Vulnerability Scans are delivered and implemented in Partnership with 

mainnerve_logo_basic_tagline_FINAL_USE

Here are a few other services that we offer

Free Vulnerability Scan

1 External IP Address scanned for Free and receive a Free report.

Free Wi-Fi Network Assessment

Our Free Wi-Fi Network Assessment Program will validate your network’s performance.

Free Network Assessment

Our Free Servers, Desktops and Network Infrastructure Assessment will validate any potential issues.

Free vSphere Resilience HealthCheck

The free vSphere Resilience HealthCheck provides important insights on the resilience of your infrastructure.

Fill out my online form.