Internal Penetration Test

IT solutions are made to support your company and make your business grow in an organised and efficient matter. However these products developed in-house or by third party companies, can present bugs or in other words vulnerabilities that, if exploited, can be used by malicious parties to penetrate your IT infrastructure and damage your business. In 2017 Verizon bought Yahoo for $4.8 billion, $350 million short of the originally stipulated price. This happened because Yahoo, back in 2013, had been hacked giving access to millions of Yahoo accounts to malicious hackers. As cyber-attacks multiply, therefore, it is vital to consider the security of your internal and external IT assets:

• Computers (Desktop and Laptops)
• Servers (Windows Domain servers, testing/production servers, Web servers, Email servers)
• Routers, Switches and Firewalls
• Email solutions (Microsoft Exchange)
• WIFI solutions
• MDM solutions (Mobile Device Management for BYOD)
• VPN solutions (working from home)
• Standard system builds for desktops and servers

CodeGrazer offers internal penetration test services, designed to cover all the security aspects related to your internal network. A penetration test or pen test is an authorized simulated attack against IT systems to evaluate their security. In short, a penetration test is employed by companies to discover and fix vulnerabilities in their systems and at the same time improve their security policies to be a step ahead of malicious hackers.

The Scoping Phase

During the scoping phase, you as the client, with our help, will define a list of targets you want to assess, a list of targets deemed critical that our consultant should focus on in a capture the flag manner and a list of goals you want to achieve with the test.

The Assessment

The consultant assesses each asset that you wish to be tested against the most up-to-date security best practice from two points of view:

• that of an unauthenticated user.
• that of an authenticated employee turned malicious, e.g. an internal threat.

The consultant will use a set of tools developed in-house by CodeGrazer or made available by third parties (e.g. Tenable's Nessus vulnerability scanner and the Metasploit exploitation framework) to discover and exploit vulnerabilities to show how an attacker would potentially be able to compromise your network (passing from connecting to your internal network without credentials to get full privileges as Domain or Enterprise Administrator) and capture the critical targets. During the test, the consultant will report critical vulnerabilities identified directly to you and your team so that the remediation process can start as soon as a vulnerability is discovered.

The Report

Within 2 working days since the completion of the assessment, the consultant will deliver a report:

• Illustrating within the executive summary the state of your network.
• Listing and describing all the discovered vulnerabilities ranked according to their criticality and exploitability.
• Showing detailed proof of concept for exploited vulnerabilities.
• Suggesting a fix.
• In different formats: in an extended, written format (PDF) and a concise format (Excel).

By purchasing CodeGrazer's penetration testing services you will be able to:

• Push the state of your network up to high standards of security by watching a top level ethical hacker in action.
• Assess your patching policy to discover if your assets are protected against the latest vulnerabilities.
• Learn how to use a vulnerability scanner to maintain constant control even once the assessment is over.
• Discover what confidential internal information is available to an unauthenticated user connected to your network (e.g. showing how information leakage via shares could happen)
• Find out which user accounts make use of weak credentials.
• Improve your password policy and create a user awareness program.
• Determine whether your Email server is blocking correctly spam and malicious emails.
• Check the state of your Layer 2 and 3 devices (e.g. Routers, Switches).
• Review the rules configured on your Firewall to make sure they adhere to the least access principle.
• Determine whether your WIFI solution can be used to access your domain from the parking lot.
• Assess the security of your MDM solution to secure employee's BYOD devices.
• Improve the security standards for system builds of desktops and servers.