Security requires People, Process, and Technology.

We’ve got all three.

Trust your Security to the professionals. Certified, experienced, and trusted.

Why Conduct a Penetration Test?

Cybersecurity assessments in the form of penetration tests are a vital part of a strong security plan. These assessments demonstrate an organization's security posture from an adversarial perspective. That’s something technology alone cannot do. Technology is not designed to think outside the box, but a skilled adversary is. Real-world cybercriminals are continuously developing new techniques and honing old ones, and technology on its own cannot keep up.

Cybersecurity assessments that are conducted by certified, experienced professionals will discover issues that could result in a breach. These assessments help address weaknesses and inadequacies in networks that only a trained eye can see.

Assessments can check the box on any compliance or supplier driven mandate to prove your company has taken the measures to protect infrastructure and the sensitive data that it supports.

Knowing exactly what is involved in a cybersecurity assessment from scoping and procedure, to cost, is only a few clicks away.

Book a free consultation with us to get the answers you need to decide.

Why SecuSolutions?

SecuSolutions offers Security Consulting, Managed Security Services, and Security Education.

For over 24 years, we have served nearly every industry. From financial to the public and energy sectors on a global scale, our experience and dedication to security is evident in the deliverables we produce and the solutions we have developed for the security market.

We are brand neutral and offer no outsourced products, solutions, or services; we focus only on solutions that have been developed in house and tested by our most valuable resource, our staff.

Our team members are certified and hold the most widely recognized and respected security certifications available.



Certifications


Offensive Security Certified Professional (OSCP)


Certified Information Systems Security Professional (CISSP)


Certified in Homeland Security, Level 3 (CHS-III)


Certified Information Systems Auditor (CISA)


Certified Data Privacy Solutions Engineer (CDPSE)


eLearnSecurity Certified Professional Penetration Tester (eCPPTv2)

Methodologies

All our penetration tests are conducted using proven methodologies and standards that are recognized worldwide.

OSSTMM

Open Source Security Testing Methodology Manual

Provides a scientific methodology for network penetration testing and vulnerability assessments to identify vulnerabilities from various angles of attack.

OWASP

Open Web Application Security Project

Aims to identify vulnerabilities within web and mobile applications. It provides over 66 controls in total for assessing and identifying potential vulnerabilities in the functionality found in modern applications.

PTES

Penetration Testing Methodology and Standards

Highlights the recommended approach to structuring a penetration test. This standard guides testers through the various steps of a penetration test, including the initial communication, information gathering, and threat modeling phases.

ISSAF

Information System Security Assessment Framework

This framework is designed to evaluate network, system, and application controls as part of the penetration testing methodology. It consists of a three-stage approach and a nine-step evaluation.

NIST

National Institute of Standards and Technology

NIST publishes standards and quality principles that organizations can use to develop secure applications and to perform security tests. NIST SP 800-115 provides an overview of the essentials of security testing.

The Industries We Serve and Why

Small Business

Small businesses may be small, but they get the bragging rights to the hardest and most often hit industry segment. Small businesses feel they will not be a target of hackers; hackers beg to differ.

“43% of attacks target small businesses” (source: PurpleSec)

Energy

Energy is vital to our economy. It is also a prime target for adversaries, as a single major shutdown of an oil or gas plant or a bulk power plant (nuclear, wind, or hydro dam) can spell disaster.

“77% of U.S. energy companies are vulnerable to ransomware attacks via leaked passwords” (source: Houston Chronicle)

Technology

The technology sector is often ground zero for cyber attacks. Valuable technology, trade secrets, patents, and the willingness to adopt new technologies make this sector a soft target for adversaries.

“Technology became the most attacked industry for the first time, accounting for 25% of all attacks (up from 17%). Over half of attacks aimed at this sector were application-specific (31%) and DoS/DDoS (25%) attacks, as well as an increase in weaponisation of IoT attacks” (source: securitybrief.asia)

Manufacturing

Manufacturing is an industry that is underprepared for attacks. The lack of resources and the slow adoption of security technologies leave this industry trailing behind most others. This is alarming considering the importance of this segment to the economy.

“Attacks on manufacturing companies around the world rose 300% in 2021” according to the Global Threat Intelligence Report

Healthcare

Healthcare is getting some unwanted attention: 93% of healthcare organizations have experienced data breaches. This is likely because healthcare systems contain the kind of sensitive information that adversaries want.

“Healthcare has the highest number of attacks by ransomware over any other industry” (source purplesec)

Higher Education

Higher education needs to hit the books. Despite being an industry devoted to learning, educational institutes are far behind when it comes to security. In fact, adversaries refer to it as a “playground” where they test their wares and hone their skills.

“41% of higher education cybersecurity incidents and breaches were caused by social engineering attacks” (source purplesec)

Finance and Insurance

Finance and insurance are the industries spending the most money to fight cyber crime, according to a recent report from Deloitte. So much so that many insurance companies now offer cyber insurance to companies that require it because of regulation or compliance requirements.

“67% of financial institutions reported an increase in cyber attacks over the past year” (source purplesec)

Government

Government is forever under attack, for obvious and not so obvious reasons. Political motives, humanitarian causes, activists, and attacks from other countries are commonplace. Government is generally slow to react and to implement change or protective measures, making it a prime target.

For a comprehensive list of attacks, visit (csis.org)

Transport and Logistics

Transport and logistics are high on the list of targets for adversaries. Disrupting transport and supply chains can be a lucrative business for them. Ransomware and malware attacks are the top two methods adversaries use to wreak financial havoc on companies and create panic among consumers.

“The US Department is offering up to $10 million for information leading to the identification or location of the leaders behind a recent ransomware attack by the DarkSide which was a ransomware attack” (source duo.com)

Telecommunication

Telecommunication may include satellite companies, internet providers, and telephone companies. The amount of data and infrastructure handled by this industry makes these organizations a favourable target for adversaries.

“Telecommunications made a significant jump from sixth place in Q4 2020 to become the number-one DDoS target in Q1 2021” (source Daily Swig)

Still not sure if you need a Penetration Test?

How certain is your IT team that they are doing all they can to protect your data and sensitive information from prying eyes?

How much downtime can your company afford?

When was the last time your company conducted a security audit?

Do you know where your most critical data is stored?

Do you know who in your organization has access to what information?

Would you like to know where the holes in your security plan are?

Will you be required to conduct a compliance audit in the near future?

Do you know which of your company’s assets are in the cloud and who’s responsible for protecting them?

Types of Penetration Tests

Internal Penetration Testing

Internal penetration testing, also known as insider threat simulation testing, is conducted to identify and remediate vulnerabilities discovered in the internal network infrastructure. This testing not only simulates the actions of a dismissed or disgruntled employee but also takes the perspective of adversaries who’ve found an internal foothold, mimicking the techniques they might use to exploit vulnerabilities from within the network. It is highly recommended that an internal penetration test is conducted at least once a year or following any major change to the infrastructure. Conducting an internal penetration test is also required by various standards, such as PCI-DSS, ISO27001, and SOC 2.

External Penetration Testing

External penetration tests help to find and remediate vulnerabilities discovered within publicly accessible network infrastructures. The penetration test is performed by utilizing the latest techniques and exploits available, mimicking an adversary's approach. As the external network is the most targeted segment by adversaries, it is highly recommended that an external network penetration test is conducted at least once a year or following any major changes to the publicly accessible infrastructure. External penetration tests can be performed to adhere to required security compliance standards, such as PCI-DSS, ISO27001, and SOC 2.

Cloud Penetration Testing

Cloud penetration tests are assessments that identify vulnerabilities within cloud infrastructures such as AWS, Azure, Google Cloud, etc. While most cloud service providers have standard security measures in place, each organization is responsible for its own security. Because of the numerous options and the flexibility available through cloud service providers, and the complex systems that utilize them, new security flaws and vulnerabilities are likely to be discovered. Cloud security assessments ensure that your systems, as well as any cloud-hosted assets, are as secure as possible.

Web Application Penetration Testing

Web application penetration tests are conducted to help identify and address vulnerabilities in web applications that could be exploited by adversaries. Web applications are very common and often complex, making them vulnerable to exploitation through improper coding or configuration. These applications contain valuable, sensitive information that is vital to a company’s operations. Therefore, web application penetration tests are essential to ensure the security and stability of the application.

General Questions

What is a Penetration Test?

By definition, a penetration test is an authorized attack on a computer system, network, or application with the goal of identifying security vulnerabilities that adversaries could exploit for ill gain. Penetration tests are performed by certified security professionals who are trained to think like adversaries. The goal of a penetration test is to identify and document vulnerabilities and weaknesses within the network being tested. The report following a penetration test includes the methods utilized, the impact or severity on the systems, and the remediation strategies that will help direct your team to take the corrective measures needed to mitigate the issues that were discovered.

Penetration tests are based on industry-leading best practices, methodologies, and standards such as NIST, OWASP, PTES, ISSAF, OSSTMM and other respected standards.

A penetration test can:

  • Determine if an adversary can gain access to sensitive data.
  • Determine if any systems can be leveraged to launch additional attacks.
  • Reduce the possibility of malware distribution through the network system.
  • Determine if an adversary can compromise any administrator accounts, allowing them to access sensitive data.

Why have a penetration test performed?

There are many reasons to have a penetration test performed. Some organizations are motivated by security compliance standards such as SOC, NIST or PCI. Other reasons are due to influence from their shareholders, suppliers, or partners. Many companies store sensitive data that they must ensure is protected from adversaries.

Most companies rely heavily on their online presence and the availability of their systems and cannot afford any downtime caused by a security breach. Lately, companies that are seeking insurance must provide evidence that they are conducting regular penetration tests before they can qualify for insurance coverage.

How much should a penetration test cost?

There are many factors that help determine the cost of a penetration test. The first is the size of the scope, or the assets included in the penetration test, which can include IP addresses, URLs, domains, or the size and complexity of the web application. Another factor is the type of test being performed, such as SCADA, network, cloud, or web application.

The method and the tools utilized can also affect the scope, cost, and length of the penetration test, e.g. a manual, automated, or combined approach.

A further influence on scope and cost is the requirement to adhere to specific security compliance standards.

Is a penetration test the same as a vulnerability scan?

Vulnerability assessments and penetration tests are often confused. Both are used in a penetration test, but they produce different results. A vulnerability scan could be likened to a security guard walking around a building perimeter inspecting doors, windows, and locks to ensure they are sound and functioning properly and show no obvious damage or weaknesses. A penetration test utilizes the information that a vulnerability scan produces but takes the test much further.

A penetration tester will use these documented vulnerabilities produced by a scan but will also search for unseen or undocumented vulnerabilities which could be exploited by an adversary. They will then verify whether those vulnerabilities found by the scanner, or the ones they discovered, can be exploited using adversarial techniques.

The penetration tester will carefully document what was discovered, how they discovered it, the impact on the system and how to remediate the issue.

What are some of the penetration test methodologies that are used?

SecuSolutions follows the most respected and widely recognized methodologies, listed below.

  • OSSTMM: Open Source Security Testing Methodology Manual

    Provides a scientific methodology for network penetration testing and vulnerability assessment to identify vulnerabilities from various potential angles of attack.

  • OWASP: Open Web Application Security Project

    Aims to identify vulnerabilities within web and mobile applications. Provides over 66 controls in total for assessing and identifying potential vulnerabilities in the functionality found in modern applications.

  • PTES: Penetration Testing Methodology and Standards

    Highlights the most recommended approach to structuring a penetration test. This standard guides testers through the various steps of a penetration test, including the initial communication, information gathering, and threat modeling phases.

  • ISSAF: Information System Security Assessment Framework

    This framework is designed to evaluate network, system, and application controls as part of the penetration testing methodology. It consists of a three-stage approach and a nine-step evaluation.

  • NIST: National Institute of Standards and Technology

    NIST publishes standards and quality principles that organizations can use to develop secure applications and to perform security tests. NIST SP 800-115 provides an overview of the essentials of security testing.

Scoping Questions

What process does SecuSolutions use for scoping a penetration test project?

An initial meeting is held to identify which members of the company can provide the vital information the SecuSolutions team lead needs. Once this is determined, one of our team leads is assigned to work with a member of the customer's team to gather specific technical information and determine the penetration test scope. This information is collected through a meeting and a comprehensive questionnaire provided by SecuSolutions.

Once this information has been collected, the customer will receive a detailed proposal that will include:

  • Description of the mutually agreed goals of the penetration test, including scope.
  • Description of the methodology and project plan
  • Description of what the deliverables will include
  • Pricing based on the agreed scope

How soon can a penetration test be scheduled?

Once the scope has been determined and the proposal has been signed off, the penetration test is usually scheduled to start on a mutually agreeable date. Many factors can determine the best start date and time for the penetration test: holidays, downtime, peak business hours, scheduled projects, onsite resources, and the physical location of target assets can all play a role.

How is the severity of a vulnerability measured?

Standard vulnerability levels, as defined by internationally recognized vulnerability scoring systems and databases (CVSS, OSVDB, etc.), are Critical, High, Moderate, and Low.

The accepted criteria are:

  • Potential impact: The potential impact of an attack based on the vulnerability, combining the potential effect on the availability of the system with the effect on the confidentiality and integrity of the data.

  • Exploitability: The potential for a vulnerability to be exploited. A vulnerability that is easier to exploit increases the number of potential attackers and thus the likelihood of an attack, i.e. its “exploitability”. Factors considered when evaluating the exploitability of a vulnerability include the access vector, authentication requirements, operational factors, and complexity.

Are all penetration tests performed on-site?

No. In fact, most penetration tests are performed remotely, as an adversary would operate. That is always the case for external penetration tests; for infrastructure and systems that are not publicly accessible, we rely on secure protocols and technologies to conduct the test remotely, for example VPNs, RADs, and our own device developed to provide secure access to internal networks.


Reports and Deliverables

What will a penetration test report include?

The benefits of a penetration test are lost if the results are not properly communicated and demonstrated in the deliverable. SecuSolutions takes special care to produce reports that are intelligible, easy to understand, and contain actionable remediation recommendations. The report will be validated by SecuSolutions, certifying that the penetration test has been performed by certified professionals, backed by proven methodologies and international standards. Report validation will help with any regulatory or compliance standards the company may need to adhere to.

Key components of our reports include:

  • Executive summary
  • Component Ratings
  • Findings Summary
  • Summary: External Network Assessment
  • Summary: Web Application Assessment
  • Findings Distribution
  • Strategic Recommendations
  • Findings Matrix
  • External Network Assessment
  • Description
  • Information Profiling
  • Scope Identification
  • Technical Findings
  • Web Application Assessment
  • Description
  • Scope Identification
  • Technical Findings
  • Appendices


Does SecuSolutions offer a smaller scale penetration test to help determine if a larger scale engagement is required?

Yes, SecuSolutions offers small-scale penetration tests, which we call "pin point assessments". This service uses the same certified security professionals and the same methodology as a large-scale penetration test. The main difference is the size and/or scope of the test, along with the cost. A full report is produced, complete with remediation strategies. This is a very affordable way of validating the security of a single asset or a small number of assets.

Penetration Testing Partnership Program


A Partnership like no other.

If you are an IT Consulting company, or a Service Provider that is looking for a way to enhance your service offerings and bring in new revenues, this is a Partnership you need. We know that starting a security division within your company isn’t easy. Finding qualified resources and choosing the right products or services can be difficult and costly.

Benefit from our experience and provide your customers with world class security while making a healthy profit. Providing branded security solutions and consulting services has been our business model for 24 years. Choose either to rebrand our work or to keep it as is.

Some Benefits to Partnering with SecuSolutions

Additional Revenues

Our program offers generous discounts that enable our partners to price penetration services at a fair and reasonable price to their customers, while still maintaining a profit.

Ancillary Sales Opportunities

This point cannot be over-emphasized. By the nature of the penetration testing we conduct, any issues in the networks, applications, and infrastructure will be discovered. Your customers will need additional support and services after the assessment. This is your opportunity to provide that service to your customer.

Set the Benchmark

Companies that can maintain good security but struggle to set the benchmark can utilize our strengths to establish a level of security that can then be maintained using your staff and the services you may already offer.

Go Where your Competition Cannot

Many customers looking for managed services shortlist companies based on whether they offer security services or not; don’t be on the “do not contact” list. Partnering with us to offer security as part of your service lineup will keep you ahead of your competition.

How do I become a Penetration Testing Partner?

We offer the opportunity to discuss your needs and to determine whether a partnership is right for you. All you need to do is use our booking system and schedule a time that works.

Questions and Answers

Some additional answers to questions that you may have.

What is the cost of a Penetration test?

There are many factors that help determine the cost of a penetration test. The first is the size of the scope, or the assets included in the penetration test, which can include IP addresses, URLs, domains, or the size and complexity of the web application. Another factor is the type of test being performed, such as SCADA, network, cloud, or web application.

The method and the tools utilized can also affect the scope, as well as the cost and length of the penetration test, e.g. a manual, automated, or combined approach.

A further influence on scope and cost is the requirement to adhere to specific security compliance standards.

Do we need to become involved in the Penetration Test?

Some of our partners do little more than make an introduction, while others take part in meetings and updates as the project moves along. It is up to the partner to determine the level of involvement they commit to. Some partners choose to be the point person on the project, while others are happy to just observe.

Do you offer Branding?

Yes, this is a popular choice made by our partners. We can produce reports bearing the name of our Pentest Partner. We are happy to submit payment requests to the partner directly.

What if our customer needs to meet a specific requirement?

We can certainly help with that. Third parties such as insurers, partners, suppliers, or providers may require proof of a proactive security plan that includes penetration testing. We can conduct the penetration test following the requirements your customers need to adhere to. We will also attest that they conducted a professional penetration test using certified security professionals who followed a specific compliance requirement, such as PCI, SOC, or ISO.