8/2/2019 Trustwave Penetration Testing
About Trustwave
Trustwave is a leading provider of information security and compliance management solutions to large and small businesses throughout the world. Trustwave analyzes, protects and validates an organization's data management infrastructure, from the network to the application layer, to ensure the protection of information and compliance with industry standards and regulations such as the PCI DSS and ISO 27002, among others. Financial institutions, large and small retailers, global electronic exchanges, educational institutions, business service firms and government agencies rely on Trustwave. The company's solutions include on-demand compliance management, managed security services, digital certificates and 24x7 multilingual support. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, the Middle East, Africa, Asia and Australia.
Network Penetration Testing
Evaluate Your Security Stance, Think Like an Attacker
The most accurate method to evaluate your organization's information security stance is to observe how it stands up against an attack. With Trustwave's penetration testing service, our experts perform a simulated attack on your network to identify faults in your system, but with care to help ensure that your network stays online. Our external, internal and wireless penetration testing services follow a structured methodology to ensure a thorough test of your entire environment that includes a detailed report with tactical and strategic recommendations that take your business goals into account.
Every tool used in our penetration testing has been thoroughly tested in Trustwave's labs by experts that have performed numerous information security assessments of organizations in the retail, healthcare, biomedical, pharmaceutical and other industries.
External Penetration Testing: From the Outside In
Our penetration testing service includes iterative tests of your environment starting with the most general components working toward the most specific. Trustwave's expertise and proven methodology allow us to effectively model attack scenarios that highlight risk from the largest, most complex environments to the most simple. Trustwave experts employ a primarily manual process to limit the generic results offered by general vulnerability assessments that use automated scanners and check-list methods.
Internal Penetration Testing: Addressing Internal Threats
Internal threats can be the most devastating that organizations face today. Internal corporate LAN and WAN environments allow users greater amounts of access, but usually with fewer security controls. Depending on your needs, Trustwave can facilitate an internal penetration test either using the traditional method of deploying consultants to your facility, or testing can be conducted remotely using our Remote Penetration Test Appliance. Using either method you end up with a focused, iterative, manually based security test of your internal network infrastructure.
On-site Penetration Testing: A Trustwave expert will report for work as an employee or contractor. Utilizing normal to minimal system access levels based on the simulated role, Trustwave iteratively tests all access controls in an attempt to acquire critical data.
Remote Penetration Testing: Trustwave will deliver one of Trustwave's Secure Remote Penetration Testing Appliances to facilitate the remote access needed to conduct the penetration test.
Testing Wireless Networks
Attackers commonly exploit unsecured wireless networks to gain greater access to a corporate network and compromise data. Trustwave will perform a penetration test of wireless networks using directed attack-based logic to identify the real risks inherent in your wireless infrastructure and what that risk means to sensitive data stored elsewhere. Trustwave tests a varied array of wireless technologies such as 802.11 Wi-Fi, application-specific ZigBee, 900MHz networks, legacy FHSS technologies, 5.8GHz networks and others.
For organizations that need an expert assessment of their network security for strategic planning and to fulfill compliance requirements
70 W. Madison Street, Suite 1050, Chicago, IL 60602
www.trustwave.com
1.888.878.7817
I S S U E
09RPT091709:
For more information about Trustwave's Elements of Compliance and Data Security please visit: www.trustwave.com
To ensure that your network infrastructure is secure, you must identify what you're protecting and what you're protecting it from.
Trustwave's Proven Methodology
Trustwave always follows a highly structured methodology to ensure a thorough test of the entire target environment and each layer of your organization's security stance. Our unique approach, comprised of both reconnaissance and attack-modeling phases, ensures that your network is tested to the full extent with minimal business impact.
Reconnaissance
Moving from the general to the specific, Trustwave will begin by gathering information about your network and systems. The consultant will use this step to gain an understanding of the network topology, design philosophy and security controls present.
Network Mapping: Trustwave will use both technical and non-technical techniques for this purpose. Depending on the network, methods such as layer 2 ARP sweeps, RF profiling, or more traditional methods such as port scanning, may be used.
System Identification & Classification: Trustwave again uses technical and non-technical methods to identify the systems, network components and security devices located on the network, and classifies them.
Network Tests
Low Level Network Testing: Taking a holistic view of your network architecture, Trustwave will gather vital information at this stage that may aid our consultant (or an attacker) in compromising internal systems and applications.
System Tests
Systemic Vulnerability Identification and Development of Attack Paths: Trustwave consultants will use the knowledge of your network to map out potential attack paths and vulnerabilities that may be exploited. At this stage they will collect necessary information and determine a plan for linear and non-linear attacks.
Vulnerability Exploitation: Trustwave will inform key security contacts within your organization of specific vulnerability findings and explain the plan of attack for these vulnerable components.
Once Compromised
System Compromise: As our experts compromise your environment, they keep you informed so that you can make informed decisions about whether a particular system should undergo additional tests.
Data Extraction: Once our experts compromise a system, they determine whether that system holds critical data and files and download a sample of this data if so.
Further Compromise: Once a system has been compromised, its many trust relationships with other assets can lead to further exploitation. Trustwave will launch a new stage of discovery against the environment to identify any trust relationships that will allow further access to a system.
Report Development & Delivery
Upon conclusion of testing, Trustwave provides you with a report detailing results and recommendations on mitigating your network vulnerabilities, including:
Assessment of design and operating effectiveness of existing controls
Overall risk level rating
Identified risks and potential areas of vulnerability
Security risk mitigation recommendations
Architectural and procedural recommendations
Files, passwords or system information obtained during the test
Why Trustwave's SpiderLabs is the Best Choice
Trustwave's SpiderLabs services and delivery are backed by a full portfolio of information security resources:
Expertise: The SpiderLabs team consists of some of the top information security professionals in the world. With career experience ranging from corporate information security to security research and federal and local law enforcement, our staff possesses the background and dedication necessary to stay ahead of the technical, legal and management issues affecting your organization's information security.
Experience: SpiderLabs has performed hundreds of forensic investigations and application security tests and thousands of ethical hacking exercises for a client list that includes Fortune 500 companies, small to mid-sized businesses, government security agencies and law enforcement agencies.
Certification: Trustwave is certified by the National Security Agency (NSA), the agency responsible for assessing the US government's information security posture. We are also authorized by all major credit card brands to conduct investigations of compromised merchants and processors.
Facilities: SpiderLabs maintains the most advanced application and hardware testing facility in the industry.
Safety: SpiderLabs works closely with clients to ensure that all of its services are performed with strict confidentiality and rigorous legal oversight.
Trustwave Methodology