Trustwave Penetration Testing


  • 8/2/2019 Trustwave Penetration Testing


    About Trustwave

    Trustwave is a leading provider of information security and compliance management solutions to large and small businesses throughout the world. Trustwave analyzes, protects and validates an organization's data management infrastructure, from the network to the application layer, to ensure the protection of information and compliance with industry standards and regulations such as the PCI DSS and ISO 27002, among others. Financial institutions, large and small retailers, global electronic exchanges, educational institutions, business service firms and government agencies rely on Trustwave. The company's solutions include on-demand compliance management, managed security services, digital certificates and 24x7 multilingual support. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, the Middle East, Africa, Asia and Australia.

    Network Penetration Testing

    Evaluate Your Security Stance, Think Like an Attacker

    The most accurate method to evaluate your organization's information security stance is to observe how it stands up against an attack. With Trustwave's penetration testing service, our experts perform a simulated attack on your network to identify faults in your system, but with care to help ensure that your network stays online. Our external, internal and wireless penetration testing services follow a structured methodology to ensure a thorough test of your entire environment that includes a detailed report with tactical and strategic recommendations that take your business goals into account.

    Every tool used in our penetration testing has been thoroughly tested in Trustwave's labs by experts that have performed numerous information security assessments of organizations in the retail, healthcare, biomedical, pharmaceutical and other industries.

    External Penetration Testing: From the Outside In

    Our penetration testing service includes iterative tests of your environment starting with the most general components working toward the most specific. Trustwave's expertise and proven methodology allow us to effectively model attack scenarios that highlight risk from the largest, most complex environments to the most simple. Trustwave experts employ a primarily manual process to limit the generic results offered by general vulnerability assessments that use automated scanners and check-list methods.

    Internal Penetration Testing: Addressing Internal Threats

    Internal threats can be the most devastating that organizations face today. Internal corporate LAN and WAN environments allow users greater amounts of access, but usually with fewer security controls. Depending on your needs, Trustwave can facilitate an internal penetration test either using the traditional method of deploying consultants to your facility, or testing can be conducted remotely using our Remote Penetration Test Appliance. Using either method you end up with a focused, iterative, manually based security test of your internal network infrastructure.

    On-site Penetration Testing: A Trustwave expert will report for work as an employee or contractor. Utilizing normal to minimal system access levels based on the simulated role, Trustwave iteratively tests all access controls in an attempt to acquire critical data.

    Remote Penetration Testing: Trustwave will deliver one of Trustwave's Secure Remote Penetration Testing Appliances to facilitate the remote access needed to conduct the penetration test.

    Testing Wireless Networks

    Attackers commonly exploit unsecured wireless networks to gain greater access to a corporate network and compromise data. Trustwave will perform a penetration test of wireless networks using directed attack-based logic to identify the real risks inherent in your wireless infrastructure and what that risk means to sensitive data stored elsewhere. Trustwave tests a varied array of wireless technologies such as 802.11 Wi-Fi, application-specific ZigBee, 900MHz networks, legacy FHSS technologies, 5.8GHz networks and others.

    For organizations that need an expert assessment of their network security for strategic planning and to fulfill compliance requirements

    70 W. Madison Street, Suite 1050, Chicago, IL 60602

    www.trustwave.com

    1.888.878.7817

    I S S U E

    09RPT091709:

    For more information about Trustwave's Elements of Compliance and Data Security please visit: www.trustwave.com

    To ensure that your network infrastructure is secure, you must identify what you're protecting and what you're protecting it from.


    Trustwave's Proven Methodology

    Trustwave always follows a highly structured methodology to ensure a thorough test of the entire target environment and each layer of your organization's security stance. Our unique approach, comprised of both reconnaissance and attack-modeling phases, ensures that your network is tested to the full extent with minimal business impact.

    Reconnaissance

    Moving from the general to the specific, Trustwave will begin by gathering information about your network and systems. The consultant will use this step to gain an understanding of the network topology, design philosophy and security controls present.

    Network Mapping: Trustwave will use both technical and non-technical techniques for this purpose. Depending on the network, methods such as layer 2 ARP sweeps, RF profiling, or more traditional methods such as port scanning, may be used.

    System Identification & Classification: Trustwave again uses technical and non-technical methods to identify the systems, network components and security devices located on the network, and classifies them.

    Network Tests

    Low Level Network Testing: Taking a holistic view of your network architecture, Trustwave will gather vital information at this stage that may aid our consultant (or an attacker) in compromising internal systems and applications.

    System Tests

    Systemic Vulnerability Identification and Development of Attack Paths: Trustwave consultants will use the knowledge of your network to map out potential attack paths and vulnerabilities that may be exploited. At this stage they will collect necessary information and determine a plan for linear and non-linear attacks.

    Vulnerability Exploitation: Trustwave will inform key security contacts within your organization of specific vulnerability findings and explain the plan of attack for these vulnerable components.

    Once Compromised

    System Compromise: As our experts compromise your environment, they keep you informed so that you can make informed decisions about whether a particular system should undergo additional tests.

    Data Extraction: Once our experts compromise a system, they determine whether that system holds critical data and files and download a sample of this data if so.

    Further Compromise: Once a system has been compromised, its many trust relationships with other assets can lead to further exploitation. Trustwave will launch a new stage of discovery against the environment to identify any trust relationships that will allow further access to a system.

    Report Development & Delivery

    Upon conclusion of testing, Trustwave provides you with a report detailing results and recommendations on mitigating your network vulnerabilities, including:

    Assessment of design and operating effectiveness of existing controls

    Overall risk level rating

    Identified risks and potential areas of vulnerability

    Security risk mitigation recommendations

    Architectural and procedural recommendations

    Files, passwords or system information obtained during the test


    Why Trustwave's SpiderLabs is the Best Choice

    Trustwave's SpiderLabs services and delivery are backed by a full portfolio of information security resources:

    Expertise: The SpiderLabs team consists of some of the top information security professionals in the world. With career experience ranging from corporate information security to security research and federal and local law enforcement, our staff possesses the background and dedication necessary to stay ahead of the technical, legal and management issues affecting your organization's information security.

    Experience: SpiderLabs has performed hundreds of forensic investigations and application security tests and thousands of ethical hacking exercises for a client list that includes Fortune 500 companies, small to mid-sized businesses, government security agencies and law enforcement agencies.

    Certification: Trustwave is certified by the National Security Agency (NSA), the agency responsible for assessing the US government's information security posture. We are also authorized by all major credit card brands to conduct investigations of compromised merchants and processors.

    Facilities: SpiderLabs maintains the most advanced application and hardware testing facility in the industry.

    Safety: SpiderLabs works closely with clients to ensure that all of its services are performed with strict confidentiality and rigorous legal oversight.

    Trustwave Methodology