Cyber Assessments and Penetration Testing
Cyber Assessments and Penetration Testing
Cybersecurity assessments are an important component of any comprehensive security program. Stronger helps organizations of all sizes better assess and test their cybersecurity readiness. Vulnerability assessments and penetration testing programs are critical to understanding the true extent of an organization’s vulnerabilities, skills and readiness.
STRONGER TESTING SERVICES
- Risk Assessments identify, analyze and evaluate the risk to an organization. It looks at the impact and likelihood of an attack and breach and how this would affect intellectual property, customers, HR data, server hardware, laptops, systems, etc…. Risk Assessments are a more comprehensive look at an organization’s vulnerabilities and exposure. It is a key assessment used by executive teams to strategize how and when to implement recommended controls to reduce risk.
- Vulnerability Assessments create a report that identifies an organization’s exposure to being attacked. Organization’s often need outside input to see what they cannot see in their structure and systems. Vulnerability assessments are designed to identify and report noted vulnerabilities and weaknesses in the organization’s network and computer systems. Stronger leverages proprietary internal tools, as well as more commercially available tools and techniques, to identify and validate vulnerabilities, whether in the code base or known settings. Vulnerability assessments are critical for all organizations. The assessment will detect and classify weaknesses within an organization’s network and systems. What are the potentials for a breach or attack? Any vulnerabilities in the system, including open ports in the perimeter firewall, local software firewall application on a server, or outdated firmware on data center routers.
Penetration Testing
- External Penetration Test mimics the actions of an attacker seeking to exploit weaknesses in the organization’s network to test the security of an organization.
- Internal Penetration Test assess the security of an organization by testing how fire-walled and compartmentalized information and systems are within the organization. It determines if an intruder can perform malicious activities from inside the organization’s network in the event of unauthorized access.
- Independent Red Team tests the existence of vulnerabilities, the efficacy of defenses and defensive practitioners, and the effectiveness of mitigating the controls currently in place and those planned for future implementation. This is a hands on exercise and is often part of training and readiness for a security team.
- Nation-State Threat Emulation reproduces advanced persistent threats (APTs) that come from nation-state actors or known hacker groups. This type of emulation gives organizations a real time emulation of today’s specific attacks. Stronger conducts extensive research to imitate the specific tactics, techniques, and procedures (TTPs) of particular groups or nation-states to help protect the organization.
- Cyber Ranges provide hands-on training experiences countering real-world cyber threats. This includes a broad range of post-assessment challenges and activities in which staff can train, develop, and strengthen their intelligence, analysis, and incident response skills in the same environment they’ll be protecting.
Key Factors in Implementation
The effectiveness of the network architecture. We look at the effectiveness and segmentation of the network — including firewalls, functional demilitarized zones, and security appliances — to contain and regulate communication paths in and out of the network.
Internet Connection Sharing (ICS). Stronger ensures an organization is communicating with only the people they intend to by exploring ICS LAN, examining communication links between field equipment and the ICS networks, and testing an attack from a corporate client to a host inside a functional DMZ or ICS Lan.
Weaknesses in the networks. Exploring the hosts and applications that could allow unauthorized access into networks and trusted zones is essential to detecting weaknesses in networks. This includes an evaluation of the placement and configuration of firewalls and intrusion detection devices.
Effective Security Policies and Procedures. Knowing what to do when something happens is critical to successful cybersecurity. Having a plan in place to help personnel defend against, detect, and appropriately respond to both routine and sophisticated attacks is a key element in Stronger services.
YOU CAN TRUST STRONGER
A broad range of government and commercial clients trust Stronger to assess and test their IT, manufacturing, and industrial systems. Stronger’s Industrial Control System (ICS) testing team was forged in the crucible of government and agency security teams, where Stronger team members performed similar testing, exploitation, and defense of government ICS and SCADA assets.
Stronger is accustomed to the unique insecurities and handling risks associated with testing live production environments as well as the myriad of application vendor communication protocols that are inherent to ICS. Because of this, we expertly guide clients through various ways to safely test their ICSs — whether by isolating, taking system components offline, or establishing a cyber range to provide a safe virtual environment for testing ICS and other systems.
Stronger has also tested a broad range of ICS systems, including on-off, open-loop, feed-forward, and closed-loop control systems. Our team includes experts at assessing and testing the entire ICS footprint, including Programmable Logical Controllers (PLCs), Distributed Controls Systems (DCS), Supervisory Control and Data Acquisitions (SCADA) systems, Human Machine Interfaces (HMIs), and Remote Terminal Units (RTUs).
Please note – most of the SCADA/ICS projects that Stronger currently and historically have worked on are classified and cannot be generally referenced in an open forum. However, Stronger would be pleased to provide appropriate briefings to cleared US Government personnel (or alternatively direct US Government personnel to the relevant counterparts for intra-governmental briefings) after receiving appropriate authorizations from client stakeholders.