Network Penetration Testing - Onefede

Network Penetration Testing

Sold by: Intect Category:

A technical security assessment that goes beyond standard port scanning and vulnerability enumeration to identify the security risks and their business impact on your network, whether external, internal, or wireless.

Description

INTRODUCTION

Infrastructure penetration testing includes all internal computer systems, associated external devices, internet networking, cloud, and virtualization testing. Whether it is concealed on your internal business network or viewed from a government perspective, there is always a chance of something an attacker can leverage to damage your infrastructure.

A defense that is strong enough against application-layer attacks does not assure security at the network layer. Infrastructure penetration testing involves rigorous testing of the controls, frameworks, and processes designed for the networks related to the system. It lays out procedures to penetrate the key networks of the system from multiple entry points at different levels, with the aim of identifying security weaknesses and mitigating them well before attackers find them.

METHODOLOGY

AUTOMATED: We identify the vulnerabilities present in the in-scope assets with the help of automated tools and eliminate the false positives. Ideally, such an assessment should be used for non-critical assets.

MANUAL: The analyst identifies every exploitable vulnerability in the in-scope network assets. Working manually, we enumerate every open port and the services running on the assets within the scope. We then test them for vulnerabilities according to their level of exploitability and availability in the environment in which they exist. We verify and validate these vulnerabilities against the standard benchmark.

BLACK BOX: In a black-box assessment, the auditor has no internal knowledge of the target system. A black-box security assessment determines the vulnerabilities in a system that are exploitable from outside the network. Black-box penetration testing is performed on all publicly discoverable servers, network and security devices, etc.

GREY BOX: In a grey-box assessment, the auditor typically has some knowledge of the internal network, potentially including design and architecture documentation and internal access to the assets. The purpose of a grey-box assessment is to provide a more efficient and focused security assessment of in-scope network assets than a black-box assessment. This activity helps to simulate an attacker with longer-term access to the in-scope network.

SECURITY CONTROLS

| Control Group | Control Group Specification | Description |
| --- | --- | --- |
| Access Control | Authentication | Authentication is the process of verifying that an individual, entity, or node is who it claims to be. In infrastructure, different types of authentication protocols are used, such as Kerberos. |
| | Authorization | An authentication protocol is a type of computer communications protocol or cryptographic protocol specifically designed for the transfer of authentication data between two entities. |
| Data Security | Data at Rest | The controls in this group are checked against data stored on media such as system hard drives, external USB drives, storage area networks (SANs), and backup tapes. |
| | Data in Transit | The controls in this group are checked against data that is transmitted over a network, including internal networks using wired or wireless methods and public networks such as the Internet. |
| | User Input Handling | Vulnerabilities that fall under this group, such as SQL injection, cross-site scripting, insecure file upload, OS command injection, HTTP response splitting, etc., are checked. |
| Risk Management | Updates and Upgrades | The controls in this group are checked against asset specifications within the network, such as firmware version, OS patches, hotfixes, etc. |
| Log Management | Logging and Monitoring | Logging controls evaluate the network for the information stored in client-side/server-side logs or the logging methodology. |
| Configuration Management | Misconfiguration | Controls in this group evaluate the network for its configuration, without which a network might end up disclosing internal/sensitive information. |
| System Security | Password Management | The controls in this group are checked against the network which implements password management. |

Vendor Information

Description

Intect is a top penetration testing and security assessment firm with a focus on web, mobile app, network, and cloud testing. As a security partner, we identify and demonstrate the risks and vulnerabilities that put clients at risk.

Our mission is to help our clients secure their digital assets. We operate across India and in several other countries for clients who require our specialised skill sets.

Our team includes active security researchers, ethical hackers, bug bounty players, and tool developers who are highly credentialed in their field. We work hard to stay at the forefront of the cybersecurity industry, and that is shown through our research and training.

Our penetration testing assessments are not just a tick in the checkbox on the list of security requirements. The detailed reports we provide enable you to substantiate the security of your applications and networks to your stakeholders. Intect provides the technical expertise and guidance to find the gaps in your security.

Our consultants have expertise across a range of industries, including BFSI, e-Commerce, telecom, technology, enterprise suites, manufacturing, education and public sector.
