Icon1.png

Internal Penetration Test - IPT

 

description

The goal of a penetration test is to try and identify exploitable weaknesses in the target. Often times something that is exploited does not directly result in a true or complete breach but may offer a toe-hold which creates another avenue or vector by which the attacker can use to continue attacking the target. This toe-hold concept is known as pivoting. During our testing E3 will attempt to identify possible pivot points in order to identify possible means of data ex-filtration, device compromise or denial of service.

  • Internal Network Penetration test for authorized LAN/WAN segments

  • Vulnerability identification and risk ranking

  • Threat modeling and exploitation attempts for identified vulnerabilities

  • Brute force testing

  • Data ex-filtration attempts

  • Review of monitoring/alerting for intrusion attempts


TESTING OBJECTIVES

There are many methods to employ pivoting techniques with technical and non-technical attacks. Ultimately, the goal is to find a weakness which can be exploited to gain access to sensitive information. When conducting these tests, E3 has the goal to try and identify weaknesses and attempt to exploit them as a malicious attacker would.

There are essentially three types of penetration test approaches. The first approach is the black box testing approach where the tester is given little or no information about the target and has no real communication with the target’s internal staff.

The next approach is known as white box testing. This testing is done with full knowledge of the target’s internal staff and the target generally gives the tester information about their target in advance.

In white box testing for example, it would be common for an applications source code to be provided. It would be common for configurations of firewall and other network devices to be given in advance of threat modeling and vulnerability testing. This approach gives the tester a lot of inside knowledge that an outsider would not have. This approach effectively decreases the amount of time required to identify possible vulnerabilities or attack vectors.

The third type of testing approach is known as grey box testing. Grey box testing, as one might expect, is a hybrid between black and white box testing. The degree of advanced knowledge given to the tester is generally worked out during the scoping phase of the test.

Most penetration testing employs various methods of social engineering unless otherwise directed by the target.


Are you interested in E3 Services? Do you want more information or a proposal? For more information or to receive a Request For Proposal questionnaire please contact us toll-free at (866) 585-8324 or via email at webmaster@e3tech.net.
— Exceeding Every Expectation
Icon1.png

External Penetration Testing - EPT

description

External penetration testing follows the same basic outline as the internal penetration testing. The main difference is that the external testing is conducted remotely using E3 systems hosted at our data center. Utilizing the Penetration Execution Standard (PTES). E3 will follow the framework described above against all the internet facing systems we are authorized to test.

External testing includes the same basic stages as the internal penetration testing does:

  • Passive and Active information gathering

  • Vulnerability identification and ranking

  • Threat modeling and exploitation attempts

  • Detection avoidance

  • Denial of service attacks

  • Brute force attacks


Are you interested in E3 Services? Do you want more information or a proposal? For more information or to receive a Request For Proposal questionnaire please contact us toll-free at (866) 585-8324 or via email at webmaster@e3tech.net.
— Exceeding Every Expectation
Icon3.png

Web Application Penetration Testing - WAP

Description

Web application penetration testing also follows the same general principals as an internal or external network penetration test. Our web application penetration test will provide you with a better understanding of potential vulnerabilities and accessibility of the target application. Our testing does include the use of automated software. However, software of our own creation and manual procedures and attacks are used to thoroughly test and review your application. E3 will use the OWASP testingmethodology. Through this process the application’s security model itself will be effectively evaluated.


Testing objectives

Testing attempts to determine if the application’s security measures work effectively.

  1. Testing will attempt to identify any weaknesses in the application setup and configuration that can be exploited

  2. Testing will further identify if any application security weaknesses exist and provide recommendations for repair.

  3. Utilizing the OWASP methodology for conducting web application penetration tests can be summarized as follows:

    • Information Gathering

    • Business Logic Testing

    • Authentication Testing

    • Session Management Testing

    • Data Validation Testing

    • Denial of Service Testing

    • Web Services Testing

    • AJAX Testing (if applicable)

    • Report writing and follow up

Are you interested in E3 Services? Do you want more information or a proposal? For more information or to receive a Request For Proposal questionnaire please contact us toll-free at (866) 585-8324 or via email at webmaster@e3tech.net.
— Exceeding Every Expectation