Penetration Testing

Internal Penetration Test

IT Security Compliance regulations and guidelines (GLBA, NCUA, FFIEC, HIPAA, etc.) require an organization to conduct independent testing of the Information Security Program, to identify vulnerabilities that could result in unauthorized disclosure, misuse, alteration, or destruction of confidential information, including Non-Public Personal Information (NPPI). The internal network (file servers, workstations, etc.) of the organization is exposed to threats such as external intruders breaching perimeter defenses or malicious insiders attempting to access or damage sensitive information or IT resources. In a 12-month period alone, over 100 million personal records have been compromised due to security breaches. Almost 1/3 of these breaches were the result of hackers.

Best Practices recommend that each organization perform an Internal Penetration Test in addition to regular Security Assessments in order to ensure the security of their internal network. An Internal Penetration Test differs from a vulnerability assessment in that it actually exploits the vulnerabilities to determine what information is exposed. An Internal Penetration Test mimics the actions of an actual attacker exploiting weaknesses in network security without the usual dangers. This test examines internal IT systems for any weakness that could be used to disrupt the confidentiality, availability, or integrity of the network, thereby allowing the organization to address each weakness. TraceSecurity can perform this testing either onsite or remotely.

TraceSecurity’s Internal Penetration Test follows a documented Best Practices security testing methodology, including:

  • Internal Network Scanning
  • Port Scanning
  • System Fingerprinting
  • Services Probing
  • Exploit Research
  • Manual Vulnerability Testing and Verification
  • Manual Configuration Weakness Testing and Verification
  • Limited Application Layer Testing
  • Firewall and ACL Testing
  • Administrator Privileges Strength Testing
  • Password Aging and Strength Testing
  • Network Equipment Security Controls Testing
  • Database Security Controls Testing
  • Internal Network Scan for Known Trojan/Hacker Ports
  • Third-Party/Vendor Security Configuration Testing
  • Hardened Server/Device Configuration Testing

TraceSecurity’s Internal Penetration Test also includes on-demand access to the TraceAssess and TraceReport modules of TraceCompliance Manager. The TraceAssess module provides on-demand vulnerability scanning of your network. The TraceReport module allows reports to be generated as needed for both executive/board level and technical staff.

External Penetration Test

IT Security Compliance regulations and guidelines (GLBA, NCUA, FFIEC, HIPAA, etc.) require an organization to conduct independent testing of the Information Security Program to identify vulnerabilities that could result in unauthorized disclosure, misuse, alteration, or destruction of confidential information, including Non-Public Personal Information (NPPI). The Internet-facing component (website, email servers, etc.) of the organization’s network is constantly exposed to threats from hackers. In a 12-month period alone, over 100 million personal records have been compromised due to security breaches. Almost 1/3 of these breaches were the result of hackers.

Best Practices state that each organization should perform an External Penetration Test in addition to regular security assessments in order to ensure the security of their external network. An External Penetration Test differs from a vulnerability assessment in that it actually exploits the vulnerabilities to determine what information is exposed to the outside world. An External Penetration Test mimics the actions of an actual attacker exploiting weaknesses in the network security without the usual dangers. This test examines external IT systems for any weakness that could be used by an external attacker to disrupt the confidentiality, availability, or integrity of the network, thereby allowing the organization to address each weakness.

TraceSecurity’s External Penetration Test follows a documented Best Practices security testing methodology, which includes:

  • External Network Scanning
  • Port Scanning
  • System Fingerprinting
  • Services Probing
  • Exploit Research
  • Manual Vulnerability Testing and Verification
  • Firewall and ACL Testing
  • Intrusion Detection/Prevention System Testing
  • Password Strength Testing
  • External Network Scan for Known Trojan/Hacker Ports
  • Remediation Retest

TraceSecurity’s External Penetration Test also includes on-demand access to the TraceAssess and TraceReport modules of TraceCompliance Manager. The TraceAssess module provides on-demand vulnerability scanning of your network. The TraceReport module allows reports to be generated as needed for both executive/board level and technical staff.