Our experts review your environment just like a real-world adversary would, going beyond vulnerability scanners to help you find blind spots, enhance your security posture and better prepare.
Many IT security firms sell some variety of automated pentesting as a budget or "on-demand" option. However, no automated or "AI powered" pentest solution can match the results of manual testing performed by an experienced professional. This is part of the reason why ECR Security finds vulnerabilities others miss.
The other problem with automated vulnerability scanners is that they produce a large number of false positive findings: vulnerabilities which have already been patched or mitigated in some other way, rendering them unexploitable. ECR Security employs manual testing on every engagement to validate findings and eliminate false positives.
A test of the internal network, including PCs, servers, routers, network appliances, printers, mainframes, NAS, and databases. Get a better understanding of possible attack vectors an internal threat could exploit. More than just a list of vulnerabilities, we understand how small, non-critical vulnerabilities are combined into a sophisticated attack chain that can result in a serious breach. Our team mimics the behavior of an attacker inside the network perimeter and maps out the paths they can take to escalate privileges, navigate undetected, gain unauthorized access and steal data.
A test of internet-facing devices, including VPN access points, web servers, firewalls, security appliances, FTP and email servers. External testing simulates the most common type of attack: a remote hacker attempting access from outside the network perimeter. Find out what an external attacker can see and access, and whether they can breach the perimeter to reach the internal network.
As web applications have gotten more complex, they have also gotten harder to secure. At the same time they have become ever more integrated into business operations and more important to your organization's bottom line. We use a combination of automated and in-depth manual penetration testing, focusing on OWASP Top 10 vulnerabilities such as Cross-Site Scripting and SQL injection. We also do business logic and process testing, which turns up vulnerabilities automated scanners often miss. The best time to test your web application is before it goes live and after any major updates.
Phishing involves contacting employees via email or SMS in an attempt to convince them to click on a malicious link and either download malware onto a company asset or give up login passwords or other confidential data. Exploiting the human element of security, this is a way to test the effectiveness of organizational policies and security awareness training programs.
Phishing is the most common real-world attack because it is the most effective way of breaching an organization's network perimeter. Attackers can leverage public information to craft compelling and realistic-looking emails while impersonating someone trustworthy.
A Red Team engagement combines phishing, external and internal testing to more accurately simulate a real attack as it moves from outside the network perimeter to the inside. The simulation includes real-world adversarial behaviors and tactics, techniques, and procedures (TTPs). Network defenders are not informed of the test to better understand threat detection capabilities and responses. Find out if your IDS and log monitoring systems are set up correctly to flag and alert on actual attack traffic. Find out if your SOC personnel respond quickly and effectively to signs of an ongoing attack. A Red Team engagement is most appropriate for an organization which already has a mature security program in place and wants to verify their security controls are effective when faced with persistent and determined attackers.
Even the best network security controls can fail when the attacker is physically inside secure facilities. Our team will try to gain access to your facilities using techniques such as impersonating service personnel (for example, janitorial staff), tricking an employee into providing access, spoofing ID badges, cloning RFID or magstripe smart cards, tailgating, climbing fences, sneaking past guard stations, or lockpicking interior and exterior doorways.
Once inside, we will attempt to evade the security systems inside the facility (cameras and motion sensors), emplace rogue listening or point-of-presence devices, and access protected areas such as server rooms, network/telephony closets, badge facilities, and executive offices.
Find out if employees are leaving confidential documents out in the open, whether employees follow No Tailgating policies, whether employees use cable locks on laptops and lock the screen when they walk away, whether computer security controls can be bypassed by booting from a malicious USB drive, and how much sensitive data an attacker can find unprotected in common areas like printer rooms. The test may also include leaving simulated malicious USB drives in the lobby or parking lot to see if employees plug them into their work computers.
Wireless is often one of the weakest links in an organization's security, propagating into areas accessible to the public and relying on inadequate encryption and security controls to prevent capture of sensitive data and access to critical parts of the internal network. Wireless testing may include attempting to access the network wirelessly from public locations, scanning for unauthorized wireless access points, cracking encryption keys in password-based and certificate-based authentication schemes, or setting up a rogue access point to collect logins from unwary users.
• We can work with you to conduct a custom test based on a specific threat scenario, such as a lost or stolen laptop or a rogue remote employee, or to simulate a specific threat actor using known tactics, techniques, and procedures (TTPs) from the MITRE ATT&CK framework.
• Testing specialized equipment which falls outside the purview of a typical test, such as SCADA/ICS.
• Rapid vulnerability verification for times when a new exploit is making headlines because of widespread attacks and you need to know NOW whether your equipment is vulnerable or not.
Depending on who you partner with for security testing, it may not be clear whether you are getting a vulnerability scan or a pentest. In some cases you might be told you are getting one when in reality you are getting the other.
A vulnerability scan is an automated scan of version numbers for software installed on your network, which may also scan for missing security patches. If it shows a security patch is missing, that doesn't mean the vulnerability is actually exploitable.
Some software (such as Apache) doesn't update version numbers when security patches are applied, meaning it will continue to show on the vulnerable machines list even after it's patched.
In other cases a vulnerable version of software needs to be configured with non-default settings in order to be exploitable. Or there may be an IPS, firewall, or some other security appliance protecting the machine with the vulnerable software. The vulnerability scanner has no way to test for any of this, however, and out of an abundance of caution and a desire to provide a report full of urgent-looking findings, any uncertain vulnerabilities are reported as positives.
On the other side of the equation, vulnerability scanners miss whole classes of major exploitable vulnerabilities, such as default password usage. Pentesting, on the other hand, usually starts with a vulnerability scan but quickly moves into manual testing to verify possible findings reported by the vulnerability scanner, as well as to test for vulnerabilities a scanner is unable to find. Real exploits will be launched at any suspected vulnerabilities. Those which are successful will be marked as validated and a screenshot will be taken as proof.
Scoping is the most important part of a penetration test of any kind. Proper scoping ensures you get the test that most closely matches your security needs while resulting in minimal or no disruptions to normal business operations. We work closely with you to determine what will be tested and when, including:
• Hours and dates of testing
• Blackout dates or times where you don’t want any testing to occur
• IPs, Subnets, and/or Hostnames to be tested
• URLs in scope for testing
• Any exclusions to IPs or pages otherwise in scope
• Any sensitive IPs or Subnets where you want to approve exploitation attempts prior to execution
• Which employees and/or email addresses to include in a phishing campaign
• Which physical facility locations to include in a physical test
• Any type of testing you don’t want performed
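As an added illustration (not ECR Security's own tooling), the scope items above can be encoded as a rules-of-engagement check a tester runs before touching any target. The subnets, hours and blackout dates below are constructed placeholders, and the check covers IP targets only (hostnames and URLs would need their own lists).

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass
class Scope:
    in_scope: list[str]                          # IPs/subnets the client agreed to have tested
    excluded: list[str]                          # carve-outs inside otherwise in-scope ranges
    sensitive: list[str]                         # subnets where exploitation needs prior approval
    hours: tuple[time, time]                     # daily testing window (start, end), local time
    blackouts: list[tuple[datetime, datetime]]   # date/time ranges where no testing may occur

    @staticmethod
    def _in_any(addr, nets):
        return any(addr in ip_network(n, strict=False) for n in nets)

    def check(self, target: str, when: datetime) -> str:
        """Classify a target at a given time under the agreed rules of engagement."""
        addr = ip_address(target)
        if not self._in_any(addr, self.in_scope):
            return "out_of_scope"
        if self._in_any(addr, self.excluded):
            return "excluded"
        # Time rules come next: a blackout overrides the normal daily window.
        if any(start <= when < end for start, end in self.blackouts):
            return "blackout"
        start, end = self.hours
        if not (start <= when.time() < end):
            return "outside_hours"
        if self._in_any(addr, self.sensitive):
            return "approval_required"   # scanning is fine, exploitation needs sign-off
        return "allowed"


# Constructed sample scope: placeholder values, not a real engagement.
SCOPE = Scope(
    in_scope=["10.10.0.0/16", "203.0.113.0/24"],
    excluded=["10.10.99.0/24"],
    sensitive=["10.10.5.0/24"],
    hours=(time(9, 0), time(18, 0)),
    blackouts=[(datetime(2024, 3, 29), datetime(2024, 4, 1))],  # e.g. a quarter-end freeze
)


def check_target(target: str, iso_when: str) -> str:
    """Convenience wrapper: evaluate a target against SCOPE at an ISO-8601 timestamp."""
    return SCOPE.check(target, datetime.fromisoformat(iso_when))
```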
Testing begins with enumeration of live hosts and research into the architecture and environment.
An automated vulnerability scan is conducted to identify software packages installed on hosts in the environment and the version or patch level. These are compared to a database of known vulnerabilities to identify potential vulnerabilities which may exist in the target environment.
Potential vulnerabilities are researched and manually verified using test scripts and other technical methods to determine if the conditions for successful exploitation exist.
A review of all previous data is conducted to determine if the previously identified vulnerabilities can be safely exploited and whether publicly available exploits exist. If both conditions are met, an exploitation attempt is conducted to prove exploitability under current conditions. In cases where the vulnerability poses a serious and immediate risk to the organization, the assessor will reach out to notify the point of contact by email and/or phone depending on severity.
Once a vulnerability has been successfully exploited, a discovery process is undertaken to determine additional business risk by searching the vulnerable asset for sensitive information. If possible, privilege escalation and/or lateral movement are conducted to discover how deep into the environment an attacker could potentially move using the previously exploited vulnerability.
At the conclusion of the penetration test we will provide a detailed report of all testing activities along with the results of testing, any vulnerabilities discovered as well as other findings of note, proof of actual exploitation, and any confidential data exposed during the test.
The report contains an executive summary written from a business impact point of view in terms a non-technical executive audience can understand with clear logic between vulnerabilities found and threats to company resources, productivity, competitive advantage, and intellectual property, including broad recommendations for changes to overall security posture and any policy level issues uncovered.
The technical details section will include enough information to enable your tech team to replicate the findings step by step, including:
• Description of the vulnerability
• IP/URL/Hostname of affected machines
• CVE number if applicable
• Screenshot, proof of concept exploit, or other proof for vulnerabilities rated Medium severity or higher
• Steps needed to mitigate
This gives your IT department all the information it will need to close the vulnerabilities uncovered during the test and prevent a real attack. Also included is a storyboard walkthrough which documents each step of exploitation and demonstrates how the vulnerabilities were chained together and what privileged access or sensitive data was gained at each step.
The Remediation section gives the steps needed to resolve all the findings discovered, ranked in order of business impact and cost in man hours to deploy. We are also able to provide post-remediation retesting and a letter of attestation for regulatory compliance requirements upon request.
After the client has finished remediating the discovered vulnerabilities, ECR Security offers optional retesting for all vulnerabilities listed in the report to verify whether the remediation effort was successful. At the conclusion of the remediation testing the report will be updated with a new risk level determination and vulnerabilities which have been closed will be marked as such.
For more information or a price quote.
+1 (512) 861-9399