PHYSICAL, LOGICAL & TECHNICAL SECURITY & TESTING SERVICES
An organization's priority when it comes to security, whether it be physical, logical, or technical, is to identify where its weaknesses and vulnerabilities exist and to mitigate them to the highest degree possible before a malicious bad actor does. The real damages associated with a breach can be disastrous in financial terms through fines, penalties, and litigation, but it is the harm to a firms' reputation and good-standing that can be deadly.
RedPenSec's (Red Team, Penetration, Security) technical experts are experienced and highly-skilled ethical hackers who hold some of the most respected industry certifications and follow the highest standards in the field. Together, our team offers a wide variety of cybersecurity services and custom-crafted options to keep your organization ahead of the bad guys by keeping your finger on the pulse of its security stance, protecting your people, assets, and reputation. Further, Internal/External Vulnerability Scanning and Penetration Testing are also a due diligence and compliance requirement of many industry standards and frameworks, such as PCI-DSS, HIPAA, GDPR, NIST, and ISO, therefore, it is a highly recommended first step towards understanding your cybersecurity posture and gaining control of any weaknesses or vulnerabilities that you may be unaware of, but a malicious attacker might find to exploit your organizations' Confidentiality, Integrity and/or Availability, the "CIA Triad".
Our comprehensive documentation and reporting will arm you with the information and recommendations you need to remediate any vulnerabilities and weaknesses to achieve and maintain your cybersecurity compliance goals.
If you have a question for our team or would like more information on our services, we are available for a free, confidential, no-obligation consultation to discuss your cybersecurity concerns, answer your questions, and have a conversation about how we can help your organization meet its' cybersecurity and compliance goals.
Internal & External Vulnerability Scanning Services
Internal/External Vulnerability scanning focuses on identifying host and network-based IT security issues within a target environment using a combination of industry-standard, open-source, and proprietary tools combined with AI powered testing methodologies.
• Identify security issues affecting accessible IT and IS assets
• Identify missing patches, recommended system upgrades, and out-of-date software
• Catalog known vulnerabilities associated with an open port or running service
• Ensure compliance with approved configuration standards
Penetration Testing & Segmentation Testing Services
Internal, External, Wireless & Web Application Penetration testing and post-exploitation focus on the controlled discovery and exploitation of vulnerabilities and insecure configurations identified in the target environment using a combination of highly specialized, enterprise-grade tools and manual techniques. Pen-Testing (ethical hacking) focuses on emulating the actions an adversarial user would take while attempting to compromise the organization by gaining unauthorized access to critical data, internal systems, intellectual property, or organizational assets to affect the confidentiality, integrity and/or availability (CIA Triad) of the business and its' resources.
We perform the bulk of our testing manually, with an effective real-world approach that ensures the best outcome for our clients. Unlike many of our competitors, we do not simply use automated tools such as Nessus or MetaSploit, preferring to use manual, hands-on techniques to safely and effectively attack and evaluate the security of your infrastructure. In addition to ensuring that we provide the most thorough and accurate assessment possible, our carefully plotted and planned methods greatly reduce the risk of unintended Denial-of-Service (DoS) attacks during the exercise, which is a risk when automated testing techniques are used.
Our work approach for Web Application penetration tests is modeled around the Open Web Application Security Project (OWASP) testing methodology and as such follows the most current OWASP recommendations and best-practices. Our proprietary testing methodology is built specifically around the OWASP testing guide as it is the definitive resource for web application penetration tests. Using this approach allows us to be creative in our approach while staying within a secure framework.
Pen-Testing and Ethical Hacking is designed to:
• Emulate real-world intrusion techniques with tailored attacks specific to the environment
• Provide a carefully controlled and monitored adversarial simulation by attacking assets in the target environment
• Evaluate your overall technical security environment, phishing, and CIA Triad security controls
• Provide recommendations and solutions, based on best practices, for remediating any weaknesses or vulnerabilities discovered
Segmentation Testing is performed to verify/confirm that the traffic flows containing sensitive data (PAN, SAD, PHI & PII for example) are not able to co-mingle with less sensitive data. Network segmentation is often used for compliance scope reduction, operational performance improvement via reduced network congestion, and malware/virus outbreak containment.
Technologies tested often include:
• VLANs (Virtual Local Area Networks)
• Firewall Configurations
• ACLs (Access Control Lists)
• Router & Switch Configurations
Physical Security Assessments/Audits & Physical Penetration Testing
Physical Security Assessments/Audits, as indicated by the name, focus on physical security controls (versus logical or technical controls). RedPenSec uses a comprehensive, best practices methodology to pinpoint gaps in controls meant to protect your organizational assets.
Physical Security Assessments/Audits are on-site engagements, domestic and/or international, designed to audit and evaluate your physical security controls, based on industry best practices, and may include:
• Comprehensive review of Physical Security Policies & Procedures
• Audit and testing of physical security access and controls (RFIDs, locks/latches, doors, gates, fences, roof access, terrain, landscaping,
barricades, windows, docks/waterside access, mantraps, hinges/hardware, and tailgating, for example)
• Site Illumination/Lighting
• Video surveillance & Monitoring (logging/back-up, adequate coverage & resolution)
• Vehicle Inspection & Access
• Defense in Depth (DiD) for Core Assets
• Break & Blast Resistant Glass
• Equipment/Critical Assets Security (utilities, HVAC/Air Intakes, control/communications rooms/wiring closets, POS Systems/Point of
Interaction Devices (POI)/Servers)
• Alarms & Sensors
Note: Physical & Logical Audits can be assessed together and will include additional elements.
Secure Code Review
Application-level security is more scrutinized than ever. As apps become more interconnected, flaws in the code of one application can very easily lead to the exploitation of other applications. Maintaining a high-quality code base, by verifying that correct security mechanisms are in place, and that the apps themselves do not contain vulnerabilities is critical.
The goal of a secure code review is to apply a set of security standards to the code, and then identify specific security-related flaws within it that a malicious user could use to compromise the confidentiality, integrity, and availability of the application. A secure code review is a highly specialized, systematic examination (using both manual and automated resources), performed by our experienced application security personnel, to identify any security-related vulnerabilities, code smells, weaknesses or flaws which may exist.
Our services include:
• A line-by-line manual inspection and review
• Threat Modeling, Penetration Testing, and Infrastructure Review.
• Provide a detailed report with recommendations and solutions, based on best practices, for architecture improvements to
maximize security and performance.