Your business may handle, process, or transfer federally protected information, or you may simply be concerned with protecting your employees' information and your company's intellectual property (IP). While you have worked hard to do the right thing, you may be unsure of your compliance obligations for this sensitive information, or of what could go wrong from the standpoint of the business, the affected end users, or your own personal liability.
What are the effects of compliance? Being compliant can help your business because, in some cases, you can advertise that you are compliant. Not being compliant will attract attention from regulators and drive business away from your company. After all, why would a customer want to do business with a company that cannot follow the rules or protect its own employees' data? One way of becoming more compliant is to ensure that internal and external penetration testing is performed; every regulatory environment we work in requires it.
Penetration testing can be in several forms:
Internal - An internal penetration test is generally performed from the standpoint of a hostile insider. In other words, if your company had a disgruntled employee, what could that employee do to damage the company or increase its risk? This can be viewed in a variety of ways, such as gaining access to the physical security system (badging) and simply turning off the magnetic door locks or cameras, allowing a hostile party to walk into the building with uncontrolled access. Other options include compromising printers to steal confidential data retained in print buffers or on printer-based hard drives, or deploying man-in-the-middle (MiTM) attacks to capture data as it travels across the internal network. The possible scenarios are practically unlimited. Lastly, a hostile party that has successfully penetrated a network using external attack methods will quite often go on to perform the same activities as a hostile insider. Should the client have an internal security team, an internal test also exercises that team's skill sets, response times, and overall response activity, as well as the configuration of the internal security technology.
External - An external penetration test is viewed as an attack from outside the network, with attempts to steal data or break into the target location in order to launch a further internal attack. External testing almost always involves some form of web application testing in order to gain access to that application and launch further attacks from there. Quite often the theft of data is possible, as is the planting of hostile code in the hope that legitimate users or administrators will inadvertently launch it, creating further issues that benefit only the hostile party. From the Arrakis standpoint, once we have a valid external target (and an approval letter), we work with the absolute minimum of information needed in order to simulate an actual hostile party. As with an internal penetration test, if the client has a security team or security-related technology, this hostile external activity provides a perfect opportunity to exercise those teams and that equipment.
Application - Application testing is simply viewed as testing the security controls of the application itself and how the application could be compromised. Arrakis tests the application against the OWASP Top 10 and other secure coding guidelines. We also apply a common-sense review of the application's design, flagging choices such as using a social security number as a username. Additionally, the various user roles are tested for possible lateral movement or escalation of privileges.
The Arrakis Methodology - Arrakis follows the same methodology regardless of the type of penetration test performed. After an engagement letter is signed, the potential targets are validated for legal testing and any necessary approval documentation is completed. The initial steps are an information-gathering exercise on public information about the target, followed by passive reconnaissance of the target(s). If compromising information is found that could result in a successful penetration, a first attempt is made. If no compromising information is discovered publicly, active reconnaissance is performed, including a vulnerability assessment, to expand the fingerprinting of the target(s). Once that is complete, any vulnerabilities found are exploited. For internal penetration testing, programs that can be deployed in a hostile manner to gather further information or to compromise data in flight are utilized.
After a PenTest - So you have had a pentest performed and you would like to know where you stand. Arrakis can help you remediate the issues found and can also act as an independent verifier of your remediation work. As part of this verification, Arrakis provides a document indicating the status of remediation and any outstanding efforts still in progress. Additionally, Arrakis can help you build a long-term plan to reduce the risk uncovered by future penetration tests.
Pricing - Arrakis offers a flat fee of $35,000 per year for "pentesting as a service", which includes monthly pentests for up to 250 devices. This pentest-as-a-service price is greatly reduced compared to one-off penetration tests from other companies. Having said that, Arrakis cautions companies not to fall into the trap of any pentest priced below that, as it is likely a vulnerability assessment masquerading as a pentest. While the company may not be able to detect the difference, an auditor will. Although regulations generally require a pentest only annually, testing more often is far more beneficial to a company that wants to reduce risk. Manual pentesting is also possible, but it must be scoped separately and, it must be understood, comes at a much higher cost.