PENETRATION TESTING

With the increasing reliance on computer systems, cyber security testing has become more important in helping to determine whether security controls are operating as intended and how well information assets, including intellectual property, are protected. To this end, BDO has developed a security assessment approach that can be optimized for any goal and reporting requirement.


  • BDO has world-leading expertise in employing sophisticated penetration testing procedures and tools.
  • Our team has a unique understanding and knowledge of conducting penetration tests for various entities, including military, private-sector, public-sector and federal organizations.
  • Our security experts are experienced in conducting remote tests of the Internet perimeter and internal systems, and in assessing other critical access points, including modems and third-party interfaces to “trusted” service providers or business partners.


APPLICATION TESTING

Web application testing, especially for custom-developed, rich applications, requires significant effort due to the large number of potential vulnerabilities. Web application frameworks, application programming interfaces (APIs), poor coding techniques, logic flaws and other mechanisms can each give an attacker enough information or capability to compromise a system.

BDO’s methodology and toolset provide coverage of the SANS Top 25 and OWASP Top 10 web application vulnerabilities. Web application testing specifically includes, but is not limited to, the areas designated by the PCI DSS assessment procedures: Injection Flaws, Buffer Overflows, Insecure Cryptographic Storage, Insecure Communications, Improper Error Handling, Cross-Site Scripting (XSS), Improper Access Control and Cross-Site Request Forgery (CSRF).


INTERNAL AND EXTERNAL NETWORK TESTING

Internal networks typically have significantly more systems than those exposed on the Internet. Therefore, the approach to internal penetration testing is to map the network and then prioritize the systems for detailed testing.

Systems containing personally identifiable information and financial systems are typically targeted, as are systems that may not receive consistent patching, such as atypical hardware.


MOBILE APPLICATION PENETRATION TESTING

With the increasing reliance on mobile applications, cyber security testing has become more important in helping to determine whether security controls are operating as intended and how well information assets, including intellectual property, are protected. To this end, BDO has created a mobile testing methodology that leans on guidelines from the OWASP Application Security Verification Standard and includes the following testing areas:

  • Mobile platform internals
  • Security testing in the mobile app development lifecycle
  • Basic static and dynamic security testing
  • Mobile app reverse engineering and tampering
  • Assessing software protections
  • Detailed test cases that map to the requirements in the MASVS
  • Business logic bypass
  • Authentication and authorization mechanism bypass
  • Session management
  • Access control
  • Malicious input handling
  • Cryptography at rest
  • Error handling and logging
  • Data protection
  • Communications security
  • Business logic


NETWORK SECURITY REVIEW

Network controls can effectively protect your critical assets and increase the likelihood of detecting unauthorized activity or a breach.

These areas are typically appropriate for review by our technical security assessors and engineers:

  • Perimeter design
  • Segmentation of critical systems
  • Choke points
  • Inbound remote access mechanisms
  • Wireless networks
  • Log aggregation
  • Monitoring and attack detection capability
  • Firewall rules
  • Threat intelligence
  • Maintenance processes


SECURE CODE REVIEW

Security code review is required by some regulations and is a common stage in the Secure Software Development Lifecycle (S-SDLC). In today's threat landscape, where every laptop or smartphone has access to company-sensitive data, any developed application or website that allows others to access sensitive company data requires an assessment of the security weaknesses that derive from the usage and implementation of a programming language. BDO will apply a set of detailed security testing methodologies, including automated static analysis and manual inspection of code, to audit the source code of an application and verify that the proper security controls are present. The resulting report will present the development team with the detailed security issues that may leave the application open to compromise, together with recommendations for fixing them.

BDO Cyber Security Consulting is well versed in nearly all programming languages in use today, including Java, C#, ASP, C/C++, Objective-C, Visual Basic, Perl, Python, TCL and assembly language on various platforms.


WIRELESS NETWORK ASSESSMENT

Wireless networks, by their very nature, are often exposed beyond the physical confines of your facility or offices. In addition, rogue access points may target your users’ mobile devices.

BDO assesses wireless networks by performing testing at multiple locations and monitoring for weaknesses in the networks present. We will perform brute-force attacks on the networks to confirm how easily or with what difficulty an attacker could gain access. Scanning will be performed for rogue networks and weak algorithms.

The objectives of the wireless network assessment will be to:

  • Perform a wireless network survey to identify the exposure of your networks beyond your user community;
  • Search for rogue access points set up by users or attackers;
  • Test security protocols to confirm the likelihood of a brute-force attack;
  • Search unprotected networks for gateways or vulnerable systems;
  • Capture wireless traffic to assess replay attacks or dictionary cracking; and
  • Recommend countermeasures to high-risk vulnerabilities.


SOC TESTING SERVICES

WHY EXERCISE YOUR SOC?

The Security Operations Centre (SOC) lies at the heart of any capability to defend an organization from cyber attack and to establish a baseline level of cyber resilience.

Investment in SOC capabilities is significant, and that investment in technology, intelligence and staff needs to be regularly justified against a hierarchy of security risk priorities and proven against real-world threats.

SOC testing will invariably identify multiple potential points of failure in your ability to combat a cyber attack, whether technical, human or procedural.

It will check your situational awareness and assessment capabilities, and provide a broad basis for evaluating your effectiveness in monitoring, detection, prevention and response.


TESTING YOUR CAPABILITIES

BDO’s SOC testing provides a unique service, in which multiple attack vectors are launched against the organization, both external and internal, in order to assess the actual capabilities of the SOC.

The SOC testing evaluates how, and whether, your SOC will protect the organization from a possible breach. After a few years of working for leading international enterprises, BDO’s experts have a strong history of success.

The SOC testing, which can be modified to suit the customer’s needs, includes the following:

  • Technical exploitation of the organization’s external online assets (external services, web applications, etc.)
  • Infiltrating internal networks (elevating privileges to gain internal or physical access)
  • Gateway traffic from the Internet to the intranet and vice versa (phishing emails, malware, etc.)

Attackers use a broad spectrum of tools and tactics to compromise networks; BDO’s SOC testing team not only uses today’s tools, but tomorrow’s as well. If you need to assess all the functions of your SOC, we apply the latest hacker techniques as part of a unique ‘war games’ methodology to simulate a real cyber crisis. This process evaluates how your SOC operators, analysts and managers perform when faced with different scenarios, from basic triage and first response to a low-frequency, high-impact event.