Red teaming is the practice of analyzing a security mechanism from the standpoint of an external attacker or adversary. A red team is a group of third-party penetration testers that detects vulnerabilities in your systems and networks while mimicking the attacks of an intruder. The ultimate purpose of red teaming is to HARDEN your security against real-world attacks.
Red Teaming Strategy - Penetration Testing Tactic
Smart organizations use the progressive strategy known as “red teaming.” This is the rewarding practice of using an external, independent team to challenge organizations to find ways to improve their effectiveness. The red teaming strategy encompasses and parallels the military use of simulations and war games, invoking references to competition (play) between the attackers (the red team) and the defenders (the blue team). Our clients use red teaming to improve the security effectiveness of their business and information systems.
Practice against Us to Win against Them
We will challenge your security mechanisms and procedures so you can improve their effectiveness against actual adversaries. Our ultimate objective is to subject your security policies, programs, ideas, mechanisms, procedures, and assumptions to meticulous analysis and testing. We are able to do this by deploying our Global Ghost Team™; helmed by Kevin Mitnick, this team maintains a 100 percent successful track record of penetrating systems using technical exploits and social engineering to expose vulnerabilities within any organization. Consider this red teaming a friendly face-off between our world-renowned Global Ghost Team™ and your organization’s security team. Your defense team will hone its skills by practicing against us.
This practice will reveal holes and vulnerabilities in your organization’s defenses so you can eliminate them before your real enemy (the “black hat” attacker) takes advantage of them. We will provide mitigation strategies to eliminate vulnerabilities to ensure you will win against malicious hackers in the battle of security. Remember, the reality is that you are practicing against us so you can beat the bad guys. To be the best player, we scrimmage constant attack scenarios together so your organizational security will always be at the highest level of security effectiveness and readiness.
Business and Financial Factors of Red Teaming
It is crucial that you understand how valuable and important it is to constantly use the red teaming strategy. Before that, you must come to grips with the reality that it is impossible to quantify how secure something is. Theoretically, the goal of being 100 percent secure and ready for any attack can only be reached temporarily at best because the goal is a moving target. There is no such thing as absolute security. The bad guys are always researching and developing new ways to prey on slow-moving organizations. Red teaming propels organizations forward to stay apace with those who would do them harm and to ensure constant preparedness to face the evolving security challenges that lie ahead.
Our goal is to supplement your decision-making process by clearly laying out the strategies of the attacker for you to envisage. Mitnick Security’s Global Ghost Team™ will explore alternative security mechanisms and procedures that you can deploy and provide you with intelligent estimations of their effectiveness. The purpose is to make you aware of your adversary’s abilities and facilitate mitigation before business losses occur. As soon as you stop strategically red teaming, your security and readiness for attacks diminishes. The odds increase that new unknown vulnerabilities, technologies, and techniques will provide unforeseen exploits and attacks.
This is why militaries are constantly “war gaming.” This is why you should constantly undergo penetration testing. To improve your play, to become the best you can be, you should always practice against the best you can find. This is why practicing against the Global Ghost Team™ is your best option for red teaming and penetration testing.
Mitnick Security will evaluate various areas of your organizational security using a multidimensional approach. Our Global Ghost Team™ follows the Defense in Depth concept while testing, which means we will test your security against every layer of possible attack, including application boundary, external perimeter, internal LAN, individual hosts, application, and operating system, among others. Our team will test each layer to see how well it complies with your organization’s security policy. We will test areas of your organizational security including, but not limited to, Internet security, data security, social engineering, wireless security, communications security, and physical security. Our Global Ghost Team™ uses a balanced and tested combination of publicly known and proprietary penetration testing techniques that reveals maximum vulnerabilities in your systems and networks.
How to Maximize Your Red Teaming Budget's Effect
While you want to be effectively secure against the latest and most advanced threats, we understand that you are on a budget and will want to achieve the maximum results from your dollar. This is where our Global Ghost Team™ comes into play. At Mitnick Security, we have a team of highly skilled elite security experts who are adept at locating the maximum number of vulnerabilities in systems and networks within a given amount of time.
Simply put, our Global Ghost Team™ will give you the most bang for your buck. Unlike many other red teams out there, the veteran professionals on our team know exactly where they need to be to uncover the most significant vulnerabilities in your systems and networks. Our team is able to discover vulnerabilities and develop corresponding exploits using the least amount of time and effort. We pass these savings on to you when you employ the world’s premium red teaming service at a competitive rate.
A General Overview of the Meaning of Penetration Testing
Penetration testing occurs when organizations engage trusted third-party security professionals to simulate attacks by real intruders against their systems, infrastructure, and people. Penetration testing provides you with a thorough analysis of the current security of your organization. The results of penetration testing are presented in an executive report that contains details of the existing security posture of your organization, possible consequences of an actual attack, and, normally, Mitnick’s recommended solutions to HARDEN your security. Penetration testing is the most thorough possible analysis of your security because actual vulnerabilities found are exploited to understand the depth and breadth of how your organization can be compromised. Your organization will be able to understand its current level of security and the consequences of an attacker breaking in through your defenses.
The Extensive Advantages of Penetration Testing
The benefit of penetration testing is increased security and security awareness for your organization. It will provide you with in-depth, actionable reporting and analysis to facilitate your planning and strategies, and it will provide practical solutions to your security deficiencies. You will learn the attacks your systems and networks are vulnerable to. You will understand whether or not your current defenses would protect your organization against viable attacks. Your high-risk vulnerabilities will be exposed. Possibly the most important benefit of penetration testing, using an external party, is that the knowledge gained will help both management and staff to see the “security truth” and will dispel myths of “it couldn’t happen to us.” A third party offers an unbiased, realistic measure of your existing security and provides expert remediation to help mitigate risk and align with best security practices. While penetration testing is the ultimate tool for hardening overall security in your organization, Mitnick Security provides the ultimate penetration testing team.
Mitnick's Approach to Penetration Testing Using Our World-Renowned Team
Overview of Mitnick's Capabilities
Our Global Ghost Team™ has world-renowned knowledge on all aspects of penetration testing, including extensive access to all toolsets and leading technologies in the world today. We gain detailed knowledge of your systems and network(s). We do not simply regurgitate the output of automated scans and tools. This is because, unlike most of the security firms performing penetration testing, Mitnick Security deploys senior security specialists to manually scan your systems. These specialists are experts on formulating exploits that target specific vulnerabilities in your systems. They then initiate attacks tailored toward the weaknesses discovered in your systems.
Our approach is highly effective in exploiting maximum vulnerabilities in your systems, as opposed to depending on automated scan results and generic exploit codes alone, which can reveal only approximately 15% of your vulnerabilities. This is one of the “dirty little secrets” of the penetration business, and it is why discerning clients choose Mitnick Security. We reflect what a concentrated, researched, and planned attack would actually be like in a “real world” situation. Automated scanning reflects the least sophisticated hacker you will face, for these automated scanning tools are readily available to the public.
Using Mitnick Security’s adaptive methodology allows us to discover chains of vulnerabilities hidden in the deepest levels. Our team deploys the lateral thinking of hackers to spot relations among vulnerabilities that occur, or “chain,” together. This is to ensure that our Global Ghost Team™ identifies the maximum attack vectors.
An additional unique feature of our testing is that when we simulate the attacks of actual hackers, we keep disruptions to operations at a minimum. Normally your staff is completely unaware we are there. This is how it happens in the real world.
There are generally four phases to any type of penetration testing: planning, pre-attack, attack, and post-attack.
The scope and objective of the penetration test is defined, and your expectations, as well as our understandings, are made clear. The timing and duration of the penetration test is determined. The organization may, or may not, choose to alert the employees of the penetration test. We always recommend the latter to ensure an accurate result and reflection of your security posture.
Our Global Ghost Team™ follows a flexible approach to penetration testing. We adapt our methodology according to the intelligence we gather. We start with “Reconnaissance” or “Data Gathering” of the intended targets. During this phase, our team collects details about the target from a variety of sources. For example, when our targets are systems, we use sources including WHOIS databases and DNS servers. We locate the IP blocks and use WHOIS lookups to gather information relating to personnel and hosts. Coupled with extensive network scanning, this information then aids us in the creation of detailed network diagrams and target identification. After identifying the system targets, we perform port scanning to find open ports. This is followed by service identification. After that, we scan for vulnerabilities in the target. For real human targets, we may use social media sites such as LinkedIn or Facebook to gather information on identities. Unlike most security firms, Mitnick Security also uses senior security specialists with at least 10 years’ experience to manually scan the systems, in addition to the common practice of automated scanning. We perform an in-depth manual analysis to discover hard-to-find vulnerabilities buried deep inside your systems that an automated scan can never find. We write “exploit code” to target specific vulnerabilities discovered in your systems. This is to ensure that our Global Ghost Team™ identifies the maximum number of attack vectors.
After vulnerabilities are located and qualified, the penetration attempts or “attacks” begin. This phase includes penetration of the perimeter by testing for buffer overflows, SQL injection, improper sanitization, denial of service possibilities and other issues, without causing harm to your business operations. Wireless configurations are also tested for security flaws. The target is then “acquired” by either using an automated exploit framework (if the vulnerability is well known) or by writing a manual exploit against that target’s vulnerable system or device. The Global Ghost Team™ also uses a variety of social engineering attacks that exploit the “human” element of security. We test the enforcement of your security policies and analyze the current level of awareness of employees, regarding security threats.
Once a target has been acquired, we attempt to gain higher privileges to gauge the level of access an actual attacker could have in such a situation. We gain greater access to protected resources by using privilege escalation attacks. Our Global Ghost Team™ welcomes the challenge of escalating privileges on your target system or network, while causing no disruption to your normal business operations. For illustrative purposes, you may request that we leave a signature on the system or network that we have compromised.
In this phase, we restore the systems and network configurations to their original states (i.e., the condition they were in before the commencement of the penetration test). This phase involves activities such as removing files, cleaning newly added registry entries, and removing any shares or connections. Our Global Ghost Team™ cleans up after the client has accepted the report.
As penetration testing concludes, normally you are provided with a report that contains the findings of the test. The report is normally tailored to the receiving audience, defined in the planning phase. This report includes a summary, a list of vulnerabilities discovered, an analysis of the findings, conclusion of the findings, remediation measures and recommendations, log files from tools as evidence of findings, and an executive summary for sharing across corporate levels.
Some clients want to know the extent of what is at risk and the value of the assets at stake. We identify the assets exposed to the vulnerabilities that we discover. After successful exploitation, we calculate the level of exposure of these assets and then determine the probability of the threat materializing and the expected losses, if any. This will help explain the impact of security compromise in terms of monetary figures.
The Multiple Types of Penetration Testing We Provide
Social Engineering Penetration Testing
Understanding the Meaning of Social Engineering Penetration Testing
Social engineering penetration testing will determine if your people are susceptible to being tricked into revealing information or performing an action, such as opening an Office document sent in an email. Social engineering is an art that leverages people’s tendencies to trust. It exploits their complicity in being blissfully gullible in the approach to their work. Trust is a truly noble human characteristic; however, in terms of organizational security, it is also a truly significant weakness because trust can be exploited. Social engineering penetration testing will manipulate individuals’ trust and attempt to influence them to ignore your organizational security policy.
Social Engineering Penetration Testing Is Critically Important for Security
Social engineering attacks are the most serious cyber threat organizations face today. When you undergo social engineering penetration testing, you will learn how vulnerable you are to bad decisions regarding security best practices, which are normally widespread and unaddressed at all levels of an organization. Many of your people will be easily convinced to unwittingly hand over the “keys to the kingdom.” Social engineering attacks are the most difficult to detect and defend against. Mitnick Security’s groundbreaking social engineering penetration testing will help identify which people can be compromised and their level of susceptibility to social engineering attacks, and we are able to recommend or provide the training and inoculation exercises they should receive. Furthermore, we are able to put in place new (or adjust old) security policies to reflect the new realities of the threats that social engineering brings today. Mitnick Security recommends a recurring social engineering penetration testing program, not only to ensure that new security policies are enforced but also to keep your staff in a constant state of alertness.
Why Mitnick Security Is the World Standard for Social Engineering Penetration Testing
Kevin Wrote the Book
Kevin Mitnick’s method of social engineering penetration testing is the leading standard for the security industry. In his groundbreaking and bestselling work, The Art of Deception: Controlling the Human Element of Security, which is required reading by many organizations, including universities, Kevin explains that the easiest way to penetrate high-tech systems is through the people who manage, operate, and use them. In it, he demonstrates that humans are the weakest link in security. Therefore, the company he founded, Mitnick Security, uses his proprietary blend of information reconnaissance, technology, and personally mentored social engineers to provide unparalleled social engineering penetration testing through all attack vectors, including phone, web, e-mail, social media, and onsite infiltration.
Kevin’s Company Deploys His Proven Principles and Techniques
Social engineering penetration testing involves expert use of persuasive techniques that allow careful manipulation of personnel. This involves the use of psychological principles that often lead to devastating effects on security. Use of these principles requires skilled professionals with a highly flexible approach. Some of these principles are Trappings of Role, Establishing Credibility, Altercasting, Distracting from Systematic Thinking, Building a Momentum of Compliance, Exploiting Attribution, Exploiting Liking, Invoking Fear, and Exploiting Reactance. These are just some of the principles deployed during social engineering penetration testing. Note that all of these techniques are highly flexible, and Mitnick Security’s team of the world’s leading experts are extensively trained in the correct deployment of these techniques.
Trappings of Role
The Global Ghost Team™ members exhibit the behavioral characteristics of the role . . . “they look like they belong.” Your personnel fill in the blanks when given just a few characteristics of the role. The role our team plays may be that of IT technicians, customers, newly hired employees—whatever it is, “we belong.”
Establishing credibility is the first step in social engineering penetration testing. The Global Ghost Team™ establishes itself as being trustworthy, using a variety of tactics.
The team maneuvers the targeted person into an alternative role, such as forcing submission by being aggressive. Alternatively, our team gains the sense of a role in which the targeted personnel would be most comfortable. Your staff is likely to accept positive roles that make them feel good.
Distraction from Systematic Thinking
Human beings process incomplete information in systematic or heuristic mode (Dr. Brad Sagarin, a noted professor of psychology, explains, “When processing systematically, we think carefully and rationally about a request before making a decision. When processing heuristically, on the other hand, we take mental shortcuts in making decisions”). The Global Ghost Team™ approaches your personnel who are in heuristic mode and keeps them there. In this mode, your personnel may comply with a request that might otherwise be challenged.
Building a Momentum of Compliance
Our team starts by making a series of innocuous requests (which your staff will readily comply with) and eventually makes requests that threaten security. This establishes a mental framework in which the target is positioned to think about and treat the sensitive information as innocuous.
Exploiting the Human Nature
Helping makes us feel empowered. The Global Ghost Team™ takes advantage of your staff’s inclination to be helpful. It is a business conundrum, for businesses want “friendly and helpful,” yet it is one of the biggest vulnerabilities known today.
The Global Ghost Team™ will get your personnel to attribute certain characteristics to them, such as credible, trustworthy, expert, and so on. These attributes later allow the team to manipulate your personnel into revealing sensitive information or performing actions that threaten your organization’s security.
Your personnel help people they like. The Global Ghost Team™ takes advantage of this fact by posing as likable individuals (e.g., people with similar career interests, educational background, or hobbies) or by simply using flirtation to get personnel to succumb to physical attraction.
The team invokes fear in your personnel by making them believe that something terrible is about to happen. The team will state that danger can be averted if the personnel act as instructed. The target is likely to ignore security protocol due to the fear of impending doom.
When people feel their choice or freedom is being taken away, they lose their sense of perspective. The Global Ghost Team™ exploits this normal human condition. An example might be a call made to the target stating that he or she will not have access to a certain resource for an unacceptable duration. When the person becomes emotional, our team suggests a solution that requires overlooking security protocol.
Categories of Social Engineering Penetration Testing
Different Types of Social Engineering
Modern social engineering penetration testing is categorized into human-based and computer-based social engineering penetration testing. Computer-based social engineering techniques use computer systems as a medium of attacks and manipulation, whereas human-based social engineering techniques involve direct involvement of personnel. It is important to differentiate between the two. This is because computer-based social engineering attacks are equally devastating for your organization. It is usually easier to write a well-thought-out, manipulative e-mail than it is to deceive a person on the spot. These are some of Mitnick Security’s social engineering penetration testing techniques that are publicly known, but many are not known outside the company.
Examples of Human-Based Social Engineering Penetration Testing:
Eavesdropping: This involves secretively listening to communication between two parties.
Piggybacking: The Global Ghost Team™ tags along with an authorized person into your secure facility, sometimes simply by initiating an intriguing conversation.
Impersonation: The team members pretend to be valid employees of your organization. Duplicate identification information aids the team in gaining access to secure areas.
Examples of Computer-Based Social Engineering Penetration Testing:
Spear Phishing Attacks: The Global Ghost Team™ sends carefully crafted e-mails to your employees, tempting them to click a link or reveal sensitive information. The team targets specific employees of your organization based on either susceptibility or position within the organization.
Mass Mailer Attacks: The Global Ghost Team™ sends carefully crafted bulk phishing e-mails to your employees, eliciting a response.
SMS Spoofing Attacks: Our team crafts SMS messages and sends them to targeted employees in your organization. These SMS messages appear to come from an authentic source.
External network penetration testing scans your organization’s systems and network(s) for potential security holes from the outside, using a public network such as the Internet, and gathers information and performs exploitation from outside of your network perimeter. External network penetration testing involves analyzing your organization’s publicly available information and testing your organization’s publicly accessible infrastructure, which essentially finds the holes in your perimeter defenses.
An Absolute Necessity
An external network penetration test will help you assess the level of damage a hacker could cause while acting from outside your network perimeter. It will also help you determine the practicality and effectiveness of your defenses against targeted attacks. It will tell you whether your current level of security would outweigh the dedication and skills of an external attacker or succumb to their challenge. You will learn system and personnel response times and coping mechanisms they have for attacks, including how much damage could be caused in the time it takes to respond. Thorough external network penetration testing plays a vital role in ensuring the security of your external network(s).
Scanning Is Just Scratching the Surface—People Make All the Difference
Mitnick Security’s Global Ghost Team™ consists of world-renowned penetration testers who are skilled in the art of “manual penetration testing.” Our team finds the maximum number of vulnerabilities, using a combination of automated and manual scans. Automated scans depend on the knowledge base of the scanners. These scanners contain “signatures” of commonly known and exploited vulnerabilities. There are limits to the number of vulnerabilities these scanners can detect. Studies have shown that detection rates of even the best vulnerability scanners cannot match the detection rates that result from a thorough manual scan. People make the difference. With Mitnick Security, it is all about the senior people we have on our team.
Automated Scanners Only Reveal 45% of Vulnerabilities at most—A MUST-READ FACT
The following is a truly important fact to understand regarding the use of automated scanners with external network penetration (and vulnerability assessments):
According to the Open Web Application Security Project (OWASP), MITRE Corporation (a not-for-profit organization that engages in research and development sponsored by the US government) “found that all application security tool vendors’ claims put together cover only 45% of the known vulnerability types (over 600 in CWE). They also found very little overlap between tools, so to get 45% you need them all (assuming their claims are true).” CWE stands for Common Weakness Enumeration, which is from the MITRE not-for-profit organization, and is a community-developed list of software weakness types.
Our Team Augments Automated Scanning with Proven Real-World Methodologies
The Team and the Approach
The Global Ghost Team™ stands out high above the crowd because of our manual techniques. We have creative masterminds, the world’s leading “white hat hackers” who have the knowledge to discover all related vulnerabilities during a manual scan. For specific types of networks, because of our unique global reach, we can bring in specific specialists. Our team uses “lateral thinking” to discover chains of vulnerabilities. This is done to ensure we reach deeply embedded vulnerabilities that an automated scan simply cannot find. Ultimately, we give you a thorough, well-researched analysis into how vulnerable your assets are to security breaches. Others just give you 45% of what you should know, at best. Mitnick Security’s people discover vulnerabilities that automated tool-based scans simply cannot identify.
Because of new Zero-Day exploits, security researchers must augment automated scanning and testing of your systems. Zero-Day exploits are those for which no official patch has been released by the vendor, that is, the number of days since a security patch has been released is zero. Every day, new Zero-Day exploits are discovered, traded, and sold. Mitnick is at the forefront of Zero-Day exploits because we manage our own private marketplace for them.
Unless your domain registration information is kept “private,” a WHOIS search reveals significant information about your company. This includes the owner, the registered address, the technical and DNS contacts, contact e-mail, contact phone number, and domain expiration date.
Google Search Using Advanced Filters
Our Global Ghost Team™ uses this technique to leverage the power of the Google search engine. The team accesses relevant information about your organization’s domain using Google’s advanced search filters (e.g. “site,” “intitle,” “intext,” “inanchor,” “inurl,” “filetype,” “cache,” etc.). Using advanced searching, our team gains access to information such as “removed content” (recovered from the Google cache), web server banners, default page titles, “admin” pages, “index” pages, specific types of files, and so on. This information is leveraged in the later phases.
Network scans serve as building blocks for the attack phase.
ICMP Scanning: Our team sends ping requests to determine live hosts, and though your external network security device may deny ping requests, our team is still able to identify live hosts using covert channels.
Port Scanning: Your organization may have unnecessary ports open, and one extra open port is just another window for an intrusion attempt. Based on identification of open ports, the Global Ghost Team™ moves on to recognize the services associated with these ports.
Vulnerability Scanning: Our team uses automated scans (using tools such as “Nessus”) as well as manual scans and uncovers vulnerabilities of your systems. The team proceeds with banner grabbing and OS fingerprinting to target specific vulnerabilities. For example, MS08-067 is a well-known and frequently exploited vulnerability on an un-patched Windows XP box.
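From the defender's side, the ICMP sweeps and port scans described above leave a recognizable footprint in perimeter firewall logs: one source touching many distinct ports on a host, or many distinct hosts, within a short window. The following Python is an added example (not Mitnick Security's tooling) that flags both patterns; the log format, addresses and thresholds are constructed for the illustration.

```python
"""Spot scan footprints in firewall logs (added example; constructed log format)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <action> <src_ip> -> <dst_ip>:<dst_port|icmp>".
# 203.0.113.7 probes eight ports on one host, then pings three more hosts;
# 192.0.2.50 is ordinary web traffic that must not be flagged.
SAMPLE_LOG = """\
2024-05-01T10:00:01 DENY 203.0.113.7 -> 198.51.100.10:21
2024-05-01T10:00:01 DENY 203.0.113.7 -> 198.51.100.10:22
2024-05-01T10:00:02 DENY 203.0.113.7 -> 198.51.100.10:23
2024-05-01T10:00:02 ALLOW 203.0.113.7 -> 198.51.100.10:80
2024-05-01T10:00:03 DENY 203.0.113.7 -> 198.51.100.10:135
2024-05-01T10:00:03 DENY 203.0.113.7 -> 198.51.100.10:139
2024-05-01T10:00:04 DENY 203.0.113.7 -> 198.51.100.10:445
2024-05-01T10:00:04 DENY 203.0.113.7 -> 198.51.100.10:3389
2024-05-01T10:00:08 DENY 203.0.113.7 -> 198.51.100.11:icmp
2024-05-01T10:00:08 DENY 203.0.113.7 -> 198.51.100.12:icmp
2024-05-01T10:00:09 DENY 203.0.113.7 -> 198.51.100.13:icmp
2024-05-01T10:00:05 ALLOW 192.0.2.50 -> 198.51.100.10:443
2024-05-01T10:00:06 ALLOW 192.0.2.50 -> 198.51.100.10:443
2024-05-01T10:00:07 ALLOW 192.0.2.50 -> 198.51.100.10:80
2024-05-01T10:05:00 DENY 203.0.113.7 -> 198.51.100.10:8080
"""


def parse_log(text):
    """Return (timestamp, action, src, dst, port) tuples; the port stays a string
    so ICMP entries ride along with TCP/UDP ones."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, src, _arrow, endpoint = line.split()
        dst, port = endpoint.rsplit(":", 1)
        events.append((datetime.fromisoformat(ts), action, src, dst, port))
    return events


def max_distinct_in_window(items, window):
    """items: (timestamp, key) pairs. Largest number of distinct keys that fall
    inside any span of length `window` (sorted two-pointer sweep)."""
    items = sorted(items)
    in_window = defaultdict(int)   # key -> occurrences inside the current window
    left = best = 0
    for ts, key in items:
        in_window[key] += 1
        while items[left][0] < ts - window:   # expire entries older than the window
            old = items[left][1]
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            left += 1
        best = max(best, len(in_window))
    return best


def detect_port_scans(events, window=timedelta(seconds=60), threshold=6):
    """Vertical scan: one source touching many distinct ports on one host.
    Returns {(src, dst): distinct_ports} for pairs at or over the threshold."""
    by_pair = defaultdict(list)
    for ts, _action, src, dst, port in events:
        by_pair[(src, dst)].append((ts, port))
    return {pair: n for pair, items in by_pair.items()
            if (n := max_distinct_in_window(items, window)) >= threshold}


def detect_host_sweeps(events, window=timedelta(seconds=60), threshold=4):
    """Horizontal sweep (ping-sweep footprint): one source touching many hosts.
    Returns {src: distinct_hosts} for sources at or over the threshold."""
    by_src = defaultdict(list)
    for ts, _action, src, dst, _port in events:
        by_src[src].append((ts, dst))
    return {src: n for src, items in by_src.items()
            if (n := max_distinct_in_window(items, window)) >= threshold}


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    for (src, dst), n in detect_port_scans(EVENTS).items():
        print(f"port scan: {src} -> {dst}, {n} distinct ports within 60s")
    for src, n in detect_host_sweeps(EVENTS).items():
        print(f"host sweep: {src} touched {n} hosts within 60s")
```

The sliding window matters: the same source's single hit five minutes later is not counted, so slow, spread-out probing needs a longer window or a lower threshold.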
The Global Ghost Team™ carries out enumeration after scanning. Enumeration includes a variety of techniques to collect and compile a list of your usernames, machine names, network devices, network shares, and so on. This is not a passive activity; active querying of your systems is required to gain this intelligence.
NetBIOS Enumeration: Your systems may have a NetBIOS null session enabled, allowing people to connect without using a username or password. NetBIOS gives important information (such as NetBIOS machine names) and helps us to know the location of the machine within the network (e.g., ACCOUNTsPC-23525) or the user of the machine (e.g., JohnMonroePC-42).
LDAP Enumeration: The Lightweight Directory Access Protocol allows hackers to gain unauthorized access to sensitive information. Several security weaknesses have been reported in LDAP implementations, and testing them all would help you avoid confidential information leakage.
SNMP Enumeration: Your network devices such as routers and switches contain SNMP agents to manage the device. The SNMP management station is used to send a request that elicits relevant responses from the agent. Leaving default SNMP community strings unchanged allows unauthorized access to the SNMP configuration file, and our team will eventually control/own your network device.
DNS enumeration is used to locate all DNS servers relating to your organization and the corresponding records. A DNS redirection leads visitors of your website to a different server altogether.
Sniffing techniques allow an attacker to eavesdrop on packets passing through your network. That means any unencrypted channel will be susceptible to information leakage. Man-in-the-Middle attacks are deployed to gather data packets coming to and from your network. During these attacks, the intruder positions himself or herself between your network and the destination address. Your communication passes through the intruder, leading to information leakage.
Social Engineering Attacks
All technical defenses amount to nothing if your organization’s employees are unaware of social engineering attacks. Despite the existence of proper organizational security policies, humans (users) are the weakest link in the chain of security. Kevin Mitnick’s method of social engineering is the leading standard for the security industry; in fact, he actually helped coin the term. Any discussion of social engineering is incomplete without reference to his groundbreaking and bestselling work, The Art of Deception: Controlling the Human Element of Security, which is required reading by many organizations. Mitnick Security uses a proprietary blend of information reconnaissance, technology, and social engineers who use Kevin’s methodologies for phone, web, e-mail, social media, and onsite testing. Some of Mitnick Security’s social engineering techniques are publicly known, but many are not.
Testing Password Services
This is always an important part of the engagement, as an attack on passwords and a subsequent password compromise leads to direct access to your confidential information and protected resources. The Global Ghost Team™ performs extensive, exhaustive tests under this category, including intelligent password guessing, dictionary attacks, brute force attacks, and hybrid attacks.
Intelligent Password Guessing: Personal information about a user is leveraged to generate likely passwords for that user account. These passwords are tried against the system.
Dictionary Attacks: Simple passwords are often a single word that can be located in a dictionary. In this test, our team tries every dictionary string as a potential password until one succeeds or the end of the dictionary is reached.
Brute Force Attacks: Brute force attacks are exhaustive attacks that try every possible “answer” to the problem. For password cracking, all possible combinations of the available characters are tried as passwords, using high-speed processing power and parallel attempts. We use high-performance graphics processing units (GPUs) that have multiple cores and are highly effective in brute force attacks.
Hybrid Attacks: Simply put, these are a combination of a dictionary attack and a brute force attack. Words found in the dictionary are combined with numbers or special characters to generate potential passwords.
Denial of Service Attacks (Stress Testing)
There is only so much processing your systems and network(s) may handle at any given time. Under extreme stress (load), your system (or network link) may fail, leading to a denial of service (DoS), where your customers (authentic users) of your system are denied service while the system is busy responding to bogus traffic.
An important note about DoS as part of testing: We understand that you may be concerned about simulation of DoS attacks on live production systems. In such a case, stress testing would be simulated on a similar system instead of your production system and may also be avoided altogether.
Session Hijacking and MITM Attacks
An attacker does not need to crack the password to your account if he or she can hijack the session of an authenticated user. Testing the entropy (randomness) of the session ID is therefore extremely important: a session ID with too little entropy can be guessed or predicted, giving an attacker a valid session without any credentials.
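The entropy test described above is something a development team can run on its own session-ID generator before an engagement. As an added example (not code from the original page or from Mitnick Security), the Python below applies a per-position Shannon entropy estimate, the idea behind sequencer-style tools, to a sample of issued IDs. It compares a constructed, deliberately weak counter-based generator with Python's `secrets` module; the 64-bit bar is the minimum OWASP's session management guidance recommends.

```python
"""Estimate how much entropy a session-ID generator actually delivers.

Added example, not code from the original page. It applies a per-position Shannon
entropy estimate to a sample of IDs, comparing a constructed, deliberately weak
counter-based generator with Python's secrets module.
"""
import math
import secrets
from collections import Counter


def per_position_entropy(ids):
    """Shannon entropy in bits of the symbol observed at each position across the sample."""
    if not ids:
        return []
    n = len(ids)
    length = min(len(s) for s in ids)      # compare only positions every ID has
    result = []
    for pos in range(length):
        counts = Counter(s[pos] for s in ids)
        result.append(-sum((c / n) * math.log2(c / n) for c in counts.values()))
    return result


def estimated_bits(ids):
    """Estimate of the generator's entropy: the sum of per-position entropies."""
    return sum(per_position_entropy(ids))


def weak_ids(n, start=0x5A3F1C00):
    """Constructed weak generator: a zero-padded hex counter. Looks random, is not."""
    return [f"{start + i:016x}" for i in range(n)]


def strong_ids(n):
    """CSPRNG-backed generator: 32 random bytes, base64url-encoded (43 characters)."""
    return [secrets.token_urlsafe(32) for _ in range(n)]


def assess(ids, min_bits=64):
    """Flag a sample whose estimated entropy is below the bar (64 bits per OWASP guidance)."""
    bits = estimated_bits(ids)
    return {"estimated_bits": round(bits, 1), "acceptable": bits >= min_bits}


if __name__ == "__main__":
    print("weak  :", assess(weak_ids(2000)))
    print("strong:", assess(strong_ids(2000)))
```

Two thousand counter-based IDs score around 12 bits because only the last few hex digits ever change, while the `secrets` sample scores close to 43 × 6 bits. The caveat: per-position entropy is a necessary check, not a sufficient one. An MD5 of a counter would score full marks yet be completely predictable, so complement this with sequence and correlation tests, and generate session IDs from a CSPRNG in the first place.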
Web Server Misconfiguration Attacks
If you have left defaults unchanged in your server configuration files, there are various security holes that may be targeted by an external attacker. For example, a common issue with the default website of Microsoft’s IIS (Internet Information Services, Microsoft’s web server) is that all users in the “Everyone” group have full control of all the files in the default website directory. The Global Ghost Team™ tests your web applications for the vulnerabilities outlined by OWASP, an open and popular online community that focuses on web application security and whose efforts Mitnick Security appreciates. Your web server faces the Internet and is the most targeted host. Our team performs an exhaustive search for vulnerabilities on your web server to discover all its weaknesses.
Wireless Penetration Testing
Wireless networks are deployed in your organization to facilitate mobility. It is not possible to restrict wireless packets and beacons to your organization’s perimeter, which opens up new possibilities for an attacker hunting for weak wireless networks (aka “war-driving”). Wireless attacks include deploying rogue access points, cracking weak encryption, dictionary attacks on WPA handshakes, wireless traffic sniffing, and attacking access points that still use default credentials.
Deploying Rogue Access Points: These are set up by the team in the vicinity of your organization with the same service set identifier (SSID, the public name of your wireless network) as that used by your organization (aka “evil twin attack”). This causes employees to connect to the rogue access point, after which the team initiates further system attacks.
Cracking Weak Encryption: Older protocols such as Wired Equivalent Privacy (WEP), once used to secure wireless networks, have known encryption weaknesses (hash collision) that the Global Ghost Team™ exploits to gain unauthorized access to a wireless network.
Dictionary Attacks on Wi-Fi Protected Access (WPA) Handshakes: Your organization is probably using WPA/WPA2 to secure its wireless networks. Our team performs a dictionary attack on the captured WPA/WPA2 four-way handshake. A poor password used to secure the wireless local area network (WLAN) is found in the dictionary deployed by the attacker, leading to a wireless security breach.
Wireless Traffic Sniffing: Wireless packet sniffing is used to locate any confidential information leaks. This test checks whether confidential data can leak via wireless channels.
Attacking Access Points with Default Authentication: Once the Global Ghost Team™ gains access to a WLAN, we gain control of the access point or wireless router if default credentials have been left unchanged (e.g., Netgear wireless routers have the default “username:admin” and “password:password”).
Evading Defenses such as Intrusion Detection Systems (IDS), Honeynets, and Firewalls
Your organization has a variety of network defenses in place, and these will be tested for effectiveness. The Global Ghost Team™ deploys techniques to bypass your network security devices. For example, the following techniques are used for IDS evasion: Blinding the sensor, Packet Encryption, Denial of Service, Deploying newer attacks against an outdated signature file, Targeting Buffer Overflows, and Privilege Escalation.
During the test, several other weaknesses are uncovered such as IDS Analyst limitations, successful manipulation of the IDS database, and unauthorized backdoor connections into the network.
Internal Network Penetration Testing
Internal Network Penetration Testing Shows You the “Inside Job”
Internal network penetration testing simulates attacks on the systems or network(s) from within the organization. Our Global Ghost Team™ assumes the role of a malicious insider with a certain level of legitimate access to the internal network. Attacks are carried out from within the internal corporate network, and our Global Ghost Team™ simulates the threats posed by a rogue employee, a malware infestation, casual internal hackers, and dedicated thieves who have penetrated your physical or corporate security and are now hacking you “from the inside,” trying to reach specific valuable information or resources your company possesses.
Protect Yourself from the Inside Out
The benefit of internal penetration testing is protection for your organization against internal threats, as an attacker on the inside can cause extensive damage and generate tremendous losses. The traditional security mindset concentrated defenses on protecting the network perimeter from outside attacks; beyond internal network logins with passwords, in many cases that is as far as it went. This is a critical mistake, for even the most dedicated and knowledgeable black hat hacker on the outside cannot match the level of damage a trusted insider can cause. A malicious insider (such as a disgruntled employee) is considered a major threat to security. Insiders have detailed knowledge of your systems and networks, and they have a level of legitimate internal access. Not only do they know the weaknesses in your current security implementation, they also know what your defenses are and how they can be evaded. Internal network penetration testing is essential for understanding what inside attackers can accomplish: how they can misuse, alter, or destroy sensitive information, or set up false transactions or siphons to steal funds continually.
Mitnick’s Approach to Internal Network Penetration Testing
Using tools such as “nmap” that send packets for network exploration, our Global Ghost Team™ understands the structure of your internal network and creates a network map that aids in the identification of potential targets.
Once the team knows a target system to be alive (powered on), we determine the ports that are open on this host. Note that without a host-based IDS or firewall, it is easy to identify the open ports on a host from within the network.
Our Global Ghost Team™ determines the operating system (OS) the host is running on. This allows us to narrow down the attack vectors, as each OS has a specific set of weaknesses. This allows us to craft special vulnerability-specific exploits that target weaknesses of that specific OS.
When we identify a service running on a system, we are able to determine potential weaknesses associated with that service.
Once we have gathered information about the OS, services, and ports, the Global Ghost Team™ performs manual and automated scans to identify the vulnerabilities present in your system. This tells us whether an OS or service is still exposed to a weakness commonly associated with it, or whether it has been patched.
The team exploits a vulnerability using existing exploit code (openly available on one of the exploit databases) or performs exploit research to craft an exploit specifically to compromise your vulnerable machine.
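The first steps of the internal procedure above (network mapping, then open-port discovery on live hosts) are what a blue team should expect to see in its own connection logs, whether from an engagement or from a real intruder. As an added example (not code from the original page or from Mitnick Security), the Python below runs a simple sliding-window detector over constructed connection records, flagging vertical scans (one source, many ports on one host) and horizontal sweeps (one source, one port across many hosts). The record format, thresholds and addresses are all constructed for the illustration.

```python
"""Detect internal port scans (vertical and horizontal) in connection-log records.

Added example, not code from the original page. The log format is constructed for
illustration and is not the output of any particular firewall or sensor. Each record
is: epoch_seconds src_ip dst_ip dst_port (TCP connection attempts, one per line).
"""
from collections import defaultdict

WINDOW_SECONDS = 10          # look-back window per source (assumed threshold)
VERTICAL_THRESHOLD = 15      # distinct ports on one destination within the window
HORIZONTAL_THRESHOLD = 15    # distinct destinations on one port within the window


def build_sample_log():
    """Constructed sample: normal client traffic, one vertical scanner, one horizontal sweep."""
    lines = []
    t = 1_700_000_000
    # Normal client: a handful of connections to expected services, minutes apart
    for i, port in enumerate((445, 389, 88, 53, 443)):
        lines.append(f"{t + i * 60} 10.0.5.40 10.0.1.10 {port}")
    # Vertical scan: one host probing 25 ports on the same server within 3 seconds
    for i, port in enumerate(range(20, 45)):
        lines.append(f"{t + 120 + i * 0.1:.1f} 10.0.5.23 10.0.1.10 {port}")
    # Horizontal sweep: one host probing SMB (445) on 30 neighbours within 6 seconds
    for i in range(30):
        lines.append(f"{t + 300 + i * 0.2:.1f} 10.0.5.77 10.0.2.{i + 1} 445")
    return lines


def detect_scans(lines, window=WINDOW_SECONDS,
                 vth=VERTICAL_THRESHOLD, hth=HORIZONTAL_THRESHOLD):
    """Return one alert per (kind, source, target) with the largest distinct count seen."""
    events = defaultdict(list)                       # src -> [(ts, dst, port), ...]
    for line in lines:
        ts, src, dst, port = line.split()
        events[src].append((float(ts), dst, int(port)))

    alerts = {}                                      # (kind, src, target) -> max count
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # advance the window start until it fits inside `window` seconds
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports_per_dst = defaultdict(set)
            dsts_per_port = defaultdict(set)
            for _, dst, port in evs[start:end + 1]:
                ports_per_dst[dst].add(port)
                dsts_per_port[port].add(dst)
            for dst, ports in ports_per_dst.items():
                if len(ports) >= vth:
                    key = ("vertical", src, dst)
                    alerts[key] = max(alerts.get(key, 0), len(ports))
            for port, dsts in dsts_per_port.items():
                if len(dsts) >= hth:
                    key = ("horizontal", src, str(port))
                    alerts[key] = max(alerts.get(key, 0), len(dsts))

    return [{"kind": k, "src": s, "target": t, "count": c}
            for (k, s, t), c in sorted(alerts.items())]


if __name__ == "__main__":
    for alert in detect_scans(build_sample_log()):
        print(alert)
```

The window is recomputed from scratch on every event, which is fine for a demonstration and for per-host log volumes but is quadratic in the worst case; a production detector would keep running per-window counters. Tune the thresholds against your own baseline: vulnerability scanners, monitoring systems and domain controllers legitimately touch many ports and hosts and belong on an allow-list rather than in the alert queue.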
Configuration Weakness Testing
Your network devices or systems may not be properly configured (since default “out-of-the-box” configurations are usually not secure), leaving security holes. The Global Ghost Team™ identifies such devices, their configurations, and related implications. After securing access to your vulnerable systems, we elevate privileges, that is, we leverage each limited set of privileges to get to the next subsequent set of higher privileges.
Your internal users have a specific level of access to your systems. The Global Ghost Team™ seeks to understand whether it is possible to exploit the existing set of privileges to secure unauthorized access.
Password Strength Testing
This is always an important part of the engagement, as an attack on passwords and a subsequent password compromise leads to direct access to your confidential information or protected resources. The Global Ghost Team™ performs extensive and exhaustive tests under this category, including intelligent password guessing, dictionary attacks, brute force attacks, and hybrid attacks.
Intelligent Password Guessing: Personal information about a user is leveraged to generate likely passwords for that user account. These passwords are tried against the system.
Dictionary Attacks: Simple passwords are often a single word that can be found in a dictionary. In this test, our team tries every dictionary string as a potential password until one succeeds or the end of the dictionary is reached.
Brute Force Attacks: These are exhaustive attacks that try every possible “answer” to the problem. For password cracking, all possible combinations of characters are tried as passwords, using high-speed processing power and parallel attempts. We use high-performance graphics processing units (GPUs) that have multiple cores and are highly effective in brute force attacks.
Hybrid Attacks: Simply put, these are a combination of dictionary attacks and brute force attacks. Words found in the dictionary are combined with numbers or special characters to generate potential passwords.
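The four guessing strategies listed here, and in the external password-testing section earlier on the page, map directly onto checks a defender can apply before a password is accepted at all. As an added example (not code from the original page or from Mitnick Security), the Python below rejects candidates that each strategy would reach quickly: personal-information matches, exact or leetspeak-disguised dictionary words, hybrid forms (dictionary word plus digits or symbols), and lengths short enough for brute force. The wordlist, the user profile and the 12-character minimum are constructed assumptions for the illustration.

```python
"""Flag passwords that common guessing strategies would find quickly.

Added example, not code from the original page. A pre-acceptance policy check that
mirrors the four attack categories (personal information, dictionary, brute force,
hybrid) from the defender's side. The wordlist and profile are constructed.
"""
import string

# Constructed mini wordlist; a real deployment would load a breached/common-password list.
WORDLIST = {"password", "summer", "welcome", "dragon", "monkey", "letmein", "qwerty", "football"}

# Common character substitutions, undone before the dictionary comparison.
LEET = str.maketrans("@$0134", "asoiea")
EDGE_CHARS = string.digits + string.punctuation
MIN_LENGTH = 12            # assumed policy minimum; below this brute force is cheap


def weakness_reasons(password, user_info, wordlist=WORDLIST):
    """Return the reasons a password is weak; an empty list means it passed every check."""
    reasons = []
    low = password.lower()
    unleet = low.translate(LEET)

    # Brute force reach: short passwords fall to exhaustive search
    if len(password) < MIN_LENGTH:
        reasons.append(f"brute force: shorter than {MIN_LENGTH} characters")

    # Personal information: any profile value (3+ characters) appearing in the password
    for field, value in user_info.items():
        value = str(value).lower()
        if len(value) >= 3 and value in low:
            reasons.append(f"personal information: contains {field} '{value}'")

    # Dictionary word, exact or with leetspeak substitutions undone
    if low in wordlist:
        reasons.append("dictionary: exact dictionary word")
    elif unleet in wordlist:
        reasons.append("dictionary: dictionary word with character substitutions")
    else:
        # Hybrid: dictionary word padded with digits or symbols at either end
        for variant in (low, unleet):
            core = variant.strip(EDGE_CHARS)
            if core != variant and core in wordlist:
                reasons.append("hybrid: dictionary word plus digits or symbols")
                break
    return reasons


def acceptable(password, user_info, wordlist=WORDLIST):
    """True when no guessing strategy above would find the password quickly."""
    return not weakness_reasons(password, user_info, wordlist)


# Constructed user profile for the demonstration (fictional)
SAMPLE_USER = {"first_name": "John", "last_name": "Monroe",
               "username": "jmonroe", "birth_year": 1985}


if __name__ == "__main__":
    for candidate in ("Password1!", "P@ssw0rd", "john1985", "summer", "xK9#vLq2$mWz7"):
        print(f"{candidate!r}: {weakness_reasons(candidate, SAMPLE_USER) or 'ok'}")
```

The hybrid check only strips padding at the ends of the password; a real policy engine would also try the rules a cracking tool applies (case toggles, appended years, word pairs), and would back the wordlist with a breached-password corpus of millions of entries rather than eight words. Everything the check needs (name, username, birth year) is data the organization already holds, which is exactly why a tester's intelligent guessing works.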
Database Security Testing
Databases store a variety of sensitive information (e.g., confidential customer personal or financial information) and should be tested for security weaknesses against all internal users. Since databases often also contain password hashes (a hash is a one-way function that takes the plaintext password as input) and customer details, they are of special interest to internal attackers. Our team extensively checks database security controls for potential weaknesses such as poor database passwords, incorrect database configurations, improper access control, and so on.
Your employee may unknowingly bring malware, installed on his or her personal portable device or workstation, into your organization’s internal network. This malware now attempts to spread or collect information from within your internal network, and it sends this information to a predetermined location using your Internet connection. The Global Ghost Team™ conducts extensive malware scans to identify such internal and existing threats. We also test the employee’s devices for susceptibility to malware infestation.
After discussing your specific goals, Intranet testing will be performed by the Global Ghost Team™ under varying degrees of disclosure of network information by you, with or without network accounts and credentials.
Physical Penetration Testing
Understanding Your Security Requires Physical Penetration Testing
Physical penetration testing determines the vulnerabilities present in your organization’s physical security controls by simulating attacks of real-world intruders. You will learn whether intruders can break into your buildings or data centers or be able to access your internal network through company workstations. This type of testing offers you a thorough analysis of all your weak points by actually exploiting them and providing you “proof-of-concept.” It will list all of the vulnerabilities in your existing physical security with details of how we were able to take advantage of them.
It is well known that once an intruder has “inside access” to your systems and network(s), the level of damage and theft is exponential in nature. All your cybersecurity defenses, such as firewalls or intrusion detection systems, amount to nothing if an intruder can simply walk inside and, for example, plug in a USB stick and compromise your entire network. Therefore, physical security needs to be taken very seriously, but often it is lax and overlooked, which provides easy access to intruders. Attackers who steal, aka “thieves,” do not just rely on digital means to steal your information. Increasingly, physical penetration goes hand-in-hand with digital theft, as attacking your systems from the inside makes things a whole lot easier.
Physical Penetration Testing Shows You the Real Threats against All Access Points
After physical penetration testing, you will learn the real threats to your organization’s physical security. You will realize the possibility of an intruder entering a secure facility or restricted area. You will also know if it is possible for a trusted insider or an intruder to steal a protected asset from your organization. You will know how these threats will affect your assets and the extent of potential damage and loss. You will also know the probability of these threats materializing. We will identify for you the “good” and “poor” physical security practices followed in your organization. You will also understand the latest, most sophisticated attacks of today used against the most common vulnerabilities you may possess. The results will include a detailed explanation of all successfully exploited vulnerabilities. We will show how our team gained access to secure areas or protected physical resources. With the extensive information provided, you will have the decision metrics to decide on which actions should be taken, and in what order, toward remediation of current physical security flaws within your organization. Normally, Mitnick Security is asked to provide actual solutions on how to HARDEN physical security against potential intruders for your consideration for implementation.
From an executive’s point of view, this testing will allow you to see if your security policies are actually being implemented and followed. You will know whether your organization’s security staff grasps the “bigger picture” of security during operations. Physical penetration testing is more than just a means of ensuring compliance with international security standards; this testing should be conducted in your organization’s highly valued facilities at least once every year, because it matters.
Important Note for Work in Hazardous Environments
Some of our physical penetration testing occurs in hazardous environments (e.g., power, chemical, or biological installations). In case of hazardous environments, we are extremely careful not to take any actions that may cause harm to the environment, employees, or ourselves. We will follow all organizational guidelines and industrial safety practices.
Mitnick’s Advanced Infiltration Approach for Physical Penetration Testing
Mitnick Security’s physical penetration testing follows professional practices and proven methodologies, advanced and adapted through years of experience. This includes concentration in the following six phases: Planning Phase, Intelligence-Gathering Phase, Coordination Phase, Execution Phase, Analysis Phase, and Reporting Phase.
Due to the nature of this assessment, the targets, scope, and “rules of engagement” are thoroughly laid out. Safety is, first and foremost, the most important rule. We establish goals to be pursued while testing your physical security infrastructure.
One goal is to gain unauthorized access to a secured area or to retrieve a protected (dummy or real) asset, defying any physical security restrictions your organization has in place. A dummy “agreed upon” object can be retrieved as part of the physical penetration test because we understand your concern against retrieving an actual protected production asset.
A different type of goal can be established to test your facility to see if it is possible to “leave” objects (representing threats such as recording systems or even bombs) in restricted areas.
With either goal, we test not only the possibility of reaching the object inside the secure facility, but also of exiting your organization undetected, and possibly of monitoring the object left behind.
A contact person within the organization is assigned to assist the Global Ghost Team™ in case an alarm is raised or your security personnel take action against the intrusion attempt. This is done to avoid unnecessary complications with your staff, bystanders, or even local law enforcement while the Global Ghost Team™ carries out the physical penetration testing. To date, because of proper planning in this area, Mitnick Security has not experienced any staff or public relations issues.
This is the reconnaissance phase. During this phase, the Global Ghost Team™ observes the target facility for the purpose of intelligence gathering, using two approaches.
Remote Intelligence Gathering: The Global Ghost Team™ does not come in direct contact with the site. The team gathers relevant intelligence about the target by searching public records and using satellite imagery.
Onsite Intelligence Gathering: The Global Ghost Team™ scouts the site’s outer perimeter (our team is “invisible” during this recon) and takes note of the physical security procedures and practices being followed.
After scouting the area, our team proposes certain attack scenarios to the “coordinator” from your organization. The coordinator agrees that proposed attack scenarios are within the scope and agreed-upon rules of engagement. This is to seek your explicit approval on the proposed attack scenarios and procedures before proceeding with the physical penetration testing. This is done to ensure we do not inadvertently cause any disruptions to your business or assets during the testing process. Our team then begins with the execution of the attack scenarios.
During this phase, the Global Ghost Team™ hunts for vulnerabilities in physical security throughout your organization and its environment that would allow us to access restricted areas or retrieve a protected object.
Our team performs a thorough inspection of the surroundings to locate any weaknesses. This scan includes exploiting landscaping to get in undetected, dumpster diving, exploiting weak building security during non-work hours, exploiting ignorance of a clean desk policy, exploiting improper lighting over entrances, exploiting accessible and insecure doors and windows, and so on. These are only some of the activities our team performs during environmental scanning.
Evading Monitoring Systems
The Global Ghost Team™ evades monitoring systems such as closed-circuit television (CCTV) to get in undetected. This includes exploiting exposed video cables to interfere with video feed, blocking camera view, penetrating sensitive locations with inadequate surveillance cover, and so on. During this test, the Global Ghost Team™ determines how effective your monitoring systems are and how they should be improved.
Exploiting Vulnerabilities in Electronic Access Control Systems
The team determines vulnerabilities in the electronic access control systems and then proceeds to exploit the same. This includes activities such as exploiting known weaknesses in products of certain access control system vendors, exploiting systems that are not on uninterrupted power supply (UPS) in the event of a power loss (lack of failsafe security), exploiting sensitive areas that rely on single factor authentication, taking advantage of improper card termination procedures, and so on. During this phase, we also conduct specialized testing using special state-of-the-art penetration testing devices. For example, in case your organization relies on using electronic ID access cards (the most commonly used brand name is HID Cards), we make use of wireless remote electronic card readers able to read the cards carried by your staff (even in their wallets!), just by being within a couple of feet of them. Then a “card-cloner” device is used to create a duplicate card and access secured physical areas, which allows us to explore new vulnerabilities behind seemingly locked doors.
Exploiting Locks and Keys
The Global Ghost Team™ inspects the manual locks and keys used within your organization for security weaknesses, including activities such as exploiting the lack of commercial-grade security lock cylinders, recovering master keys kept in insecure storage, exploiting key return procedures, or simply “lockpicking,” among others.
Once the Global Ghost Team™ has discovered and exploited vulnerabilities in your physical security, it will begin with an in-depth analysis. The team will determine how these exploitations threaten your assets and the associated impact on your organization. This analysis is done to provide you a clear picture about which vulnerabilities exist in your physical security and how they can be exploited.
The Global Ghost Team™ prepares a thorough report that contains a prioritized list of all the vulnerabilities discovered in your physical security. It gives you information about our failed and successful attempts at intruding into physical areas in your facilities. It also gives you proof-of-concept material (e.g., the retrieved dummy object) to corroborate successful exploitation. Our team gives you independent, informed advice on improving the level of physical security in your organization. The report contains remediation measures that should be used to HARDEN your physical security against potential intruders. It also recognizes the important role played by your personnel in physical security and tells you which employees to TRAIN for the purpose of improving physical security.
Wireless penetration testing identifies and exploits security vulnerabilities in your wireless environment. It is meant to improve your network’s wireless security posture. It carries out extensive security testing over the wireless devices and protocols detected in your organization, records the presence of vulnerabilities, and informs you of the threats they pose to your network by active exploitation. It draws you a practical picture of what will happen if a real attacker exploits these vulnerabilities. During wireless penetration testing, the Global Ghost Team™ also offers corresponding remediation steps you should take to enhance wireless security.
The Many Benefits of Wireless Penetration Testing
Wireless penetration testing provides details of weaknesses in the current wireless network implementation in your organization and how it could be exploited by attackers. Wireless penetration testing will help you mitigate threats to your wireless networks and clients. You cannot plug holes you are not aware of; therefore, wireless penetration testing is meant to discover security holes in your wireless environment. During wireless penetration testing, the Global Ghost Team™ goes ahead and actually exploits detected weaknesses. This is to provide you a complete picture of what the actual wireless attack on your network will accomplish. Wireless devices are not inherently safe out of the box. Hence, wireless penetration testing will discover wireless configuration flaws in your network. Unlike other assets that lie within your organization, wireless data packets cannot be restricted within your organization’s perimeter. This means that anyone within the vicinity is able to eavesdrop on the wireless traffic flowing across your organization.
Wireless penetration testing will help you ensure such eavesdropping (and other active attacks on your wireless networks) does not lead to security compromises. You will receive a well-researched list of vulnerabilities that exist in your wireless devices, wireless clients, and access points. Tools for wireless hacking are now full-blown “suites” that are easy to use (point and click). Therefore, these are used not just by elite focused hackers but also by “script kiddie” hackers who are not as skilled. If your organization is a high-value target, attackers will try to penetrate your wireless networks, as they are the most exposed. Wireless security experts within our team will simulate these attacks before they actually occur and provide you with relevant solutions that will HARDEN your wireless security. This will help you mitigate security risks in your wireless environment.
Mitnick’s Extensive Approach
Mitnick Security’s Global Ghost Team™ consists of experts who perform wireless penetration testing for standard wireless networks as well as specialized wireless solutions. Our team performs thorough wireless penetration testing for your network using proven methodology. It includes Wireless Traffic Sniffing, Cracking Weak Encryption, Dictionary attacks on WPA handshakes, Attacking Access Points with Default Authentication, Exploiting Hidden SSIDs, Exploiting MAC filtering, Deploying Rogue Access points and Wireless Client Exploitation.
Wireless Traffic Sniffing
Wireless packet sniffing is used to locate any confidential information leaks. This test exploits the possibility of existing confidential data leaks via wireless channels. If sensitive applications within your organization are using unencrypted channels over wireless networks, then this will lead to information disclosure. We will identify (and exploit) such applications (or users) within your environment that are using unencrypted channels for transferring sensitive information over wireless mediums.
Cracking Weak Encryption
Older encryption protocols (such as Wired Equivalent Privacy or WEP) have known encryption weaknesses such as “hash collisions.” A hash is a one-way function that takes a bit sequence as input. For security purposes, it is desirable that each unique message creates a unique hash value. However, a hash collision occurs when two different messages generate the same hash value. This leads to a severe security weakness in the WEP standard, which the Global Ghost Team™ exploits to gain access to the wireless network.
Dictionary Attacks on WPA Handshakes
Your organization is probably using WPA/WPA2 for the purpose of wireless security. A WPA four-way handshake is used to establish authentication and association between the client machines and the wireless access point in your organization. Using wireless sniffing techniques (with tools such as Aircrack-ng or Wireshark), it is possible to capture this “airborne” WPA four-way handshake. This handshake is susceptible to offline dictionary attacks. Our team performs a dictionary attack on the captured WPA/WPA2 four-way handshake. A poor password used to secure your WLAN is found in the dictionary deployed by the attacker, leading to a wireless security breach.
Attacking Access Points with Default Authentication
Once the Global Ghost Team™ gains access to your WLAN, we gain control of the access point or wireless router if your network administrators have left the default credentials unchanged (e.g., Netgear wireless routers have the default “username:admin” and “password:password”). This administrative access to your wireless router enables us to construct further attacks by manipulating the configuration parameters of your access points.
Exploiting Hidden SSIDs
Your organization may be “hiding” the SSID to ensure wireless security (if it can’t be seen; it can’t be attacked). However, these hidden SSIDs are easy to discover using tools such as Aircrack-ng and offer no protection to your wireless network. The Global Ghost Team™ will hunt for such practices within your wireless environment that depend on ‘security by obscurity’ and exploit them.
Exploiting MAC Filtering
Your network administrators sometimes use Media Access Control (MAC) filtering techniques to allow only specific client devices to establish a connection with the access point (or to ‘disallow’ certain devices from associating). MAC addresses (hardware addresses) can be “spoofed” (altered). This allows our team to bypass MAC filtering and gain access to protected wireless resources.
Deploying Rogue Access Points
Rogue access points are set up by the Global Ghost Team™ in the vicinity of your organization with the same SSID used by your organization (evil twin attack). This causes employees to connect to the rogue access point, which brings their workstations or laptops within our network and allows us to penetrate a workstation inside your network. If the employee is connected to your wired local area network (LAN) at the same time, then we use his or her workstation or laptop as a “pivot point” to gain access to other systems on your wired LAN. This leads to severe security threats to your protected systems and resources within the internal network.
Once the Global Ghost Team™ has penetrated your wireless network, it unleashes a host of client exploitation modules (using frameworks such as Metasploit). Our team knows that most Windows clients cache a copy of the wireless WEP or WPA2 keys corresponding to the access points they have previously authenticated to (this is known as “Pairwise Master Key caching” or “PMK caching”). Once we successfully penetrate your wireless client, we pull out these cached keys (they are stored in plain text). These keys then allow access to a new WLAN.
Wireless networks are deployed in your organization to facilitate mobility. It is not possible to restrict wireless packets/beacons within your organization’s perimeter. This opens up new possibilities for the attacker hunting for weak wireless networks (war-driving). Wireless penetration testing is required to test your wireless environment and eliminate security vulnerabilities before an attacker takes advantage of them.
SCADA Penetration Testing
Mitnick’s Penetration Testing for Supervisory Control and Data Acquisition Systems
SCADA penetration testing is the simulation of real attacks against your organization’s Supervisory Control and Data Acquisition (SCADA) systems. Undergoing penetration testing allows you to minimize the risk to your critical infrastructure by discovering and getting rid of security vulnerabilities before actual intruders can exploit them. Mitnick Security’s Global Ghost Team™ tests your SCADA systems for weaknesses in architecture, signal manipulation, application security, and hardware. The engagement includes actual exploitation of the discovered vulnerabilities to gain control of your SCADA systems. At the end of the SCADA penetration testing, you receive a report that details the security vulnerabilities and threats to your SCADA systems. The SCADA penetration testing report will also tell you how to mitigate these security risks and HARDEN your SCADA systems against the most targeted threats.
The Benefits of Using a Highly Skilled SCADA Penetration Testing Team
Due to the criticality of your SCADA systems, it is imperative that they be analyzed for any weaknesses before actual intruders locate and exploit them. Highly skilled cyberattackers have been steadily increasing their focus and efforts towards your SCADA systems, as they are well aware of their importance. SCADA systems have become a known focus of cyber threats by hostile nations, as well as industrial espionage and financial crimes. The number of attack vectors for SCADA systems increases as newer products make your SCADA systems more modern and intuitive. These systems offer you increased functionality and involve inter-system communications, which leads to a greater risk of compromise. SCADA penetration testing ensures that your crucial industrial systems are well protected against these constantly emerging cyber threats.
SCADA penetration testing will reveal the level of risk your SCADA systems face today. Mitnick Security will provide you a detailed list of vulnerabilities discovered in your SCADA network. You will also receive actual proof-of-concept evidence of exploitation of these vulnerabilities in your network. A realistic picture will emerge of how resilient your existing SCADA systems are against attacks and malicious intent. Our team will also guide you on how you can HARDEN the security of your SCADA systems and mitigate vulnerabilities. SCADA systems control some of the most vital industrial systems (e.g., power, water, telecommunications, and transportation) in our society, so regular SCADA penetration testing, beyond just vulnerability assessments, is highly recommended. Constant SCADA penetration testing at regular intervals will keep you protected against even the most focused, skilled, and dedicated attackers.
The Extensive Expertise Shown in Our Approach to SCADA Penetration Testing
Mitnick Security’s Global Ghost Team™ includes a specialized group of experts well versed in the intricate details of the various SCADA infrastructures. They know these systems are critical, and they leave no mark. Your SCADA systems are accessed for testing purposes only, and special care is taken to ensure there are no disruptions to your routine business operations.
Our team uses a tested and documented approach towards penetrating your SCADA systems. Our team follows a highly flexible approach to testing, which adapts to the details of your SCADA infrastructure. This involves the following techniques: Network Communication Testing, Serial Communications Testing, Radio Frequency (RF) Communications Testing, TCP/IP-based Industrial Control Systems (ICS) Protocols Testing, ICS Device Technician Interface Testing, ICS Device Circuit Testing, ICS Device Electronics Testing, and Bus Snooping.
Network Communication Testing
The Global Ghost Team™ tests the network communication channels and network protocols used by your SCADA systems for security weaknesses. The team also tests the defenses (such as firewalls, IDS, DMZ, etc.) that you have in place and circumvents them.
Serial Communications Testing
RS-232 (the “RS” stands for Recommended Standard) and RS-485 are widely deployed as serial interfaces. One of the oldest serial interfaces is generically called RS-232. These interfaces are used to provide standardized logic levels from transmitters to receivers. Our Global Ghost Team™ hunts down security vulnerabilities relevant to the use of these serial interfaces. The team also tests your Modbus RTU (remote terminal unit). Modbus is used to connect your supervisory computer with the RTU in your SCADA system.
RF Communications Testing
The Global Ghost Team™ looks for vulnerabilities in RF communications between your master servers and field devices. The team analyzes your RF spectrum and extracts network traffic such as interactions between your master servers and field devices. The team demodulates signals using GNU Radio (GNU stands for “GNU’s Not Unix”; GNU is a free software, mass-collaboration project). Demodulating reveals the digital signal carrying data, which leads to communication disclosure. Our team takes note of all vulnerabilities discovered during these procedures.
TCP/IP-based ICS Protocols Testing
The industrial control system (ICS) protocols that are based on the standard Transmission Control Protocol/Internet Protocol (TCP/IP) communication model inherit its weaknesses. The Global Ghost Team™ observes the protocols deployed in your SCADA systems and takes note of the ones based on the TCP/IP stack. Any unknown protocol encountered is also tested for security weaknesses by using techniques such as reverse engineering. “Fuzz testing” is also performed over these protocols. During these fuzz tests, unknown, random, and nonsensical input is sent to the protocols and the behavior of the system is observed to locate security weaknesses.
ICS Device Technician Interface Testing
The SCADA technicians in your organization come in direct contact with your SCADA systems on a routine basis. The Global Ghost Team™ performs a functional analysis of the technician interface of your SCADA devices to check for security weaknesses that allow for privilege escalation. The team also intercepts USB communications to the technician interfaces. Impersonation attacks allow the team to act as endpoints in technician interface communications. Fuzz tests are also carried out on the technician interface to observe your SCADA system’s behavior in response to random inputs (received from the technician interface) and then locate security weaknesses based on your SCADA system’s response.
ICS Device Circuit Testing
The Global Ghost Team™ tests embedded circuits in field and floor devices. The team performs on-site attacks through physically “exposed” devices. For example, in the absence of proper physical security, our team is able to connect directly to the exposed device. As a result, data resting on the embedded circuits is dumped and analyzed.
ICS Device Electronics Testing
This includes disassembling the ICS devices followed by a detailed component analysis. The team studies the target components, along with their documentation, to locate security vulnerabilities that may be exploited. We carefully test the target components for design flaws that lead to security holes. The test involves direct component analysis, as well as indirect component analysis, using appropriate documentation.
Bus Snooping
A bus is a data connection between two or more devices. Bus snooping is used in shared memory systems for the purpose of cache coherence. The Global Ghost Team™ discovers security weaknesses by performing bus snooping on embedded circuits in the ICS field and floor devices.
From our testing, you will receive a report that identifies vulnerabilities in your SCADA infrastructure. It will elaborate on your resources that we exploited and which specific vulnerabilities were exploited as well. The report also includes ‘proof-of-concept’ material that will demonstrate the exploitation of your protected SCADA resources. It will include an analysis of our findings. It also details the steps you are required to take to HARDEN your SCADA security. The report is well documented. You will also receive log files from tools as supporting evidence of our findings. The report also mentions any positive security implementation encountered during the test. As the final step of the SCADA penetration testing, this report is handed over to the appropriate staff in your organization. We understand this report may have multiple audiences and hence it includes an executive summary of our findings.
Application Penetration Testing
Understanding Application Penetration Testing
Application penetration testing simulates real-world attacks on your applications to reveal security vulnerabilities in your applications’ design, development, implementation, and actual use. The goal is to reduce and eliminate security flaws before you are actually attacked by external intruders, or insiders with nefarious intentions. All software applications should be analyzed using penetration testing, including: web applications (Internet-facing applications), applications that run on internal networks, and the applications that run on end-user devices and remote systems. The Global Ghost Team™ tests for vulnerabilities in your proprietary commercial software products, custom management systems purchased from vendors, and mobile and web-based applications. The discovered vulnerabilities are actually exploited to mimic the actions of an attacker and the evolution of an attack. At the end of the application penetration testing, you receive extensive reporting that details the vulnerabilities discovered, exploitation specifics (which includes the steps we took to exploit the discovered vulnerabilities), and our recommended steps for mitigation.
Application Penetration is the Ultimate Step toward Knowing Your Level of Security
Application penetration testing is the ultimate, indispensable method for ensuring application security in the modern age of targeted cyber threats against software. Application penetration testing plays the critical role to HARDEN any application against potential attacks. Until a third party with no ties to the development or the business attacks it “full out,” like a thief going for it all or siphoning off a piece of everything, or a saboteur who just wants to bring you down entirely and “erase” you, in other words, until you undergo these mock attacks, you will never know how well (or if) you will survive a targeted attack.
Our expert software security specialists will uncover the security design flaws in your application. Application penetration testing will expose any security weakness that is the result of your application’s interaction with the rest of your IT infrastructure. You will be shown how our team exploited vulnerabilities to gain unauthorized access and violate security. You will also receive strategies and recommendations on the steps that you should take to mitigate these vulnerabilities.
One of the most important organizational goals you will achieve is security awareness regarding your software development. We consistently find that the well-earned confidence of your internal development team at making impressive software, with a great user experience, tends to lead to an overestimation of the development team’s (or an application’s) security capabilities. Software security is in itself a highly specialized field of study. After your application passes through our application penetration testing process, and the normal depth and breadth of security flaws are uncovered, your team will gravitate to a better understanding of up-to-date security requirements. We will help your team understand the flaws of your software development lifecycle (SDLC), how we exploited them, and then instill better development and deployment practices moving forward. They will learn that application penetration testing, just like bug testing and user acceptance testing, should be conducted with each new release to ensure safety against malicious attacks.
The Big Differentiator, Our People—Scanners Alone Don’t Cut It
Mitnick Security does not just use application security scanners, because they only find 15% of the problems in software code (which is even less than the maximum 45% that automated scanners reveal for network vulnerability assessment). Therefore, this is only the extreme low-hanging fruit. If you have anything of true value, you could have thieves or saboteurs actually target you specifically with intense focus, and this type of security review is simply not enough. Our Global Ghost Team™ mimics this intense, targeted focus and performs manual scans, reviews, and research to look for vulnerabilities buried deep within your application. The team also creates manual exploit codes to target specific vulnerabilities we find in your application.
Our Team Consists of Global Experts Who Draw Upon the Best Methodologies
Our Global Ghost Team™ has the finest software security specialists in the world. Due to the reach and positioning of the Mitnick brand across the globe, we are able to attract the finest security specialists and researchers for specific tasks. The people on the team make all the difference. Being elite “white hats,” they are chosen also for their professionalism to use safe, industry-standardized practices for Black, Gray, and White Box Penetration Testing as well as unique methods (such as manual web application security research) specific to web applications. From not knowing anything about your application to going line-by-line through your source code, we find all vulnerabilities and use exploits to understand the risks to your organization and users, and then assist your team in remediation. We draw upon the best methodologies on assessing software security from the Web Application Security Consortium (WASC) and the Open Web Application Security Project (OWASP).
The Major Steps We Combine into the Mitnick Methodology
Some of the main steps in our methodology include (but are not limited to) Application Reconnaissance, Application Authentication Testing, Application Authorization Testing, Application Data Validation Testing, Application Logic Testing, Application Session Management Testing, and Reporting.
Application Reconnaissance
This is the application discovery step where our team collects as much information as possible about your application. Our team studies the data your application handles and the input parameters. It also collects information about the security policies in use within your application. Our team follows a “spider” approach while doing recon on your application. New dimensions or components of the application, discovered during the information-gathering step, are added to the framework of the testing. The team also analyzes the error pages generated by the application in response to incorrect input. During this step, our team creates a map of the application that lists all of the possible gates (entry points) to the application, and these entry points define the “attack surfaces” of the application. More entry points mean a larger attack surface and a more exposed application.
Application Authentication Testing
Your application follows logic to confirm or deny the identity of a user. The Global Ghost Team™ tests this logic for security flaws that allow us to bypass the authentication procedures, or cause a Type II error (allowing entry to an unauthorized user). This step would include activities such as: testing for the presence of guessable usernames (like “admin,” “test,” “guest,” etc.), testing for the unencrypted transportation of user credentials over the network (susceptible to sniffing), testing authentication bypassing, testing browser cache management, testing “lost password” recovery procedures, and so on.
Application Authorization Testing
Authorization procedures in the application determine if a user has sufficient privileges to perform a specific action or request certain information. For example, a normal user of the application is not allowed to delete another user’s account or view his or her data. During this step, the Global Ghost Team™ also performs privilege escalation attacks to determine weaknesses in authorization procedures. This step includes activities such as testing path traversal, testing authorization schema bypass, privilege escalation, and so on.
Application Data Validation Testing
It is critical that your application validates input data before processing it. This is because the input to your application acts as an entry point for the attacker’s malicious data. During this step, the Global Ghost Team™ performs extensive data validation testing. Our team simulates the following attacks on your application: SQL injection, Cross Site Scripting, File System attacks, Buffer Overflow attacks, and Command Injection attacks. Our objective is to discover how well your application handles improper or malicious input.
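The SQL injection case from the list above, shown as an added defender's example (not code from Mitnick Security or from any client application): the same lookup written with string concatenation and with a parameterized query, run against a constructed in-memory SQLite table, plus an allowlist validator applied before the query. The table, user names and the `' OR '1'='1` sample input are all constructed for the example.

```python
import re
import sqlite3

# Constructed in-memory user store standing in for an application's database
# (example data only, not taken from any real application).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b"), ("carol", "hash-c")],
    )
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the statement by concatenation, so the input becomes part of the SQL."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_user_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized statement: the value travels separately from the SQL text."""
    query = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(query, (username,)))


# Allowlist validation performed before the data reaches the query layer.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def is_valid_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


def compare(username: str) -> dict:
    """Run one input through both variants and report what each returns."""
    conn = make_db()
    try:
        return {
            "input_valid": is_valid_username(username),
            "vulnerable": lookup_user_vulnerable(conn, username),
            "hardened": lookup_user_hardened(conn, username),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for sample in ("bob", "x' OR '1'='1"):
        print(repr(sample), "->", compare(sample))
```

With the constructed tautology input the concatenated query matches every row while the parameterized one matches none; the allowlist rejects the input outright, which is the check the data validation step looks for.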
Application Logic Testing
This is a thorough manual test of your application’s business logic. Our experts test your application’s logic manually by understanding the overall purpose and reason for existence of the application. We believe in this as a holistic approach to testing, where our team analyzes the functional requirements of your application. Our team studies ‘use cases’ and application manuals to gain a thorough understanding of the business logic that is relevant to your application.
Application Session Management Testing
Once a user successfully authenticates to your application, he or she is allotted a user “session.” Your application maintains the user’s session information until the time he or she logs out. This is known as session management. In cases of mismanagement, the user may suffer data loss or the application may suffer from security vulnerabilities. The Global Ghost Team™ tests your application extensively for improper session management. Application session management testing involves tasks that may include Testing Cookie Attributes, Testing Session Variables, Testing Session Management Schema, Testing Session Fixation, and so on.
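The cookie attribute and session fixation checks named above, as an added example of how a defender can automate them against a recorded Set-Cookie header (this is not Mitnick Security's tooling; the header values and the 16-character length heuristic are constructed for the example).

```python
def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) carry no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_session_cookie(header: str, served_over_https: bool = True) -> list:
    """Return the findings a tester would raise for a session cookie header."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings = []
    if served_over_https and "secure" not in attrs:
        findings.append("missing Secure: cookie can be sent over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable by script, enabling session theft via XSS")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cookie attached to cross-site requests (CSRF)")
    # Constructed heuristic: very short session identifiers are a sign of low entropy.
    if len(cookie["value"]) < 16:
        findings.append("session id shorter than 16 characters: likely guessable")
    return findings


def session_rotated_on_login(pre_login_id: str, post_login_id: str) -> bool:
    """Session fixation check: the id issued before login must not survive authentication."""
    return bool(post_login_id) and pre_login_id != post_login_id


if __name__ == "__main__":
    # Constructed sample headers, not captured from any real application.
    weak = "sid=abc123; Path=/"
    strong = "sid=8f3e9c2b7a1d4e6f0b9c8d7e6f5a4b3c; Path=/; Secure; HttpOnly; SameSite=Strict"
    for h in (weak, strong):
        print(h, "->", audit_session_cookie(h) or ["no findings"])
    print("rotated:", session_rotated_on_login("abc123", "abc123"))
```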
Reporting
The Global Ghost Team™ prepares a report that lists the details of the vulnerabilities discovered in your application (most critical first). It contains an “executive summary” and an analysis of our findings. It also contains proof-of-concept material to corroborate successful exploitation. This provides you a realistic picture of how vulnerable your application is to potential attacks. The report also contains details of mitigation measures you should undertake to minimize the security risks in your application. You will also receive log files from tools as supporting evidence of our findings. The report also mentions any positive security implementation encountered during the test.
Black, White, and Gray Application Security Testing
Mitnick Provides the Right Box Testing to Meet Your Goals
Application penetration testing is done to HARDEN your applications against security threats. Box testing is a method of testing software applications for security weaknesses that exist in the internal structure, workings, or interfaces of the application. “Box” is a loose term used to refer to the application, and the “color” of the box refers to the conditions in which the testing is done. Application penetration testing is categorized into Black Box Testing, White Box Testing, and Gray Box Testing. We at Mitnick Security are experts with each type of box testing, and we are able to assist you in choosing which is the most prudent to meet your security goals for your business.
Black Box Application Security Testing
Black box testing is when we simulate real-world attacks of a skilled hacker on your application. It will provide you a view of your application’s security from the “outside looking in.” This testing will uncover a variety of vulnerabilities in your application that an attacker will target. With no knowledge of why or how an application works, and without having access to your application’s source code, the Global Ghost Team™ will be penetration testing the unknown “black box.” Black box testing is essentially done “blind” (hence the term black), as the Global Ghost Team™ is not given detailed information about your system or infrastructure. Black box testing requires user credentials, provided by you, that are used to test the software system’s security without actually having access to the source code or any other detail. The black box test starts with valid credentials on the system. It then explores the possibilities of privilege escalation or unauthorized access.
A black box test will provide you the “real picture” of how secure your application is against actual attacks by hackers. It is able to review the security state of the environment in which your application resides. It will reveal security risks derived from third-party components and the resources that exist outside of your application. It is able to reveal injection vulnerabilities that exist in your application, such as SQL injection and command injection. It will also reveal hidden “back doors” in your application that were ‘hard-coded’ into the application. Black box testing will detect any possibilities of bypassing cryptographic algorithms used in your application that protect against unauthorized information disclosure. It will also reveal possibilities of bypassing authentication mechanisms and taking over other user accounts. Black box testing will identify Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) vulnerabilities in your application (the most hunted web application vulnerabilities in the world today). It will reveal potential Local File Inclusion (LFI) and Remote File Inclusion (RFI) vulnerabilities that exist in your application. Black box testing is also able to examine problematic interactions between subsystems that lead to security holes, such as unencrypted transmissions of sensitive information over an insecure medium.
All organizations deploy some type of access control (such as user accounts and passwords) that determines if a user has use of particular resources and what level of access is allowed for a particular user. Black box testing helps determine how effective these access controls are against a determined, yet “blind,” hacker targeting the network from the outside. Any organization deploying applications in a hostile environment (such as the Internet) requires, as a bare minimum, black box testing to understand the application’s defenses against attacks from unknown, unrelated parties.
White Box Application Security Testing
White box testing is a complete application source code review. It involves detailed application source code review to identify the difference between what security was designed into your application and what was actually built. White box testing reveals much deeper vulnerabilities in the underlying code that the black box tests may not be able to reach. Our team is given access to detailed information about the system under examination, including the complete source code. This allows us to examine parts of the system that are not accessible, or testable, using the common user interface (UI). White box testing can be undertaken before the system is actually complete and in production (e.g., in the design step itself, very early in the SDLC).
White box testing is able to identify exactly where the vulnerabilities exist in your application’s source code and why they are there. White box testing helps you determine whether the code design is actually implemented in the source code. After a white box test, it will be easier to take remediation measures to mitigate vulnerabilities. This is because it reveals the exact location of the vulnerabilities in the source code. White box testing is able to examine the extensive dimensions of a system’s programming, such as audit log information, flaws in cryptographic procedures, backend system hardening, etc. Developers with ill intent may embed back doors in the code, using “Easter eggs” and other nefarious threats, including kleptographic attack mechanisms, that aim to steal information subliminally and covertly. Access to intricate information during this testing saves time. For example, our team may not need to simulate SQL injection attacks if we can see that dynamic parameters are used in a safe manner throughout the code. White box testing provides you with a thorough “inside view” of your application’s overall security.
Due to its nature, white box testing requires highly skilled and specialized experts. Even leading security software developers engage Mitnick Security for white box testing of their security software product applications because they know our team has the programming security experts required for the intricacies and complexities this highly specialized field requires. Mitnick Security has programming language experts with an intricate understanding of secure coding practices.
If you require an in-depth analysis of your application’s security, white box testing is indispensable, as it involves a full application source code audit to discover and remove all security weaknesses by the “root.”
Gray Box Application Security Testing
This type of testing combines white box and black box testing; therefore, it is “gray.” During the gray box testing, our team has access to the source code. However, unlike white box testing, we are not doing a full source code review. We are looking at specific parts that are relevant to security weaknesses, such as input parameters, workflows, proper sanitization, and so on. The team may also interview developers of the application if needed. Gray box testing is essentially black box testing, but it goes much further than that, since it also includes a security audit of the application’s source code from a developer’s perspective. Our team combines auditing (hunting for insecure code in your application) with the attacks of a skilled hacker.
Gray box testing provides you a full application inspection from the perspective of a developer and an attacker. It will be able to reveal injection vulnerabilities in your application, such as SQL injection and command injection. It will also reveal hidden back doors in your application that were “hard-coded” into the application. Gray box testing will detect any possibilities of bypassing cryptographic algorithms used in your application that protect against unauthorized information disclosure. It will also reveal possibilities of bypassing authentication mechanisms and taking over other user accounts. Gray box testing will identify XSS and CSRF vulnerabilities in your application (the most hunted web application vulnerabilities in the world today). It will reveal potential LFI and RFI vulnerabilities in your application. Generally, black box testing is faster but generates limited conclusions about the system (as we simulate attacks on the application from the “outside” only). On the other hand, white box testing generates deeper conclusions about security by examining the source code but can become very time-consuming as the source code increases in length. Gray box testing is the best approach, as it offers the best of both, that is, it generates more conclusive results than a black box test (simulation of attacks by a hacker) but takes less time and effort than a white box test (source code security audit).
During gray box testing, the team uses a variety of methodologies, tactics, technologies, and research available to any real-world attacker. The team starts by deploying automated scanning for finding the low-hanging fruit. The team attacks the most common vectors used by those with malicious intent. Attack vectors include, but are not limited to, cross-site scripting, cross-site request forgery, security misconfigurations, sensitive data exposure, and SQL injection. The team goes much further and relies mainly on manual methods of analysis, research, and custom exploitation, which uncovers the most vulnerabilities and provides optimal results for our clients.
Gray box testing offers you the best of both—white box testing and black box testing. It will provide you a perfect combination of application source code review (“inside look” at security) and simulation of attacks by an attacker (“outside look” at security).
Mobile Application Penetration Testing
Specialized Mobile Application Penetration Testing
Mobile application penetration testing is the simulation of real-world hacking attacks on applications designed for mobile devices. It starts with the discovery of security holes in your mobile applications and then goes on to exploit them to generate proof-of-concept. Mitnick Security’s Global Ghost Team™ discovers vulnerabilities in your mobile applications posing as both a registered user and an anonymous guest user. Our team conducts mobile application penetration testing for a variety of platforms, which include iPad, iPhone, Blackberry, Windows Phone, Nokia, and Android.
Benefits are Exponential
Mobile application penetration testing will make your mobile applications more resilient toward attacks from hackers, and it will help you secure personally identifiable information (PII). This is of immense importance if your mobile application handles private user information, as the concern for user privacy is constantly growing. Mobile application penetration testing will also help you secure user financial information (such as credit card details). It will also provide you a thorough understanding of the technical threats and attack vectors targeting your mobile applications. You will learn the overall security stature of your mobile application. After your mobile applications pass our mobile application penetration testing, users will enjoy increased confidence in the security implementation. When you design and bring a mobile application to the users, the responsibility for ensuring information security rests on you. Mobile application penetration testing will help you fulfill this responsibility by thoroughly testing your mobile applications and providing you with detailed information on mitigating security vulnerabilities before hackers can target them. This will help raise the threshold for possible information leakage or fraud.
Mitnick’s Senior Mobile Specialists and Methodologies
The world-renowned experts on our Global Ghost Team™ use the most advanced technologies to test your mobile applications thoroughly for security holes. Our team has a diverse set of skills over various mobile platforms. As iOS and Android are the two most popular mobile platforms today, we have dedicated people who intensively test applications belonging to these environments. Our testing procedures agree with the OWASP mobile security project. Our team goes through certain phases while testing your mobile application. These include, but are not limited to, Reconnaissance, Authentication Testing, Authorization Testing, Data Storage Testing, Testing for Information Leakage, Data Validation Testing, Session Management Testing, Communication Protocols Testing, Cryptography Testing, File System Testing, and Reporting.
Reconnaissance
The Global Ghost Team™ gathers as much information as possible about your mobile application. Information gathered in this phase better prepares us for future phases in the testing process. Your mobile application goes through extensive research that provides us with a solid understanding of how your application “should” work. This phase includes activities such as manual navigation of your application to understand the basic functionality and the workflows, understanding the application’s interaction with data carriers like 3G, 4G, and Wi-Fi, determining whether the mobile application handles financial information (in-app purchases and credit card transactions), identifying the application’s interactions with hardware (GPS, microphones, sensors, Bluetooth, etc.), understanding the application’s interactions with other applications or services on the mobile device (contacts, e-mail, Dropbox, social networking sites, messaging, etc.), determining the network protocols the mobile application uses, gathering information about your mobile application’s server-side environment, and so on.
Authentication Testing
Our team locates the authentication procedures that handle user authentication through the application’s UI. We exploit these authentication mechanisms using brute-force techniques, replay attacks, and parameter tampering. If the mobile application depends on Single Sign On (SSO) using a Facebook or Google account, we exploit this condition to gain access to this SSO account and hence compromise the mobile application. If your application interacts with the SMS service, we spoof the identity of the sender to exploit the application. We exploit remote login procedures in your mobile application to gain remote access to your application and its data. The Global Ghost Team™ also exploits any other information used in your mobile application for the purpose of authentication (in place of passwords). These may be digital certificates, tokens, or contextual information.
Authorization Testing
Authorization procedures within your mobile application are responsible for determining if a certain user has access to a certain resource or service. The Global Ghost Team™ exploits weak file permissions to gain unauthorized access to an application’s files. Our team exploits weak authorization procedures to access “functionalities” within your application not intended for a certain role. We directly access areas within your mobile application (defying the application’s workflow) by hunting down poor authorization practices.
Data Storage Testing
The Global Ghost Team™ tests to discover if an application stores the associated data in plaintext or encrypted form. We exploit the lack of secure encryption procedures to gain access to sensitive application data. In case your mobile application does use encryption, we exploit weak key generation and key storage procedures to obtain the encryption key. We follow your application’s logic used for data storage and retrieve unprotected application data from external or internal storage areas. External storage includes SD cards, Cloud storage, temporary directories, iTunes backup, and so on. Our team tests whether your mobile application is storing sensitive user data (patient information, financial information, user credentials, etc.) in an insecure location.
Testing for Information Leakage
Mobile applications are known to inadvertently leak seemingly benign information that proves useful to an attacker looking for a weakness. Our team tests for such inadvertent information disclosures by searching temporary locations and log files. If your mobile application generates log data, we exploit unprotected log files to discover sensitive information. “Caches” store a wealth of frequently used information. Some of the caches we search through are predictive text, browser caches, the copy-and-paste clipboard, and other nonstandard cache locations. In case your mobile application allows third-party apps or application programming interfaces (APIs) to access data, we exploit weak permissions and access control.
Data Validation Testing
It is critical that your mobile application validates input data before processing it, because every input to your mobile application is an entry point for an attacker’s malicious data. During this phase, the Global Ghost Team™ performs extensive data validation testing. Our team simulates the following attacks on your application: SQL injection, file system attacks, buffer overflow attacks, command injection attacks, and so on. Our objective is to understand how well your application handles improper or malicious input.
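To make the data validation point concrete, here is an added example (not code from the Mitnick Security page or from any client application) showing the same database lookup written in the vulnerable form that SQL injection testing targets and in the hardened form that input validation plus parameterized queries gives you. The table, rows, and usernames are constructed sample data.

```python
"""Added example: vulnerable string-built SQL beside the validated, parameterized form.
The in-memory table and its rows are constructed sample data, not from the page."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample backend: two users with API keys."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, api_key TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "key-alice"), ("bob", "key-bob")])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable form: the input is concatenated into the SQL text, so input
    containing quote characters can change the meaning of the query."""
    sql = "SELECT username, api_key FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


# Allow-list validation: only the characters a username may legitimately contain.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: reject anything outside the expected character set before
    use, then bind the value as a parameter so the driver treats it purely as data."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username failed input validation")
    sql = "SELECT username, api_key FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo(username: str) -> dict:
    """Run one input through both forms and summarise what each returned."""
    conn = make_db()
    unsafe_rows = lookup_unsafe(conn, username)
    try:
        safe_rows = lookup_safe(conn, username)
        rejected = False
    except ValueError:
        safe_rows, rejected = [], True
    return {"unsafe_rows": len(unsafe_rows), "safe_rows": len(safe_rows), "rejected": rejected}


if __name__ == "__main__":
    print(demo("alice"))          # both forms return the one matching row
    print(demo("' OR '1'='1"))    # tautology: the unsafe query returns every row,
                                  # the validated query rejects the input outright
```

The allow-list check fails closed: anything that is not a plausible username never reaches the database, and the parameter binding means that even an input which passes validation cannot alter the query structure.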
Session Management Testing
Once a user successfully authenticates to your mobile application, he or she is allotted a user session. Your application maintains the user’s session information until he or she logs out. This is known as session management. If sessions are mismanaged, the user may suffer data loss or your mobile application may suffer from security vulnerabilities. During this step, the Global Ghost Team™ tests your application for improper session management. We test whether the session times out locally as well as on the server side. We retrieve sensitive user information not flushed by your mobile application upon session expiration.
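The two properties named above, a timeout enforced on the server rather than only on the device and a flush of session data when the session ends, can be seen in this added example of a minimal server-side session store. It is illustrative code written for this page, not code from Mitnick Security or any client application; the timeout values are assumptions, and the clock is injectable so the behaviour can be exercised without waiting.

```python
"""Added example: server-side session store with idle and absolute timeouts and
data flushing on expiry/logout. Timeout values are assumed defaults."""
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    created: float      # when the session was issued
    last_seen: float    # last authenticated request
    data: dict = field(default_factory=dict)   # server-side state tied to the session


class SessionStore:
    def __init__(self, idle_timeout=900, max_lifetime=8 * 3600, clock=time.monotonic):
        self.idle_timeout = idle_timeout    # seconds without activity before expiry
        self.max_lifetime = max_lifetime    # hard cap regardless of activity
        self.clock = clock                  # injectable for testing
        self._sessions = {}                 # token -> Session

    def create(self, user: str) -> str:
        # 256-bit random token from the OS CSPRNG, never derived from user data.
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def get(self, token: str):
        """Return the live session for token, or None. Expiry is decided here,
        on the server, so a client that ignores its local timer gains nothing."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self.clock()
        if (now - session.last_seen > self.idle_timeout
                or now - session.created > self.max_lifetime):
            self.destroy(token)
            return None
        session.last_seen = now
        return session

    def destroy(self, token: str) -> None:
        """Remove the session and clear its data so nothing sensitive outlives it."""
        session = self._sessions.pop(token, None)
        if session is not None:
            session.data.clear()

    def logout(self, token: str) -> None:
        self.destroy(token)


if __name__ == "__main__":
    store = SessionStore(idle_timeout=2)
    tok = store.create("alice")
    print(store.get(tok) is not None)   # True: fresh session
    time.sleep(2.5)
    print(store.get(tok) is None)       # True: idle timeout enforced server-side
```

Both checks happen inside `get`, which every authenticated request must go through; an expired session is destroyed on first contact rather than lingering until a sweeper runs, and `destroy` clears the attached data rather than only dropping the token.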
Communication Protocols Testing
Your mobile application depends on certain network protocols for communication. In this phase, the Global Ghost Team™ takes note of all of the communication protocols used by your mobile application. These are then heavily scrutinized for their suitability to the data they carry. For example, plain HTTP is not suitable for transferring user credentials over the network, as it does not encrypt data in transit. The same goes for File Transfer Protocol (FTP) and Secure Shell (SSH) version 1. Our team also hunts for (and exploits) known issues in the specific libraries your mobile application uses to implement each protocol.
Cryptography Testing
The Global Ghost Team™ implements brute force attacks against cryptographic keys and password hashes (a hash is a one-way function that takes the plaintext password as its input). We reconstruct encrypted data, exploiting key recovery procedures and making use of hard-coded credentials (“back doors”) in your mobile application.
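The Data Storage Testing and Cryptography Testing phases above both come down to how keys and credentials are derived and stored. This added example (written for this page, not code from Mitnick Security or any client application) shows the storage pattern that leaves those tests nothing to find: a random per-user salt, a slow standard-library key-derivation function, and a constant-time comparison, beside the fast unsalted hash that brute-force testing targets, plus a data-encryption key derived per install instead of hard-coded in the app. The iteration count is an assumed value chosen to keep the example quick.

```python
"""Added example: salted, slow password hashing and per-install key derivation
using only the Python standard library. ITERATIONS is an assumed value; tune it
to your hardware so one derivation costs a noticeable fraction of a second."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumed default; raise as hardware allows
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Store a password as algorithm$iterations$salt$digest, with a fresh random salt."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, iters, salt_b64, digest_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False   # malformed record: fail closed
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations,
                                 dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def weak_hash(password: str) -> str:
    """What brute-force testing targets: one fast, unsalted hash. Every user with
    the same password gets the same digest, and high-rate guessing or precomputed
    tables apply directly."""
    return hashlib.sha256(password.encode()).hexdigest()


def derive_storage_key(passphrase: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Per-install data-encryption key derived from a user secret plus a random salt
    stored next to the ciphertext, instead of a key hard-coded in the app binary."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, dklen=32)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("wrong guess", record))                    # False
    print(weak_hash("hunter2") == weak_hash("hunter2"))              # True: no salt
```

Because the salt and iteration count travel with the record, the cost can be raised later without invalidating existing hashes, and two users with the same password produce different records, which is exactly what defeats the shared-digest shortcut a fast unsalted hash offers.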
File System Testing
The Global Ghost Team™ thoroughly studies the relationship between the application and the mobile file system environment. We hunt for any artifacts left by your application on the mobile device file system. We look for the existence of data backups on the file system. Our team makes use of forensic techniques to “un-delete” (recover) data that has been deleted by your mobile application on the file system. The team also searches for the presence of username/password pairs stored by your mobile application on the file system.
Reporting
After completion of the mobile application penetration testing, you will receive a detailed report of all the security weaknesses in your mobile application. The report will contain evidence in the form of proof-of-concept snapshots that corroborate successful exploitation of your mobile application. It will also provide you with details of the steps that our team took to exploit vulnerabilities existing in your mobile application. This gives you a realistic picture of how vulnerable your application is to potential attacks. It will also provide you with mitigation strategies to fix the security issues and minimize risk to your mobile application. The report will highlight security vulnerabilities that demand immediate attention and would have the greatest impact if exploited successfully by an attacker.
As mobile devices and platforms become extremely popular, they attract a plethora of new threats and attackers. It is incumbent on you to have your application thoroughly tested through mobile application penetration testing before making it available to users.
An Overview of Vulnerability Assessments
Vulnerability assessment is when we locate, quantify, and prioritize (“most critical” to “probable”) the vulnerabilities in your systems and network. It includes discovering deeply embedded vulnerabilities in your systems, network, infrastructure, and processes. The purpose is to mitigate, minimize, or eliminate the discovered vulnerabilities before the “bad guys” find them and exploit them to cause harm.
The Benefits Are Universal
Vulnerability assessment is an extremely crucial and proactive practice for determining your organization’s level of exposure and susceptibility to security threats. Security holes in your systems and communication infrastructure are identified and classified. Strategies and solutions may be provided based on the vulnerabilities found, so that your organization is able to HARDEN its defenses by eliminating the “holes” found in its security. With automated scanning tools and exploit frameworks freely and readily available not only to seasoned “black hat” hackers but also to amateur hackers (“script kiddies”), it is essential that organizations stay abreast of the latest threats and related countermeasures. Although certain industry qualifications require organizations to conduct regular automated scans, which everyone should, it has become increasingly clear that organizations MUST move beyond automated scanning to assess their true exposure to vulnerabilities. Focused attackers bring far more intense manual analysis and custom vulnerability research to bear on their targets. This is why organizations choose Mitnick Security, as we are able to mimic these focused, targeted attacks so well.
How Mitnick Security is Superior at Vulnerability Assessments
Though Scanners Are Good, They Only Find Less than Half of the Vulnerabilities
Though Mitnick Security’s team intensively performs extensive automated scans using a multitude of automated tools where appropriate, people clearly make the difference in finding vulnerabilities. With Mitnick Security, it is all about the experienced people we have on our team. Why? The following is extremely important to understand:
According to OWASP, MITRE Corporation (a not-for-profit organization that operates research and development sponsored by the US government) “found that all application security tool vendors’ claims put together cover only 45% of the known vulnerability types (over 600 in CWE). They also found very little overlap between tools, so to get 45% you need them all (assuming their claims are true).” CWE is the Common Weakness Enumeration, which is a community-developed formal list of software weakness types, given by MITRE.
Our People Cannot Be Matched by Technology
This is why our Global Ghost Team™ stands out high above the crowd. We have creative masterminds, the world’s leading “white hat hackers” who have the knowledge to discover all of the related vulnerabilities during the manual scan. For specific types of networks, because of our unique global reach, we can bring in specific specialists. Our team uses “lateral thinking” to discover chains of vulnerabilities. This is done to ensure we reach deeply embedded vulnerabilities that an automated scan simply cannot find. Ultimately, we give you a thorough and well-researched analysis into how vulnerable your assets are to security breaches. Others just give you 45% of what you should know, at best.
Mitnick Security’s people discover vulnerabilities that automated tool-based scans simply cannot identify. Furthermore, these real people provide a “quantity” to the vulnerabilities using a suitable scale, and prioritize them, beyond what automated toolsets provide, with human reasoning. This helps us provide you the clearest view of a prioritized list of the vulnerabilities you have, so you are able to make informed decisions on what actions to take next.
The Steps We Take to Make Vulnerability Assessments
An exhaustive list is prepared of your protected resources, which lie within the scope of the vulnerability assessment. This includes all of the types of systems and network resources in your organization.
We identify the criticality of these resources to your organization. Some resources are more critical to your business operations than are others. These are arranged in order of decreasing priority.
We start with an automated scan, using industry-standard tools, to locate the most common and easily discovered vulnerabilities, the low-hanging fruit. During automated scanning, we use both open-source scanners (such as OpenVAS) and proprietary scanners (such as Nessus). Our team then moves on to perform extensive manual scanning. Next, our security experts, who are deft at uncovering even the most deeply hidden and hard-to-locate vulnerabilities, manually review, probe, analyze, research, and identify. This exposes the most concealed vulnerabilities in your systems and networks. These are the ones that matter, as they are what actual attackers hunt for: the ones that let them compromise your system entirely, and for long periods of time.
Our team now allocates a quantity to each of the discovered vulnerabilities on a suitable scale. The quantity attached to each discovered vulnerability gives a measure of how severe it is against your systems and networks. The quantity depends on how well-known the vulnerability is, the level of complexity involved in exploiting it, whether it can be exploited remotely or locally, and the extent of damage caused after successful exploitation.
The vulnerabilities are now prioritized in order of the most critical first. This is to help you understand which vulnerabilities are the most severe and need to be addressed first.
Developing a Mitigation Strategy
Our team has security solutions specialists that will provide you with the most suitable mitigation strategies to deal with existing vulnerabilities.
The Multiple Types of Vulnerability Assessments Mitnick Security Provides
Finding Vulnerabilities in Your Voice Over IP Systems
A VoIP vulnerability assessment discovers security vulnerabilities and risks present in your VoIP (Voice over IP) network. VoIP is the technology that enables you to use IP networks (such as the Internet) as transmission mediums for voice calls and multimedia sessions. After the VoIP vulnerability assessment, Mitnick’s Global Ghost Team™ will provide you a complete list of all the discovered vulnerabilities. Our team also quantifies and prioritizes these vulnerabilities. This is done to highlight critical vulnerabilities, so you can prioritize those you need to address first.
Why This Type of Assessment Is of Particular Importance to Any Organization
Assessing VoIP security ensures that the requirements of confidentiality, availability, and integrity are being satisfied. As no dedicated network is used in the case of VoIP, you are completely exposed to a variety of viable attacks. VoIP security assessments will help you prevent and avoid identity spoofing of the caller or the receiving party, manipulation of calls or transported data, manipulation of billing data, of the time of arrival of voice mails, or of the state of a communication participant, billing fraud, and covert communication channels. A VoIP vulnerability assessment will allow you to comply with regulations (such as protection of privacy or lawful interception). As it will provide you a prioritized list of analyzed vulnerabilities and the relevant risk involved with each, you will have a basis for risk evaluation, risk treatment, and risk acceptance. In most cases, risk treatment is the best approach, but if the cost of risk treatment outweighs the cost of the asset itself, risk acceptance is a better choice.
In addition, a VoIP security assessment will help you counter threats present at the protocol level, connection level, gateway level, and endpoint level. Threats at the protocol level include flawed implementations within your network that suffer from buffer overflow vulnerabilities, bad firewall configuration resulting from protocol complexity, and poorly designed protocols. Threats at the connection level include eavesdroppers who are monitoring your calls (loss of confidentiality), unauthorized modification of your VoIP data (loss of integrity), and denial of service resulting from a malicious attack or from misconfiguration (loss of availability). Threats at the gateway level include those that target central components such as call managers, SIP proxies, session border controllers, and so on. Threats at the endpoint level include use of covert communication channels, system security compromise, use of your VoIP softphones to spread malware, and so on.
VoIP has gained popularity in recent years because of its low cost and the flexibility to integrate other services such as video calls and instant messaging. This flexibility, in turn, allows a variety of security threats to exist, especially because VoIP uses a public medium such as the Internet. Attacks commonly seen against VoIP include DoS, hijacking, eavesdropping, Spam over IP Telephony (SPIT), and identity spoofing. Regular VoIP vulnerability assessments will significantly help you mitigate the security risks posed by these threats by enabling you to be proactive in hardening your VoIP system.
Our Approach and Tasks for VoIP Vulnerability Assessments
The Global Ghost Team™ performs internal and external VoIP vulnerability assessments (inside or outside your organization’s network), so you have a complete understanding of your situation. VoIP is commonly used in organizations these days for communication purposes, and due to the sensitivity of information, it is imperative to have a VoIP vulnerability assessment performed to understand the accurate status of the security of this information.
VoIP security assessments include the following tasks: Understanding the VLAN configuration and network design, Testing the physical voice port, Gaining access to the Voice VLAN, Testing for the possibility of “VLAN hopping,” Bringing a rogue IP phone into the environment, Defeating MAC address filtering, VoIP corporate directory theft, Testing the possibility of bypassing 802.1x, and Testing the possibility of VoIP eavesdropping.
Understanding the VLAN Configuration and Network Design
Your VoIP may be running on a flat network or segmented with distinct VLANs for Quality of Service. As our team’s purpose is to test only VoIP infrastructure, we will gain a thorough understanding of your VLAN configuration and the design of your internal network. This helps us logically separate your VoIP infrastructure from other network devices during the test.
Testing Your Physical Voice Port
Any trusted insider (such as an employee) has physical access to your voice ports. Without strong physical security controls, an attacker can attach a laptop directly to a voice port. As part of the internal assessment of your VoIP network, we test for the existence of “Ethernet locks” that are used to prevent such a scenario.
Gaining Access to Voice Virtual Local Area Network (VLAN)
The “Voice VLAN” feature allows IP phones to easily autoconfigure and is most likely used in your VoIP network. To test for the presence of a Voice VLAN, the Global Ghost Team™ uses sniffing techniques. Sniffing is an eavesdropping technique that involves unauthorized interception of communications. We use two approaches:
Directly plugging the laptop into the network: After plugging our laptop directly into the voice port, our team runs Wireshark (a sniffer) and observes the traffic. The Global Ghost Team™ then dissects the CDP packets to learn if a Voice VLAN is used. Sniffing for LLDP-MED allows the team to learn the Voice VLAN ID.
Using a hub: In this case, the Global Ghost Team™ plugs a hub into your network, and our laptop and an IP phone share a connection to the hub. This allows the team to understand how your Voice VLAN is implemented and the IP addressing of your IP phone VLAN.
Testing for the Possibility of “VLAN Hopping”
A system on one VLAN may be able to “hop” into another VLAN. “VLAN hopping” allows your IP phones to be attacked directly. It also enables eavesdropping, denial of service, and firewall evasion. Our tests therefore determine whether it is possible for our system to hop from one VLAN to another and attack a target IP phone in that VLAN.
Bringing in a Rogue IP Phone into Your VoIP Environment
Bringing a rogue IP phone into your environment allows us to determine whether it succeeds in registering to your call server. If it does, and the weakness is not addressed, it will eventually result in toll fraud.
Defeating MAC Address Filtering
Your network administrator normally only allows specific Media Access Control (MAC) addresses (the unique hardware address of a device) of IP phones to pass traffic on the voice VLAN. However, this security is easily defeated by spoofing the MAC or hardware address of the IP phone. Therefore, we test whether MAC filtering is being used in your VLAN to allow only specified IP phones to pass traffic.
VoIP Corporate Directory Theft
The VoIP corporate directory is a great utility for your staff and is easy to use. Unfortunately, it is also an excellent source of information for nefarious purposes. While conducting a remote VoIP vulnerability assessment, the Global Ghost Team™ obtains your VoIP corporate directory. This involves spoofing the Cisco Discovery Protocol (CDP) to obtain the Voice VLAN Identification (VVID), sending Dynamic Host Configuration Protocol (DHCP) requests tagged with the VVID, sending Trivial File Transfer Protocol (TFTP) requests for the IP phone configuration file (and hence obtaining your corporate directory URL), and finally sending an HTTP request for your corporate directory.
Testing the Possibility of Bypassing 802.1x
802.1x is the wired standard commonly used to mitigate VLAN hopping. It is vulnerable to a dictionary attack. Therefore, we test whether our team can gain access to the dedicated access VLAN in your VoIP infrastructure that is using 802.1x. If 802.1x and voice VLAN are in use in your environment, then the team will gain access to the IP Phone VLAN by spoofing the CDP and MAC address.
Testing the Possibility of VoIP Eavesdropping
The Global Ghost Team™ will intercept your VoIP signaling data and Real-time Transport Protocol (RTP) media. The team will also check whether your voice mail passwords can be stolen through interception of VoIP signaling.
Telecommunications Vulnerability Assessments
Telecommunications vulnerability assessments identify and analyze weaknesses within your telecommunications systems. Weaknesses are then quantified and prioritized. The goal is to proactively address all vulnerabilities in the telecommunications systems before they can be exploited and your organization is compromised. The telecommunications vulnerability assessment will normally go beyond reporting vulnerabilities and will state the overall consequences. Mitnick Security will provide strategies to aid risk mitigation, including immediate areas that require remediation.
This Assessment Reduces the Risk and Threat Emanating from this Critical Infrastructure
Our Global Ghost Team™ will illuminate and illustrate your overall telecom security. You will learn about the increasing number of attacks on vulnerabilities across all telecom technology platforms, as well as where you are susceptible. It has become increasingly difficult for organizations to ensure that critical elements of their telecom networks are not at risk. The constant stream of new end-user devices connected to your telecom network adds to the complexity and the risk.
Therefore, it is imperative that you undergo a robust external-party telecommunications vulnerability assessment, so that you have a thorough understanding of your level of vulnerability to attacks from both internal and external sources. It is crucial that you perform telecommunications vulnerability assessments continuously to identify and mitigate vulnerabilities before a security breach can occur.
Proven Methodical Approach
Mitnick Security’s Global Ghost Team™ uses a proven and tested methodology to find weaknesses in your telecom systems and network. This includes Detailed Reviewing, Vulnerability Discovery and Analysis, Vulnerability Validation, Telecom Equipment Inspection, Fuzz Testing, Remedial Activities, and Reporting.
Detailed Reviewing
This is an inspection technique in which our team inspects your applications, systems, networks, policies, and procedures. The goal is to locate vulnerabilities that require manual inspection. During this review, we study documentation, rule sets, logs, and configurations.
Vulnerability Discovery and Analysis
During this phase, the Global Ghost Team™ discovers vulnerabilities using a combination of automated and manual scans. This will include network discovery, port scanning and service identification, vulnerability scans, wireless scans, and application security inspection. The discovered vulnerabilities are then analyzed. During analysis, the team will quantify the vulnerabilities using a suitable scale. A quantity attached to the vulnerability will aid in prioritization of vulnerabilities during the reporting phase.
Vulnerability Validation
After scanning and vulnerability identification, the team will test the presence of the discovered vulnerabilities. This is vulnerability validation and is done to ensure the vulnerability actually exists and is not in doubt. All vulnerabilities are validated before reporting.
Telecom Equipment Inspection
Your organization has a mix of heterogeneous telecom equipment from a variety of vendors (diverse equipment such as modems, landline telephones, multiplexers, local loop, answering machines, teleprinters, etc.). The Global Ghost Team™ conducts a thorough assessment of the equipment software, firmware, and hardware implementation. We look for security weaknesses in the individual equipment and vulnerabilities in the way these are integrated and interfaced with each other.
Fuzz Testing
“Fuzzing” is entering random and nonsensical input to a system and observing the behavior of the system. The response to this bizarre input helps our team in locating weaknesses in the system. Fuzz tests are performed to determine unknown vulnerabilities in complex environments such as your telecom network. We use two approaches:
Model-based fuzzing: During this approach, our team uses protocol specifications to test the protocol areas most susceptible to weaknesses.
Traffic-capture fuzzing: In this technique, the team makes use of traffic captures to create “fuzzers” (tools used for generating the random input) that are deployed for testing.
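To show what traffic-capture fuzzing looks like in practice, here is an added example of a small mutation-based fuzzer; it is illustrative code written for this page, not a Mitnick Security tool. The “captured” seed messages, the record format, and the parser under test are all constructed for the example, and the parser contains a deliberate robustness bug so the harness has something to find. Inputs the parser rejects cleanly (a `ValueError`) are the designed behaviour; any other exception is recorded as a finding, together with the input that triggered it, which is the reproducer a developer needs to fix the bug.

```python
"""Added example: mutation-based fuzzer seeded from constructed traffic captures,
run against a constructed parser with a deliberate bounds-check bug."""
import random


def parse_record(data: bytes) -> tuple:
    """Constructed record format: NAME ':' LENGTH ':' PAYLOAD CHECKSUM_BYTE.
    Malformed input should raise ValueError; anything else is a robustness bug."""
    try:
        name, length, rest = data.split(b":", 2)
    except ValueError:
        raise ValueError("expected NAME:LEN:PAYLOAD")
    n = int(length)                 # ValueError on non-digit length, as intended
    if n < 0:
        raise ValueError("negative length")
    payload = rest[:n]
    checksum = rest[n]              # BUG: no bounds check -> IndexError when rest is short
    return name, payload, checksum


# Constructed "captures": three well-formed records the fuzzer will mutate.
SEEDS = [b"USER:5:alice\x07", b"KEY:3:abc\x01", b"CMD:0:\x00"]


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random byte-level mutation to a captured message."""
    buf = bytearray(data)
    op = rng.randrange(5)
    if op == 0 and buf:                          # flip one bit
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1:                                # insert a random byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == 2 and len(buf) > 1:               # delete a byte
        del buf[rng.randrange(len(buf))]
    elif op == 3 and buf:                        # truncate (simulates a cut-off message)
        del buf[rng.randrange(len(buf)):]
    elif buf:                                    # overwrite a byte with an ASCII digit
        i = rng.randrange(len(buf))              # (stresses the numeric length field)
        buf[i] = rng.choice(b"0123456789")
    return bytes(buf)


def fuzz(parser, seeds, iterations: int = 500, seed: int = 1) -> dict:
    """Run `iterations` mutated inputs through parser. Returns a mapping from
    unexpected exception type to the first input that triggered it."""
    rng = random.Random(seed)       # fixed seed: findings are reproducible
    findings = {}
    for _ in range(iterations):
        data = mutate(rng.choice(seeds), rng)
        try:
            parser(data)
        except ValueError:
            continue                # clean rejection: the parser did its job
        except Exception as exc:    # anything else is a robustness finding
            findings.setdefault(type(exc).__name__, data)
    return findings


if __name__ == "__main__":
    for exc_name, trigger in fuzz(parse_record, SEEDS).items():
        print(exc_name, trigger)    # e.g. IndexError with a truncated record
```

Keeping the seed fixed makes every run reproducible, so a finding can be handed to developers as an exact input rather than a description; in a real engagement the seeds would be real captures from the network under test and the parser would be the deployed protocol handler.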
Remedial Activities
After identification and categorization of vulnerabilities, we will develop a mitigation strategy that you are able to implement. Remediation activities are formulated based on the results of vulnerability identification and analysis. Remediation is both nontechnical and technical in nature. Non-technical remediation includes modifications in your security policies and procedures. Technical remediation includes activities such as deployment of new security technologies, OS or application patching, and so on.
Reporting
Once the Global Ghost Team™ is done with analysis, a report is generated that identifies vulnerabilities in systems, networks, policies, and procedures in your organization. It also includes results of the “Remedial Activities” phase. The report will be presentable for both technical and non-technical audiences, with an executive strategic summary.
The security of your telecom infrastructure is an area of your organization that must constantly be checked for vulnerabilities. If a compromise occurs in this area, it can unknowingly lead to continual consequences on multiple levels. By undergoing a vulnerability assessment now, your team will know how exposed you are to current threats, how to deal with the vulnerabilities, and how to put in place strategies to mitigate future threats.
Physical Vulnerability Assessments
Assessing Your Physical Vulnerabilities
Physical vulnerability assessments determine the vulnerabilities present in your organization’s physical security controls. You will learn whether intruders can break into your buildings or your data centers, or can access your internal network through company workstations. This type of assessment offers you a thorough analysis of all your weak points and a list of all the vulnerabilities in your existing physical security. It is well known that once an intruder has “inside access” to your systems and network(s), the level of damage and theft grows exponentially.
The identified vulnerabilities will be quantified and prioritized. This provides you with decision metrics for the steps toward remediation of the current physical security flaws in your organization. We are also normally asked to propose solutions for HARDENING physical security against potential intruders, for your consideration and implementation.
All your cyber security defenses, such as firewalls or intrusion detection systems, amount to nothing if an intruder can simply walk inside and, for example, plug in a USB stick and compromise your entire network. Physical security therefore has to be taken very seriously, yet it is often lax and overlooked, which gives thieves easy access. Attackers who steal, aka “thieves,” do not rely only on digital means to steal your information. Increasingly, physical penetration goes hand-in-hand with digital theft, as attacking your systems from the inside makes things a whole lot easier.
You Will Understand Real World Threats on Multiple Levels
After a physical security assessment, you will learn what real threats to your physical security exist. You will know how these threats will affect your assets, and the extent of potential damage and loss. You will also know the probability of these threats materializing. We will identify for you the “good” and “poor” physical security practices followed in your organization. You will also understand the latest and most sophisticated attacks used today against the most common vulnerabilities you may possess. We are also able to provide detailed solutions and strategies to HARDEN your physical security controls.
From an executive point of view, this assessment will allow you to see if your security policies are actually being implemented and followed. You will know whether your security staff grasps the “bigger picture” of security during operations. Physical vulnerability assessments are more than just a means of ensuring compliance with international security standards; this assessment should be conducted in your organization’s highly valued facilities at least once every year, because it matters.
Mitnick’s Professional Practices for Physical Vulnerability Assessments
Mitnick Security’s physical vulnerability assessments follow professional practices and proven methodology. This includes the following five phases: Planning Phase, Intelligence Gathering Phase, Execution Phase, Analysis Phase, and Reporting Phase.
Planning Phase
Due to the nature of this assessment, the targets and scope are well laid out. The goal of physical vulnerability assessments is to determine if it is possible for an intruder to enter a secure area or to retrieve a protected asset. A contact person within the organization is assigned to assist unhindered movement of the Global Ghost Team™ within your perimeter during the assessment. This is done to avoid unnecessary complications while we are hunting for physical weaknesses.
Intelligence Gathering Phase
This is the “Reconnaissance” phase. During this phase, the Global Ghost Team™ observes the target facility for the purpose of intelligence gathering, using two approaches. Remote Intelligence Gathering: The Global Ghost Team™ does not come in direct contact with the site. The team gathers relevant intelligence about the target by searching public records and using satellite imagery. Onsite Intelligence Gathering: The Global Ghost Team™ scouts the site (either on our own or via a tour by the contact person) and takes note of physical security procedures and practices being followed.
Execution Phase
During this phase, the Global Ghost Team™ hunts vulnerabilities in physical security throughout the organization and its environment that would allow an intruder to access restricted areas or retrieve a protected object.
Environmental Scanning
Our team performs a thorough inspection of the surroundings to locate any weaknesses. This scan includes accounting for vehicle barriers at entrances, ensuring that landscaping does not allow intruders to get in undetected, checking dumpster security, checking building security during non-work hours, taking note of the clean desk policy, checking for proper lighting over entrances, checking for secure doors and windows, and so on. These are just a few of the activities that our team performs during environmental scanning.
Assessing Monitoring Systems
The Global Ghost Team™ inspects monitoring systems such as Closed Circuit Television (CCTV), for presence of vulnerabilities. This includes checking to see if the video cables are exposed, ensuring camera view is not blocked, checking if surveillance covers sensitive locations, inspection of video footage during and after business hours, and so on. During this assessment, the Global Ghost Team™ determines how effective your monitoring systems are and how they should be improved.
Assessing Electronic Access Control Systems
The team determines vulnerabilities in the Electronic Access Control Systems. This includes activities such as integrating with the Access Control System vendor, determining if the system is on an Uninterruptible Power Supply (UPS) in the event of a power loss, determining if sensitive areas have two-factor authentication, checking card termination procedures, checking if console access is limited to specific personnel, and so on.
Assessing Manual Locks and Keys
The Global Ghost Team™ inspects manual locks and keys used within your organization for security weaknesses. This includes activities such as checking for commercial grade security lock cylinders, determining if master keys are kept in secure storage, checking key return procedures, tracking keys that are issued to employees, and so on.
Once the Global Ghost Team™ has discovered vulnerabilities in your physical security, it begins an in-depth analysis. The team determines how these vulnerabilities threaten your assets and estimates the extent of the damage your assets would suffer if these threats materialized. Each vulnerability is quantified on a suitable scale, and the resulting measure tells you its level of risk. The vulnerabilities are accordingly classified as Critical, High Severity, Medium Severity, Low Severity, and Probable. This gives you a clear picture of which vulnerabilities need to be addressed first, so that you can prioritize your remediation.
The Global Ghost Team™ prepares a thorough report that contains a prioritized list of all the vulnerabilities discovered in your physical security. Our team gives you independent and informed advice on improving the level of physical security in your organization. The report also contains details of the vulnerabilities and the remediation measures needed to HARDEN your physical security against potential intruders. It also recognizes the important role played by your personnel in physical security and tells you which employees to TRAIN for the purpose of improving physical security.
Mobile Application Vulnerability Assessments (update coming soon)
Update Coming Soon
Risk and Threat Analysis (update coming soon)
Update Coming Soon
Product Claims Testing
Verifying Products and Services for Security Claims
Mitnick Security can test products and services to verify the validity of their security claims. We provide accurate measurements of the security of products and services against intentional intrusion attempts. Unfortunately, we encounter cases of gross overstatement regarding the security of products and services; after Mitnick Security’s product testing, such statements have been revealed to be mere marketing tactics, and the claims were found to be false.
Our Global Ghost Team™ provides extremely qualified penetration testers who are highly skilled at breaking security mechanisms and procedures to identify weaknesses and to defeat and evade security procedures. We will unearth security vulnerabilities and provide you with the evidence that will validate or nullify a security claim.
Some of our clients want to know whether products and services perform as advertised, whereas others need supportive evidence prior to making a business decision. Our testing services will provide confidence in the quality, performance, and safety of security mechanisms implemented in a product or service.
Depending on the nature of the product or service, we configure and deploy the Global Ghost Team™ with the right specialists for maximum penetration and analysis specific to your industry. Whether it is for a business decision, such as a purchase, or if you feel negligence has occurred, and you are headed toward court, you will receive comprehensive reporting containing details of the tests we conducted and whether a claim “passed” or “failed” a test. Ultimately, we will reveal and prove the truth.
At Mitnick Security, we design and set up sophisticated experiments that are meant to rigorously test a product according to its claims. We follow a unique combination of industry standard testing procedures and proprietary penetration testing techniques. We will conduct tests in a way that resembles actual intruder attacks. The product or service will undergo both “black box” and “white box” testing. During black box testing, we will conduct tests from the outside, mimicking the techniques of an external attacker. During white box testing, our experts will perform a thorough analysis of the internal workings of the product or service. Our experts may also review source code if applicable. For more information on these services, please refer to Application Penetration Testing in the Mitnick Security Knowledge Base.
Why People Use Mitnick
Try and Break it
People, companies, lawyers, and even governments come to Mitnick Security when they want to know whether something works as advertised. Before a big launch of your product or service, you will want to make sure security mechanisms are effective and ensure they will stand against intentional attempts of abuse and attacks. Enlisting the world-renowned experts at Mitnick Security to perform a thorough analysis of the product or service will give you the greatest peace of mind.
True or False
We will give you thumbs-up or thumbs-down for each security claim made. The product or service will undergo extensive testing to determine whether there is evidence to accept or negate a claim of security. This is done for you to reach an effective understanding of how secure a product really is. When true, we will provide you with details of the security testing procedures that the product underwent without yielding to our penetration attempts. When false, we will provide details of how we were able to break or evade a security mechanism and how we were able to gain unauthorized access to a protected asset.
Acting upon Results
When the testing reveals vulnerabilities in your product or service or allows exploits to be used, we will recommend strategies or solutions to remediate them. In cases of suspected false claims, you can use our testing services to determine whether these were fraudulent in nature, and we will provide you the legal support you need through our Expert Witness services.
Understanding What Incident Response Is—When You Have Been Attacked
How an organization identifies, reacts to, and recovers from security incidents caused by hackers or anyone else with malicious intent is referred to as “Incident Response.” Mitnick Security has an organized approach toward managing the aftermath of security violations in your organization. If there is evidence to suggest a violation of your organization’s security posture, then a security incident has likely occurred and requires a response from you, or from a qualified team such as the one Mitnick Security will provide. Security incidents can range from a simple policy violation, scans, compromises, denial of service attacks, and malware infestations, all the way to an insider stealing thousands of credit card numbers. Until investigated thoroughly, it is never clear what has truly occurred. Many organizations keep Mitnick’s Incident Response Team (a specialized subset of our Global Ghost Team™) on retainer, so that we have prior knowledge of your environment and people, which allows for faster response times and fixes.
Why You Should Consider Using Professional Incident Response
Mitnick’s Incident Response Team manages security incidents using a safe, thorough approach. When a suspected security incident takes place, our Global Ghost Team™ handles it in a professional manner that is consistent with your organization’s security policy, and consistent with local laws and regulations. We concentrate on gathering and maintaining quality evidence for any future legal action. However, the main overall goal of our Global Ghost Team™ is to allow your organization to control costs and damage associated with the incident, as well as recover in the least possible time. We will help you understand what happened and help you to ensure it does not happen again.
You will learn the amount and scope of the damage done to your assets and whether they are recoverable. You will know how the incident should be contained so that other resources in your organization are not affected. You will be provided with a report that will help you understand the course of events that led to the security violation. You will know whether any confidential information was compromised during the incident. Our incident response team will provide you with remediation in the form of recovery procedures that you should use to restore security and recover from the damage. We will perform forensics on the event so that the details of the events that led to the security incident can be uncovered. The incident response team will also supervise the implementation of any additional security controls that are necessary to fill gaps identified during the analysis of the incident. By utilizing Mitnick’s Incident Response Team, you will be a learning organization that HARDENS its security with each such incident to prevent similar incidents in the future.
Mitnick Security’s Approach to Incident Response
An Expert Team at Your Disposal
Our incident response team comprises a cross-functional group of individuals who are experts in security incidents, and the individuals on your specific team are tailored to your organization’s technology and industry. There is little doubt that your organization will face a security incident at some point in time. In fact, you may be compromised right now and not even know it. When a security incident occurs, our incident response team follows methodologies for responding to the incident, which include Detecting and Identifying Security Incidents, Responding to the Incident, Reporting Facts and Conclusions, and Recovery and Remediation.
Detecting and Identifying Security Incidents
The incident response team has two main objectives during this phase: to identify any security violations that are as yet undiscovered (in fact, “sweeping” is important, incident or no incident), and to notify the appropriate personnel within your organization. Security incidents consist of chains of several events. Our incident response team will locate all events related to the incident to provide you with a complete picture. We closely inspect logs for suspicious or abnormal activities that may constitute evidence of an incident. Experienced intruders are well versed in the art of ‘invisibility’ and will cover their tracks. Our Global Ghost Team™ contains leading experts who are familiar with the antiforensics “cloaking” activities of these intruders, if they have attempted to “hide their tracks.” The team will uncover any suspicious activity that does not normally occur in your systems and network(s). Our team inspects multiple sources of data during this phase, including Intrusion Detection Systems, antivirus logs, firewall logs, physical security systems, and so on.
Responding to the Incident
After all security incidents are identified, the Global Ghost Team™ determines an appropriate response. The team will also refer to your organization’s security policy before determining the best steps to be taken. This is done to ensure the steps we take, while responding to the incident, are compliant with your organization’s security policy. The team always proceeds with the assumption that the evidence collected during the process will end up in a court of law. Therefore, the team maintains the Chain of Evidence. Our team ensures that evidence is not tainted and will pass all tests of admissibility.
Our team will ensure the problem is contained as quickly as possible and causes the least possible damage. For example, if the team discovers evidence of a worm infestation, the infected systems will be isolated from the network. If our team discovers that backdoors were installed on your systems during the compromise, we will isolate these machines from your network. After isolation, we would obtain a “bit-by-bit image” of the affected system for detailed analysis in our laboratory to detect root causes and perform “back-tracking.” The actual machine is isolated from your network to promptly contain the problem before we implement more permanent solutions. Our team will ensure the compromised resource does not affect other resources on your network.
Reporting Facts and Conclusions
Once the Global Ghost Team™ has finished detection of all security incidents and has responded appropriately to contain the incident, it analyzes evidence to determine the course of events that led to the security violation in your organization. The team specifically looks for the root cause of the problem. Once we locate this cause, we develop the most suitable solutions to mitigate security risks and avert further incidents in the future. We determine the level of damage already done and the assets that were affected. We take immediate steps to “contain” the problem and prevent further damage. The Global Ghost Team™ presents a summary of these findings and actions to your management in the form of a written report. In the report, our team is careful in making the distinction between facts and opinions. The Global Ghost Team™ will provide you conclusions that are based on both facts and expert opinion.
Recovery and Remediation
The Global Ghost Team™ will restore your systems and network(s) to their normal operational status and help you prevent future incidents.
Restoration: The Global Ghost Team™ will remediate any damages to your organization by restoring compromised systems. The team takes special care in remediating any vulnerability that led to the security incident. The team will help you make informed decisions on whether to restore from existing backups or replace. If your backups are of questionable integrity, our team will perform replacements.
Remediation: The Global Ghost Team™ will also tell you how to supplement existing security procedures to improve security and avoid further incidents.
Always Have an Incident Response Team at the Ready!
What “learning” organizations have found extremely useful after going through an incident, is to then put in place better controls and decrease response times for future incidents, by having an “Incident Response Team” at the ready. Mitnick Security can assist you in assembling your own team with strategies, technologies, and tasks. As a part of this assemblage, you are even able to place parts of our Global Ghost Team™ in an ongoing retainer situation with ultrafast response times and skillsets to be at the ready when you need them the most. Having this proper foresight of the inevitable attacks and intrusions provides optimal results and minimal losses.
Compare this to something that you know all too well: not “getting burned.” Having a fully prepared team ready for your situational emergencies is just like having the fire department come to inspect your building or run drills. Like the fire department, you do not want the first responders to a cyberthreat emergency entering your building for the first time, not knowing what they will face in terms of your infrastructure, people, and policies. Just as every building has a fire plan, a map, and fire department controls in place, the same principles apply to security incidents. It is vital to identify in advance the disorganized or possibly unexpected elements that could easily be reviewed and strategically planned for, so that no response time is wasted in an emergency. Let us show you how easy it is to be prepared for emergencies.
Computer forensics is the collection and analysis of digital information used as evidence in the court of law. This evidence is used in administrative, civil, and criminal cases. During forensics investigations, Mitnick’s Global Ghost Team™ employs proven scientific methods to collect and analyze inculpatory and exculpatory evidence. The goal of computer forensics is to inspect digital media for the purpose of identification, preservation, and analysis of facts relevant to the case.
An extensive variety of computer crimes take place today. The cases are complex, and they require exceptionally skilled support specialists for legal professionals. Computer forensics has become a vital tool worldwide: misappropriated financial transactions result in heavy losses, and confidential information is sold or maliciously leaked, whether to your competitors or to the general public.
The Benefit of Using the Best
Mitnick Security will help you build a solid case and provide you digital evidence regarding theft, policy violations, and the misuse of computing and other assets. Our team will gather and analyze digital evidence in a manner that agrees with the leading international standards. Mitnick Security only provides the top senior forensics experts who will solve digital crimes occurring within your organization. They are extremely thorough and make it a priority to cause as little interruption to your business and stress on your staff as possible during investigations. We have extensive forensic experience for crimes that include hacking activities, e-mail harassment, embezzlement, sabotage, industrial espionage, falsification of data, and more. The team will investigate signs of e-mail abuse and Internet abuse in your organization. The Global Ghost Team™ will help you locate obscure inculpatory and exculpatory evidence that is relevant to the case. The team will gather evidence from the suspect’s computer and determine whether the accused committed the crime.
We also work on behalf of the accused. They task us to gather evidence so they can prove they are being falsely accused. Mitnick Security has saved careers, reputations, and incarceration time for our clients through diligent forensic work.
In addition, Mitnick’s Global Ghost Team™ has an extensive international network of computer and investigation experts to draw upon for almost any conceivable computing court case. These professionals provide expert advice in cases requiring knowledge of a specific application or system.
The Global Ghost Team™ approaches each case methodically and evaluates the evidence thoroughly. Objectivity, professionalism, and confidentiality are paramount during and after investigations. Our team discusses the case only with people who need to know about it. Mitnick’s forensics methodology involves the Data Imaging Phase, Extraction Phase, Identification Phase, Analysis Phase, and Reporting Phase.
Data Imaging Phase
The Global Ghost Team™ obtains an image of potential evidence data from appropriate devices in your organization. Our team makes at least two copies of the forensic image and never works on the original forensic data. This is done to maintain the integrity of the discovered evidence. While imaging, hardware “write-blockers” are used to ensure the evidence is not corrupted in any manner. Our team also generates a hash of the evidence images we collect. This is used to inspect the integrity of the images during later analysis.
Extraction Phase
The Global Ghost Team™ sets up and validates forensic hardware and software. The team then creates the system configuration as needed. Before commencing, the integrity of the forensic data is checked by using the previously generated hash. Next, we start with the extraction of data. All extracted data is added to our “Extracted Data” list.
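The imaging and verification steps described above (hash the acquired image, keep at least two working copies, never touch the original, and re-check the hash before extraction begins), as an added Python example that is not Mitnick Security’s tooling. The sample image, file paths and examiner names are constructed, and the custody list is a simplified stand-in for the chain-of-custody document described later on this page.

```python
"""Forensic image integrity: hash at acquisition, verify before every use.

Added example, not the page's or Mitnick Security's own code. It assumes the
image is an ordinary file on disk; the "image" written by demo() is random
bytes constructed for the example, not real evidence.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read 1 MiB at a time so multi-GB images never sit in memory


def hash_image(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def _custody_entry(actor, action, path, digest, purpose):
    """One line of the (simplified, hypothetical) chain-of-custody log."""
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "path": path,
        "sha256": digest,
        "purpose": purpose,
    }


def acquire(source, copies, actor):
    """Hash the acquired image, write the working copies, confirm each copy
    hashes identically, and start the custody log. Analysis only ever runs on
    the copies, so the original is read once here and not touched again."""
    if len(copies) < 2:
        raise ValueError("keep at least two working copies of the image")
    digest = hash_image(source)
    manifest = {
        "source": source,
        "size": os.path.getsize(source),
        "sha256": digest,
        "copies": [],
        "custody": [_custody_entry(actor, "acquired", source, digest, "imaging")],
    }
    for dest in copies:
        with open(source, "rb") as src, open(dest, "wb") as dst:
            for block in iter(lambda: src.read(CHUNK), b""):
                dst.write(block)
        copy_digest = hash_image(dest)
        if copy_digest != digest:
            raise RuntimeError(f"copy {dest} does not match the acquired image")
        manifest["copies"].append(dest)
        manifest["custody"].append(
            _custody_entry(actor, "copied", dest, copy_digest, "working copy"))
    return manifest


def verify(manifest, path, actor, purpose):
    """Re-hash a copy before it is used and record the outcome in the custody
    log. Returns True only when the copy still matches the acquisition hash."""
    digest = hash_image(path)
    ok = digest == manifest["sha256"]
    manifest["custody"].append(
        _custody_entry(actor, "verified" if ok else "MISMATCH", path, digest, purpose))
    return ok


def demo():
    """Run the workflow on a constructed image, then show that a single flipped
    byte in one copy is caught at verification time. Returns the results."""
    with tempfile.TemporaryDirectory() as work:
        original = os.path.join(work, "disk.dd")
        with open(original, "wb") as fh:
            fh.write(os.urandom(3 * CHUNK + 17))  # constructed sample "image"
        known = os.path.join(work, "abc.bin")
        with open(known, "wb") as fh:
            fh.write(b"abc")  # small file with a well-known SHA-256 digest
        copy_a = os.path.join(work, "disk-copy-a.dd")
        copy_b = os.path.join(work, "disk-copy-b.dd")
        manifest = acquire(original, [copy_a, copy_b], actor="examiner-1")
        results = {"abc_sha256": hash_image(known)}
        results["copy_a_ok"] = verify(manifest, copy_a, "examiner-1", "extraction")
        # Simulate media corruption or tampering of the second copy: flip one byte.
        with open(copy_b, "r+b") as fh:
            fh.seek(CHUNK + 5)
            byte = fh.read(1)
            fh.seek(CHUNK + 5)
            fh.write(bytes([byte[0] ^ 0xFF]))
        results["copy_b_ok"] = verify(manifest, copy_b, "examiner-2", "extraction")
        results["custody_actions"] = [e["action"] for e in manifest["custody"]]
        results["manifest_json"] = json.dumps(manifest, indent=2)
    return results


if __name__ == "__main__":
    out = demo()
    print(out["manifest_json"])
    print("copy A intact:", out["copy_a_ok"], "| copy B intact:", out["copy_b_ok"])
```

Store the manifest with the evidence and repeat `verify()` at the start of every later phase; a `MISMATCH` entry means that copy must not be used for analysis.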
Identification Phase
In this phase, the Global Ghost Team™ processes all data from the Extracted Data list. The goal of our team here is to identify information that is relevant to the case. We filter out all data that is not relevant to the forensics request. Our team classifies the data as relevant, irrelevant, and outside scope. The data classified as “outside scope” consists of incriminating information that lies beyond the scope of the warrant or request. In this scenario, the team will notify you of this data immediately and await further instructions. All the relevant data is placed on the “Relevant Data” list. The Global Ghost Team™ then hunts for new potential data search leads; and, if found, they are listed under the “Data Search Lead” list. Our team also looks for possible new sources of data; if found, these are listed under the “New Sources of Data Lead” list. At this point, any initial findings made by our team are reported to you.
Analysis Phase
The Global Ghost Team™ will analyze the data to find evidence to support or refute the case. Our team will search for the following information.
Who: The team will gather knowledge about the user or application that created, edited, modified, sent, or received the file. We will also determine who the data is linked to and identified with.
When: The team will determine when a data item was created, edited, modified, sent, received, viewed, deleted, and so on.
Where: The Global Ghost Team™ will determine where the data was found and the place from which it originated. Our team will also analyze the data to comprehend where relevant events took place.
How: The team will determine how data came to be on the media as well as how it was created, modified, transmitted, and so on.
Associated Artifacts: The Global Ghost Team™ will inspect registry entries and system or application logs for relevant information. The team will analyze metadata (i.e., the data that describes data) to look for relevant information. The objective is to determine whether there are links to another event and generate more corroborating information.
Throughout the analysis phase, our team adds to the New Sources of Data Lead list and the Data Search Lead list wherever applicable.
Reporting Phase
All of the findings of the case are turned over to you in the form of a report. The report includes screenshots and bookmarked evidence. The report contains hyperlinks to pictures, documents, or artifacts for your easy navigation. We also highlight and export relevant data items into .csv or .txt files for your ease of use, for importing into other systems. The report will contain an “Overview” or “Case Summary.” You will receive relevant information about how the image was obtained, how the analysis began, and a summary of what we found. You will receive details of how our team handled the evidence and the steps we took to preserve the integrity of the evidence at each step.
Chain of Custody—We Know It Is of Critical Importance
The team will also provide you with a chain of custody document detailing who handled the evidence, when, and for what purpose. Chain of custody is the route the evidence takes from the time our team discovers it until the case is closed. The report also contains the expert opinions and comments of Mitnick Security’s Global Ghost Team™. These will help you better comprehend the case.
Mitnick's Expert Witness Services and Legal Support
Mitnick Security provides top information security specialists to serve as expert witnesses for legal discovery, cases, and disputes. We deliver our legal support to prosecutors, defense attorneys, private counsel, investigators, and proactive individuals. Our expert witnesses are fully qualified and have extensive legal experience providing opinions about cases in courts of law. Without any direct involvement in your case, our experts possess the detailed technical knowledge required to draw intelligent conclusions about facts relevant to any case. From evidence gathering, forensics, analysis, and research to demonstrating reenactments or plausible scenarios, our experts will provide the support you require to come to reasoned opinions and conclusions in your efforts. Our professionals are careful to ensure proper handling of evidence and chain-of-custody procedures, so you can be assured that everything is admissible in court.
Providing Experts with Extensive Discovery and Trial Experience
We only provide expert witnesses who are capable of giving solid depositions and who are competent to provide testimony in court, either on the facts they have investigated or on a security niche area in which the witness is a subject-matter expert. In a court of law, evidence must be supported by testimony. Expert witness rules are subject to change based on jurisdiction. Article VII of the Federal Rules of Evidence dictates the rules pertaining to expert witness testimony in federal courts. There are three important aspects of testifying as an expert witness in court: the expert is sworn in as an expert witness in the court of law, the court duly recognizes the expert witness, and the expert witness gives testimony in the court.
Our expert witnesses are professionals who remain neutral toward each case and the parties involved. These professionals have held critical positions over their professional careers; the experts are the elite figures of the security industry. It goes without saying that our expert witnesses have considerable experience pertaining to their fields.
Mitnick’s Expert Witness Services has been called upon on numerous occasions to give expert testimony in court. Our analysis has consistently proven to be scientifically sound and reliably holds up in a court of law. While drawing conclusions about your case, our experts follow the well-tested industry standard procedures of evidence evaluation and analysis. The expert witnesses we provide perform extremely well under cross-examination from the opposing counsel, as they all have extensive trial experience.
It is important to note that once an expert witness has been called to the stand in a court of law, the court has the authority to accept or reject him or her as an expert witness. The opposing counsel will have a chance to question the admissibility of an expert witness. Once the court has heard arguments from both sides, the judge will make the final decision on the admissibility of the expert witness. This is done in what is called a pretrial Daubert hearing. Mitnick Security only provides expert witnesses who are highly skilled, respected professionals. They are masters in their fields of knowledge, and they consistently succeed during these hearings.
Analysis of Evidence
Mitnick Security’s team of experts employs proven scientific methods to analyze inculpatory and exculpatory evidence. Inculpatory evidence is incriminating and proves a crime. Exculpatory evidence clears or absolves the suspect of a crime. The goal is to inspect the evidence for the purpose of identification, preservation, and analysis of facts relevant to the case.
Our team of experts will analyze the evidence to determine whether it supports or refutes the case. For example, our team may be asked to determine the following information in a typical scenario:
Who: The team will gather knowledge about the user or application that created, edited, modified, sent, or received the file. We will also determine to whom the data is linked and identified.
When: The team will determine when a data item was created, edited, modified, sent, received, viewed, deleted, and so on.
Where: Our team will determine where the data was found and where it originated. Our team will also analyze the data to comprehend where the relevant events took place.
How: The team will determine how data came to be on the media and how it was created, modified, transmitted, and so on.
Associated Artifacts: The team will inspect Registry entries and system or application logs for relevant information. The team will analyze metadata to look for relevant information. The objective is to determine whether there are links to another event to generate more corroborating information.
Our team of experts will uncover the deepest facts relevant to your case. Each expert will approach each case methodically and will evaluate the evidence thoroughly. The team remains objective at all times while evaluating evidence.
Mitnick Provides Experts and Witnesses for All Your Legal Needs
Overview of Areas
We only provide leading experts who are well qualified to stand as expert witnesses, professionals, or consultants. Our prolific team of experts has consulted on a variety of cases that relate to many niche areas of information technology and security. Whether you are a victim of financial crime, property loss, or identity theft, our experts possess the rare combination of skills and talent required to assist you as you wade through the often cumbersome legal process. We employ individuals familiar with the intricacies of intellectual property rights and will provide you with expert legal guidance during intellectual property disputes. If you are a victim of illegal surveillance, we will help you determine the legal course of action that will best protect your right to privacy. We also provide legal expertise in cases that stem from criminal or civil negligence (a statutory offense). Due to the extensive knowledge and experience of our experts and their unique methodologies of case analysis, we are even able to revive cases that have gone cold.
Mitnick Security provides extensive legal support in a wide array of niche areas that require expert attention and an eye for detail.
Financial Crime and Property Loss
Financial crimes are “white-collar” crimes; they have substantially increased with the popularity of the Internet. Such crimes have a severe impact on financial corporations as well as individuals, companies, and organizations. Such crimes involve financial fraud, medical fraud, bank fraud, embezzlement, forgery, counterfeiting, tax evasion, corruption, extradition, and money laundering, among others. Our team of experts is experienced in dealing with the wide spectrum of financial crimes and will help you resolve such financial disputes.
Identity Theft and Fraud
Identity theft and fraud cases are on the rise as sophisticated technology becomes more accessible. It is a big issue, and it can strike you anytime and anywhere. Identity theft occurs when someone steals your personal details to use them to commit fraud. The thief will use your information to obtain credit cards and bank statements, open accounts in your name, order products and services in your name, hijack your existing accounts, and obtain official documents in your name (passport or driver’s license). When you are struck by identity theft and fraud, our team of experts will help you take expedited action, as a quick response will stop an identity thief. We will then take you through procedures to repair the damage done during the identity fraud or theft. We will assist you with responsive measures, including filing reports on said identity theft or fraud, getting in touch with credit institutions that are relevant to accounts opened by the identity thief, and informing credit bureaus.
Intellectual Property Disputes
Intellectual property plays a crucial role in the progress of all organizations. In fact, the most valued assets of many multinational corporations are the unique brands that people know so well. We understand that many of your successful products depend on secret formulas or proprietary techniques. These intangible assets are vital for your business; they are your intellectual property, and you have the right to legal defense against intellectual property theft. Mitnick Security will provide you with experts who have comprehensive understandings of laws relating to intellectual property disputes, such as the Digital Millennium Copyright Act (DMCA), trademarks, patents, trade secrets, licensing (contractual license agreements, shrink-wrap license agreements, and click-wrap license agreements), the Uniform Computer Information Transactions Act, and the Economic Espionage Act of 1996, among others. Our team of experts can help you manage and understand the legal intricacies of protecting your intellectual property and the legal procedures to follow in cases of intellectual property disputes.
Illegal Surveillance
You have a right to privacy against prying eyes that unlawfully monitor your activities without your consent. There is no constitutional guarantee of privacy in the United States of America. However, various federal laws have been enacted to protect private information concerning individuals. These include the Fourth Amendment, the Privacy Act of 1974, the Electronic Communications Privacy Act of 1986, the Communications Assistance for Law Enforcement Act (CALEA) of 1994, the Economic and Protection of Proprietary Information Act of 1996, the Health Insurance Portability and Accountability Act of 1996, and the Children’s Online Privacy Protection Act of 1998, among others. Our team of experts has a thorough understanding of these laws and will provide expert guidance during cases of illegal spying activities. For example, a spouse who monitors his or her spouse’s phone or computer is in fact violating a law. Nonconsensual use of your private images or images that depict you, such as sharing them over voyeurism websites, is also a violation. Industrial spying for the purpose of stealing confidential trade secrets or the use of unfair means to gather intelligence about competitors are also cases of illegal spying. Furthermore, 18 U.S. Code §2510-2521 prohibits intentional attempts to monitor the wire, electronic, or oral communications of an individual. If you have suffered an invasion of privacy, our team of legal experts will help you seek punitive and compensatory damages for such a breach.
Criminal and Civil Negligence
Negligence means that a party has failed to exercise the due care that may be expected of a reasonable person under a given set of circumstances. Negligence gives rise to a civil or criminal case against a party when it has caused harm to another party. A gross deviation from reasonable conduct with disregard for human life leads to a case of criminal negligence, while failure to perform one’s duty can lead to a case of civil negligence. In cases of civil or criminal negligence, our team of legal experts will guide you through the legal procedures and prescribe the best course of action.
You have the right to appeal a judgment made in a trial court or by any administrative agency if you are the victim of any form of miscarriage of justice. Legal mistakes are not uncommon in a court of law, and you should not suffer for them. If the mistakes are significant, Mitnick Security encourages you to appeal to have the initial decision of the court remanded. Our experts have an eye for detail and will uncover any trace of deviation from justice. We will guide you through the procedure of building a solid appeal to reverse any injustice that has been done to you.
Cold Case Investigations
We investigate cases that have gone cold. These are cases in which all known leads have been investigated but the case has not been fully solved. If there is any possibility of retrieving new evidence by reexamining the archives, you can rest assured that our experts will locate it. Our experts are world-class professionals who stay on top of the latest investigative technologies and are naturally inquisitive problem solvers. Thanks to our team’s expertise and sustained commitment, we are able to locate deeply buried evidence and facts about cold cases.
Zero-day exploits target zero-day vulnerabilities. A zero-day vulnerability is one for which the vendor has released no official patch. The name refers to the number of days that have elapsed between the vulnerability becoming known and a fix becoming available: none (zero days), which means administrators have had zero days to remediate the flaw. A vulnerability ceases to be a zero day once a fix is available.
