Penetration Testing Services
The JDBiggs & Associates Inc. FedRAMP Penetration Testing Methodology is our structured approach to testing Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) accreditation boundaries. The evaluation is a controlled "ethical hacking" assessment of applications, virtual machine environments and the assets within them. Penetration tests range from a security overview of a network to the use of attacker techniques with the intent of obtaining critical information from the organization.
The JDBiggs & Associates penetration test will reveal to your organization:
- What information can be seen from the internet
- Which information is potentially at risk of a malicious attack
- What security measures should be implemented to protect your organization’s assets
A penetration test subjects an organization to attacks selected and conducted by the JDBiggs & Associates security staff. The benefit of a penetration test is that critical vulnerabilities are identified and fixed before an actual attack on the organization.
JDBiggs & Associates employees are degreed professionals with 25+ years of experience in the corporate and federal space. Our penetration testing methodology is compliant with FISMA, HIPAA, FedRAMP, and DIARMF requirements. Our tests are finely tuned, using state-of-the-art tools and techniques, for a cost-effective penetration test.
The PCI Standard requires security best practices that include implementing and maintaining a defensive infrastructure and an incident response program. Running controlled penetration tests to validate security measures is one of the easiest ways to satisfy multiple PCI requirements.
Failure to comply with HIPAA requirements can be costly. Penalties can reach up to $25,000 per year per violation, and wrongful disclosure of information can carry fines of up to $250,000 and up to 10 years of imprisonment. A single transmission of data may trigger multiple violations, resulting in multiple fines. Conducting a thorough assessment to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information held by the organization is the best way to avoid penalties.
According to NIST SP 800-39, SP 800-53, and SP 800-137, agencies are advised to proactively test their network and IT defense mechanisms using assessment techniques that simulate the actions of a malicious hacker. NIST guidelines specifically call for penetration testing that goes beyond the use of scanners: it exploits vulnerabilities and demonstrates how security controls hold up against the same types of multi-staged attacks that are aimed at agency assets on a daily basis.
The Gramm-Leach-Bliley Act (GLBA) requires all financial institutions to establish and maintain security standards to protect customer data. Failure to comply with GLBA requirements may result in fines of up to $100,000 per year per violation, and penalties for officers and directors of up to $10,000 per violation. Criminal penalties can include up to five years in prison and the revocation of professional licenses.
The Sarbanes-Oxley Act of 2002 mandates accurate financial auditing and reporting and increased risk management. Penetration testing helps maintain SOX compliance by addressing key components of the COSO controls. Penalties for not complying with SOX can include fines of up to $5 million, imprisonment of up to 20 years, and delisting from stock exchanges.
Pen Test Methodology
Investigation / Detection
JDBiggs & Associates will perform methodical queries of the various databases, mailing lists, search engines, etc., to obtain as much information as possible about the organization. These searches often disclose more Internet connections than the organization may know about. If it is part of the scope, social engineering tactics are also leveraged in this phase.
Once domain names and networks have been identified through the Investigation / Detection phase, the penetration tester continues to gather as much information as possible about each domain and network. This phase is more intrusive: the penetration tester identifies hosts, services, usernames, known vulnerabilities, etc. The activity in this phase is bounded by the scope defined in the rules of engagement.
Vulnerability assessment is one of the most important phases of the penetration test. The penetration tester estimates the probable impact of each vulnerability on the organization and identifies the attack paths and scenarios through which it could be exploited.
The penetration tester attempts to gain privileged access to a target system by exploiting the known vulnerabilities. If within the scope of the rules of engagement, this phase also covers maintaining access by planting a back door or a rootkit and covering tracks, so that the organization's ability to detect a persistent intruder is tested as well.
- Nessus – Hardware components (servers, firewalls, routers)
- Rapid7 and AppDetective – Databases
- Acunetix – Web servers, firewalls, routers
- Rapid7 – Firewalls, routers
The documentation phase reports the penetration tester's findings. The stakeholder receives a detailed summary of the following:
- Executive summary of what vulnerabilities were found
- Methodologies and scope of the project
- Information gathering research
- Output of tests performed
- A list of all identified vulnerabilities and remediation recommendations