The D.A.E.R. Penetration Testing Methodology
“… cloud assets deserve a seat at the grown-up security table and a piece of your budget pie.”
According to Verizon’s 2021 DBIR, web applications are such a common target that they deserve as much attention as, if not more than, on-prem assets. The continued high number of publicized breaches of web resources such as databases and web applications makes a strong case for making the security of your web-facing assets a top priority.
Do you know how many web-facing assets you really have? Are you able to objectively validate the security of each of those assets? When was the last time you had someone test for vulnerabilities?
While many cyberattacks are motivated by financial gain, espionage, or even FIGs (fun, ideology, grudges), the steps for prevention are the same: know what you have, update or upgrade what you have, and test your publicly visible assets against real-world threats.
To secure against these threats, businesses need to have someone on their team who thinks like an attacker: what is the path of least resistance? What path would nobody expect an attacker to take? When is the potential victim not paying attention?
With our experience in securing information systems by thinking like the attacker, we help you in the following ways:
- Identify IT vulnerabilities that expose your critical business assets to cyber criminals.
- Identify your IT vulnerabilities and proactively shore up weaknesses before an attack.
- Expose holes in your security before an attacker does, helping you address them before they become critical liabilities.
It’s easy to think, “It can’t happen to us – we’re too small/unimportant/under the radar.” Sadly, readily available technology allows cyber criminals to scan systems anywhere in the world, from anywhere in the world, at any time. The bad guys have automated systems ready to scan the internet: they press “Go,” go to bed, then wake up to see what they found. They could have found you. And that’s why we’re here to help.
OUR TESTS
Web Application Testing
Web application penetration testing involves testing the security integrity of everything from APIs to websites. Web application testing answers the following questions:
- What services are exposed to the internet?
- What ports are open that should be closed?
- What can researchers find out about your website simply by searching on Shodan?
- Does what is revealed by open-source intelligence investigation reflect what you want others to know?
- Is your web app vulnerable to any kind of SQLi, XSS, or other vulnerabilities noted in the OWASP Top Ten?
External Network Testing
Network Penetration Testing will uncover exactly how systems respond to an actual cybersecurity threat. These tests answer the following questions:
- What services do your servers expose to the internet?
- What firewall ports are open that should be closed?
- What can researchers find out about your external network simply by searching on Shodan?
- Using freely available research tools and techniques, what can anyone in the world see about your public-facing resources?
Vulnerability Security Assessment
Vulnerability scanning can help by pinpointing security vulnerabilities. Good scans categorize security risks, assign risk levels, and offer remediation suggestions.
OUR METHOD
Regardless of the security assessment performed (network, penetration, vulnerability, secure code review), our method remains the same.
With our thought leadership and extensive experience in information assurance and cybersecurity, Cybersecurity Crusaders has formulated its own Security Assessment methodology to identify, assess, and report on the risks faced by an organization’s critical information assets. We assess the effectiveness of your organization’s security controls by subjecting IT systems to real-world attacks. By using Cybersecurity Crusaders’ D.A.E.R. methodology, your organization receives verified information tailored to its needs.
D.A.E.R.
Our Approach to Security Assessments
Each company has different security needs, so each penetration test has to be crafted to produce results that are relevant to that organization. Perhaps you have just one web application page with one database behind it that needs to be tested. Or perhaps you have both web and mobile apps. Whatever the case, our testing framework allows us to customize each and every test to a company’s needs, while maintaining the methodical approach necessary for a professional and technical security test.
Here is our methodology:
DISCOVER
The security assessment cycle begins with the DISCOVER phase. During this phase, target systems, network ranges, ports and services, and vulnerabilities in running services and configurations are identified through a series of reconnaissance exercises. The objective of this stage is to identify your organization’s critical assets and how they are exposed.
ANALYZE
During the ANALYZE stage, findings from the previous stage are analyzed from a business perspective to translate the vulnerabilities into business risks.
EXPLOIT
The essence of a security assessment lies in its approach: testing systems against real-world threats. Consequently, during the EXPLOIT phase, the techniques used by hackers and crackers are simulated in a controlled environment to prove and verify the identified vulnerabilities and to assess the extent of their impact.
REPORT
The success of a security assessment exercise depends on the actions and steps taken by the organization to mitigate the risks. To ensure the success of the entire exercise, comprehensive reports are presented and submitted to management during the final REPORT stage. Additionally, a compliance report and a risk assessment report, along with a strategic risk treatment plan, will also be developed specifically for your organization!
Cybersecurity Crusaders can assess a customer’s IT infrastructure by performing security assessments across all channels, whether human, physical, wireless, or data networks.
The final report includes all attempts (both successful and unsuccessful) by the testing team to exploit the provided scope items.
What’s included in each test?
Whatever test you select, you can expect the following:
- On-budget
- A talented security professional who will be part of your team for the duration of the contract
- Testing by certified ethical hackers
- Continuous communication so that you always know the status of the test
- Confidentiality throughout the entire process
- Discovery of at-risk technologies
- Identification of vulnerabilities
- Adaptive testing, where you determine what vulnerabilities are true risks to your org
- A comprehensive assessment report for management and C-suite presentations
- Actionable mitigation plan to guide your IT and Security teams
Benefits of Third-Party Penetration Testing
Every business needs to demonstrate ROI for their security testing. Here are some benefits:
- Increased Reputation – Customers receive confirmation that their confidence in both your security posture and your commitment to continually improving security is well placed.
- Compliance – Through our Readiness Assessment, you receive attestation that the technical security requirements of your industry, state, and federal regulators are met.
- Risk Remediation – The C-Suite and your Board receive objective reports regarding relevant risks and how they need to be remediated to reduce any current security vulnerabilities.
- Verification of Current Security Controls – Your IT and Security Management will be able to validate and/or adjust security controls after testing is completed.