SRM's Test & Exercise (T&E) team
What distinguishes the SRM team is that our consultants have wide experience in other areas of information security consultancy, so a test and exercise programme is not conducted in isolation but within the wider context of a client's business activity.
What is more, every project is fully bespoke, starting with a T&E scoping schedule which ensures precisely targeted, cost-effective delivery that meets the wider legal and regulatory requirements of any given sector.
SRM’s T&E team includes consultants who hold the Offensive Security Certified Professional (OSCP) qualification. The OSCP training includes extensive practical work and getting into the mindset of a potential hacker. We consider this to be the very best qualification for advanced penetration testing because it enables our team to be proactive and innovative rather than simply reactive.
Through our detailed scoping process we ensure that it is not just the elements that have been tested before that are scrutinised. As attack techniques and testing methods constantly evolve, the scoping exercise determines the widest range of risks and vulnerabilities which could be exposed by an innovative attacker.
We are extremely proud of our high level of client retention. We have an unrivalled reputation for delivering excellent client service and many of our clients have worked with us for over five years.
SRM's consultants are not simply technically skilled. They also understood how our business operated and worked with us to scope the exercise to meet our exact requirements. They added genuine value uncovering previously missed gaps in our defences and provided a fast cost-effective solution.
We have used other test and exercise service providers in the past who imposed a test and exercise regime upon us, rather than scope one which was precisely targeted to our very specific regulatory requirements. We were never sure if we actually needed all the tests they ran and the final report was virtually impossible to understand. In contrast, SRM listened and then explained clearly what we required. The advice we received was meticulously detailed but presented in a jargon-free practical way.
We felt hugely empowered to have an OSCP qualified consultant working with us. Knowing the depth and extent of the training, it was like having the best and most ingenious hacker working on our behalf. They found a number of potential gaps which previous consultants had missed yet the whole process actually cost us less.
Within this section of the website, we detail the types of test and exercise we undertake on behalf of clients. While each can be seen as a service, we do not simply sell them as packages. What we provide is a fully scoped client service: we work with clients to produce a completely bespoke test and exercise schedule delivering exactly what is required, with no unnecessary add-ons. This ensures that working with us is a rigorous but cost-effective solution.
A vulnerability assessment is an analytical process that defines, identifies and classifies security holes (vulnerabilities) in individual computers, networks or communication infrastructures.
Effectively, a vulnerability assessment is a base level evaluation of an organisation’s information security posture. It provides coverage across a wide range of systems and a surface level assessment which identifies weaknesses and issues.
SRM utilises a leading web application and infrastructure scanning tool which automates the discovery of security flaws within network perimeters to quickly identify any required remediating actions. A full no-jargon report provides details of the assessment together with practical remediation steps.
A penetration test goes a step further than a vulnerability assessment. It simulates the actions of both external and internal attackers whose intention it is to breach the information security of an organisation.
Many tools and techniques are employed in a penetration test. At SRM our team of highly qualified penetration testers hold, at company and individual level, qualifications including QSA, PA-QSA, GCIH, GCFE and the industry gold, OSCP. Our consultants are also CREST-approved ethical security testers, using their skills and experience to exploit critical systems and gain access to sensitive data.
Our deliverable is a comprehensive but easy-to-understand breakdown of results, presented by a consultant in a clearly written report. It identifies the threats in a jargon-free manner and explains mitigation steps for the key risks.
Advanced penetration testing
Not only does your system need to be secure; it needs to be seen to be secure. We work with you to understand your business requirements to develop a test plan which satisfies all stakeholders that your web and supporting infrastructure are secure.
Our service considers external and internal threats using proven tools to simulate attacks on your infrastructure.
- Websites and associated applications
- Third party applications
- Firewall, IPS & IDS Evasion
- Company and client wireless solutions
- Internet of Things (IoT), both devices and management infrastructure
- End user device testing including printers and other peripheral devices
- Mobile applications (iOS, Android and Windows), including the OWASP Top 10 Mobile Risks
- Social engineering (to fully test your IS awareness policies)
- Telephony / VoIP systems (on-premise and hosted solutions)
We hold a range of accreditations both at a company and individual level including QSA, PA-QSA, CISSP, Cyber Essentials (IASME), Tiger and the industry gold OSCP.
Our deliverable to you will be a comprehensive but easy-to-understand breakdown of all your results, presented by a consultant in a clearly written report. It will identify the threats in a jargon-free manner so that we can work together to mitigate the key risks to your business.
Web Application Testing
Testing a website is vital to ensure that malicious attacks cannot exploit poor configuration, out-of-date patching, cross-site scripting or injection vulnerabilities in the underlying web application.
SRM will undertake a website vulnerability assessment to include:
- Testing of web services for known vulnerabilities and configuration issues
- Identification of the website structure and active code (i.e. web pages providing functionality)
- Testing of functionality and web interactions to ensure that web vulnerabilities (such as the OWASP Top Ten issues) are not present
- Uniquely, SRM will search the site for known malicious web shells, using indicators we have gathered from the numerous PCI PFI investigations we have undertaken
- We will test for the latest security vulnerabilities to meet the testing requirements of PCI DSS.
- Where applicable, SOAP/REST and similar API testing is also undertaken.
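As an added illustration of the web shell search in the list above (example code written for this page, not SRM's own tooling or signature set), the following Python script walks a web root and flags PHP files containing constructs typical of web shells: eval() of decoded payloads, command execution fed straight from request parameters, variable function names taken from request input, and the deprecated preg_replace /e modifier. The five indicator patterns and the four sample files are constructed for the example; a real engagement would use a far larger signature set built from investigation findings.

```python
import re
import tempfile
from pathlib import Path

# Illustrative indicator patterns for PHP web shells (constructed for this
# example; a real signature set is much larger and tuned per engagement).
WEBSHELL_PATTERNS = {
    # eval() of an obfuscated payload: eval(base64_decode(...)), eval(gzinflate(...))
    "eval_of_decoded_payload": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # eval() or assert() fed directly from a request parameter
    "eval_of_request_input": re.compile(
        r"\b(?:eval|assert)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    # OS command execution fed directly from a request parameter
    "command_exec_of_request_input": re.compile(
        r"\b(?:system|shell_exec|passthru|exec|popen|proc_open)\s*\(\s*"
        r"\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    # $f = $_POST['x']; $f(...)  -- function name chosen by the request
    "dynamic_function_from_request": re.compile(
        r"\$(\w+)\s*=\s*\$_(?:GET|POST|REQUEST|COOKIE)\[[^\]]+\]\s*;\s*\$\1\s*\(", re.I),
    # preg_replace with the /e modifier (evaluates the replacement as PHP)
    "preg_replace_e_modifier": re.compile(
        r"\bpreg_replace\s*\(\s*['\"][^'\"]*/e['\"]", re.I),
}

PHP_EXTENSIONS = (".php", ".php5", ".phtml", ".inc")


def scan_source(text: str) -> list[str]:
    """Return the names of every indicator pattern that matches the source text."""
    return [name for name, pattern in WEBSHELL_PATTERNS.items() if pattern.search(text)]


def scan_webroot(root: Path) -> dict[str, list[str]]:
    """Walk a web root and map each suspicious PHP file to its matched indicators."""
    hits: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PHP_EXTENSIONS:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip it rather than abort the whole scan
        matched = scan_source(text)
        if matched:
            hits[path.relative_to(root).as_posix()] = matched
    return hits


# Constructed sample web root: two benign files and two shells dropped under uploads/.
SAMPLE_FILES = {
    "index.php": "<?php\n$q = $_GET['q'] ?? '';\necho htmlspecialchars($q);\n",
    "lib/util.php": r"<?php function squash($s) { return preg_replace('/\s+/', ' ', $s); }",
    "uploads/avatar.php": "<?php eval(base64_decode($_POST['c'])); ?>",
    "uploads/img.php": "<?php if (isset($_REQUEST['cmd'])) { system($_REQUEST['cmd']); } ?>",
}


def demo() -> dict[str, list[str]]:
    """Write the sample files into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content, encoding="utf-8")
        return scan_webroot(root)


if __name__ == "__main__":
    for rel, indicators in demo().items():
        print(f"{rel}: {', '.join(indicators)}")
```

Pattern matching of this kind finds the commodity shells and the lazy ones; a shell that reads its payload from a header or splits the function name across string concatenations will slip past it, which is why the results are triaged by a consultant rather than taken as a verdict.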
What is a Red Team Engagement?
In the world of information security, which is riddled with acronyms, the deceptively simple 'Red Team' may take a little explaining. Expanding the initial letters of an industry term usually gives a clear indication of the service provided, but 'Red Team' is not an acronym. The term has its origins in the US intelligence community, where its meaning is a little less obvious: a Red Team explores alternative futures and plays the adversary, challenging an organisation to improve its effectiveness.
In our context, a Red Team provides real-world attack simulations designed to assess and significantly improve the effectiveness of an entire information security programme.
Where a normal penetration test focuses on identifying and exploiting issues within a specific system or clearly defined scope, a Red Team engagement is goal-oriented. This gives the tester a much larger attack surface to target in the effort to reach the pre-defined objective.
To put your network, applications, people and processes to the ultimate security test, you need to subject yourself to real-world scenarios that are designed to establish how well your defence and response processes measure up. This is achieved through a combination of simulated social engineering (physical and technical), network and application attacks from SRM.
The key difference between a penetration test and a Red Team engagement is the extent of the scope, which replicates the wider view a real attacker would take. Whilst a penetration test is often focused on a key application or system, a Red Team engagement is fully bespoke and goal-oriented. The goal will often be: 'we have this highly sensitive network/piece of data/solution; can you get access to it?'
Red Team engagement includes a wide variety of applications, systems, people and physical locations within the scope of testing. Naturally, the extent to which the Red Team will operate and engage will be defined by you, but it will take a wider view of potential attack vectors and mirror a persistent attacker. Consultants with OSCP qualifications have undertaken a rigorous training process to learn real-life hacking skills, helping them to think creatively and with the mindset of a genuine hacker.
A Red Team engagement will therefore have free rein in terms of attempting to gain access to the defined goal whilst ensuring a controlled approach.
The benefit of this approach is that it allows you to validate your protection, monitoring and response solutions and processes. It helps ensure that your organisation can respond to an emulated real-world attack in which varying avenues of approach are used, rather than a limited focus on a single system.
The ultimate goal is to use offensive techniques to identify areas for improvement and/or to validate the capability of your response. Even if the objective is not wholly realised, a number of recommendations and learning points will still result, so the engagement always contributes to improving your security capabilities.
Vulnerability scanning and identification
An independent inventory is taken of the devices currently attached to a network, to confirm that adequate security is in place for each of them. Automated software then scans the systems against known vulnerability signatures.
An automated scan sometimes does not cover the full scope of a risk. Manual testing is an additional element which extends the range of the test for a particular risk or organisation.
Incident Simulation
Skilled ethical hackers undertake a simulated attack using existing or potential vulnerabilities and play out its impact on the organisation through a variety of exercises, including social engineering, news and social media responses and escalation simulation. It is a useful practical test of remediation protocols and a valuable educational tool.
Business Continuity simulation
Similar to the Incident Simulation exercise, this tests the business continuity resilience of an existing remediation plan and helps to develop robust protocols for the future.
Network vulnerability exploitation establishes whether a remote host is actually vulnerable to a particular attack, by developing, testing and running known exploit code against it rather than relying on a signature match alone. These checks are a useful tool where specific threats are a relevant factor. Correct scoping is key to an effective vulnerability exploitation test.
The post-exploitation phase of any penetration test determines the value of the compromised machine, the sensitivity of the data it stores and the potential for using it to compromise the wider network. This analysis enables an organisation to evaluate the risk and to mitigate the risk of further damage.
Web application testing
Automated web application testing tools are used to test web applications and web-related interfaces: websites, web APIs, web servers and similar. They provide a quick method for finding many common vulnerabilities such as SQL injection and cross-site scripting (XSS). Web application performance tools (WAPT) are a separate class of tool used alongside them to test the performance of the same interfaces under load and stress; they do not find security flaws.
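To show what the SQL injection checks that such tools automate actually test for, here is an added Python example (not code from SRM or from any scanner): a login query built by string formatting beside its parameterised form, and a boolean-based probe of the kind an automated scanner runs against both. The in-memory SQLite table and the user records are constructed for the example, and passwords are stored in clear only because the example is about injection, not credential storage.

```python
import sqlite3
from typing import Callable


def build_db() -> sqlite3.Connection:
    """Constructed in-memory user table for the example (clear-text passwords
    are used only to keep the example short; real systems store hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret-pw"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable: attacker-controlled text is spliced straight into the statement,
    so a quote and a comment marker in the username rewrite the query."""
    query = (f"SELECT 1 FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: placeholders keep user input as data; it is never parsed as SQL."""
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


LoginFn = Callable[[str, str], bool]


def probe_boolean_sqli(login: LoginFn) -> bool:
    """Boolean-based probe of the kind an automated scanner runs.

    Two requests that differ only in a tautology ('1'='1') versus a
    contradiction ('1'='2') must behave identically unless the input is being
    interpreted as SQL. A differing result is evidence of injection.
    """
    tautology = login("nobody' OR '1'='1' --", "x")
    contradiction = login("nobody' OR '1'='2' --", "x")
    return tautology != contradiction


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable login bypassed:", login_vulnerable(conn, "alice' --", "wrong"))
    print("safe login bypassed:     ", login_safe(conn, "alice' --", "wrong"))
    print("probe flags vulnerable:  ", probe_boolean_sqli(lambda u, p: login_vulnerable(conn, u, p)))
    print("probe flags safe:        ", probe_boolean_sqli(lambda u, p: login_safe(conn, u, p)))
```

The probe deliberately uses a non-existent username so that a positive result can only come from the injected clause; a scanner that instead tried `' OR '1'='1` against a real account could be fooled by a valid login.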
Application Programming Interface (API) testing
In general terms, API is a set of clearly defined methods of communication between various software components. An API may be for a web-based system, operating system, database system, computer hardware or software library. As the glue that joins a range of web-based applications and platforms together it needs to be secure.
Phishing
Phishing is a social engineering attack that presents a particular risk to organisations because malware such as Trojan horses and viruses can be introduced into an entire network via a single device. Testing for phishing vulnerability includes automated attack simulations. Mitigation includes education, quality security awareness training and actionable reporting metrics.
Vishing
Vishing is another type of social engineering attack, similar to phishing but conducted over the telephone. Scammers contact individuals and trick them into giving access to computer accounts. Usually impersonating a trusted company, they leverage urgency to get victims to act quickly without thinking the situation through.
Smishing
Smishing is a variant of the same social engineering attack method, using SMS text messages to lure the user into downloading a Trojan horse or virus onto a personal device. The testing procedure will highlight where potential intrusions have taken place and the extent of the attack within a network. Mitigation includes the removal of any malware found.
Open Source Intelligence (OSINT) Report
OSINT is the term for data collected from publicly available sources for use in an intelligence context. 'Open' here carries its intelligence-community meaning: publicly available, rather than obtained through espionage. Although content found on Facebook and other social media, in telephone listings or in emails is open in that sense, some of what can be found should never be available to attackers. This includes passwords or login details which may not be readily visible but are embedded somewhere within published files.
A detailed report identifies vulnerabilities and provides a managed process for the reduction of these threats to an acceptable level.
A systematic test of smartphones, feature phones, wireless routers, hotspots, tablets, laptops, network-enabled devices and Internet of Things (IoT) devices. The testing process is automated; correct scoping is, as always, the key to successful identification and removal of risk.
Small intrusion devices can be used to bypass Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS). Usually requiring access to the premises, these can take the form of USB sticks or specialist equipment such as a Raspberry Pi (a tiny computer to which all sorts of sensors and equipment can be attached). These are then configured to provide an external attacker with remote access to network systems. As many attacks are carried out or assisted by insiders, testing for evidence of rogue devices is an important aspect of information security.
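The device inventory described under 'Vulnerability scanning and identification' above and the rogue-device check here can be combined into one automated pass. The following Python example is added for this page (not SRM's own tooling): it parses constructed 'arp -a'-style output, compares each MAC address against a hypothetical asset inventory, and flags unknown devices whose OUI (the first three octets of the MAC) is registered to Raspberry Pi, the kind of single-board computer the paragraph above describes. The inventory and the ARP lines are constructed; the three OUIs listed are a small illustrative subset of the vendor prefixes a real check would carry.

```python
import re

# Constructed "arp -a" output (Linux net-tools format) from a hypothetical office subnet.
SAMPLE_ARP = """\
gw.corp.example (10.0.1.1) at 00:11:22:33:44:01 [ether] on eth0
ws-finance-03.corp.example (10.0.1.24) at 3c:52:82:aa:bb:cc [ether] on eth0
printer-2f.corp.example (10.0.1.40) at 00:80:77:12:34:56 [ether] on eth0
? (10.0.1.77) at B8:27:EB:9A:1C:2D [ether] on eth0
? (10.0.1.91) at f0:de:f1:aa:bb:cc [ether] on eth0
"""

# Hypothetical asset inventory: MAC -> description. Anything not listed is unknown.
KNOWN_ASSETS = {
    "00:11:22:33:44:01": "core gateway",
    "3c:52:82:aa:bb:cc": "finance workstation 03",
    "00:80:77:12:34:56": "second-floor printer",
}

# OUIs registered to Raspberry Pi; an illustrative subset of the single-board-computer
# vendor prefixes a production check would load from the IEEE OUI registry.
SBC_OUIS = {"b8:27:eb", "dc:a6:32", "e4:5f:01"}

ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.I,
)


def parse_arp(text: str) -> list[tuple[str, str]]:
    """Extract (ip, mac) pairs from arp -a output; MACs are normalised to lower case."""
    pairs = []
    for line in text.splitlines():
        match = ARP_LINE.search(line)
        if match:
            pairs.append((match["ip"], match["mac"].lower()))
    return pairs


def classify_devices(arp_text: str, inventory: dict, sbc_ouis: set) -> list[dict]:
    """Mark each device as known (in inventory), rogue-candidate (unknown, SBC OUI)
    or unknown (not in inventory, no OUI hint)."""
    findings = []
    for ip, mac in parse_arp(arp_text):
        if mac in inventory:
            status, note = "known", inventory[mac]
        elif mac[:8] in sbc_ouis:
            status, note = "rogue-candidate", "unknown device with single-board-computer OUI"
        else:
            status, note = "unknown", "not in asset inventory"
        findings.append({"ip": ip, "mac": mac, "status": status, "note": note})
    return findings


def rogue_candidates(findings: list[dict]) -> list[tuple[str, str]]:
    """The (ip, mac) pairs that warrant a physical trace of the switch port."""
    return [(f["ip"], f["mac"]) for f in findings if f["status"] == "rogue-candidate"]


if __name__ == "__main__":
    for f in classify_devices(SAMPLE_ARP, KNOWN_ASSETS, SBC_OUIS):
        print(f"{f['ip']:<12} {f['mac']}  {f['status']:<16} {f['note']}")
```

An OUI match is a lead, not proof: an attacker can set any MAC on the implant, and a legitimate Pi may be running signage. The value of the check is that every 'unknown' entry, SBC or not, has to be reconciled against the inventory, which is the independent device inventory the earlier section describes.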
OSCP qualified testing
Considered to be the top level qualification for information security testers, the Offensive Security Certified Professional (OSCP) course requires extensive practical hacking expertise.
Dropbox is diligent about keeping previous versions of files on record. By default, version history goes back about a month, keeping hundreds of versions of regularly used files. A ransomware infection on one synced device therefore spreads encrypted copies of files to every linked device, while the retained version history is what makes recovery possible. An automated test can gauge the exposure as well as detect any existing infection, enabling an organisation to take steps to protect files and to move some Dropbox content to a safer location if required.
Network security testing
All organisations, from huge multi-nationals to charities and SMEs, rely on networks – wired, wireless and cloud based for their business connectivity. Regular and robust testing will identify any risks to the backbone of your operation. SRM’s network testing methodology includes:
- Routers, switches, firewalls (both physical and software based) and Wi-Fi access points internal and external to the organisation
- Remote access solutions and Virtual Private Networks (VPN)
- Company telephone solutions, including Voice Over IP (VoIP) and any mobile solutions in scope
- Review of Operating Systems, patching policies and change governance process
- Cloud deployed services including client access as appropriate