Penetration Testing
Penetration testing is a form of security testing where SCA emulates real-world attacks to identify methods or pathways to evade the security features of a network, system or application. These real-world attacks use tools and techniques, both automated and manual, that are commonly used by attackers, which is why penetration testing is sometimes referred to as attack and penetration testing: attack the target(s) to see how far they can be penetrated. The goal is to determine whether unauthorized access or other malicious activity is possible. The results of a penetration test can help demonstrate how well the target system(s) or application(s) withstand real-world attacks, the level of sophistication needed to compromise the system(s) or application(s), the remediation needed to reduce threats, and the defender’s ability to detect and quickly respond to attacks.
SCA penetration testing is a valuable tool to evaluate the adequacy of security controls to detect and defend against a threat actor. Additionally, SCA penetration testing helps organizations meet regulatory, framework and certification requirements including but not limited to the following:
- Federal Financial Institutions Examination Council (FRB, FDIC, NCUA, OCC, CFPB, SLC)
- PCI – Payment Card Industry
- New York Department of Financial Services (23 NYCRR 500)
- Insurance Data Security Laws
- SOC 2 Reporting
- Center for Internet Security Critical Security Controls
- NIST Special Publication 800-53
For Federal, State and local government entities, SCA penetration testing is available under our GSA contract #47QTCA20D008C for Highly Adaptive Cybersecurity Services (HACS).
SCA Penetration Testing Capabilities:
Network Penetration Testing
- External
- Internal
- Wireless
- SCADA
Application Penetration Testing
- Web Application
- Mobile Application
SCA offers penetration testing as White, Grey or Black Box efforts. Each requires increasing amounts of planning and discovery effort to identify target assets. Due to the sensitive nature and architecture of SCADA systems, SCADA penetration testing by SCA is always performed as a White Box effort.
- White Box: Full knowledge of target systems, applications and IP addresses in-scope
- Grey Box: Partial knowledge of target systems, applications and IP addresses in-scope
- Black Box: Zero knowledge of target systems, applications or IP addresses in-scope
Penetration testing may also be performed as a Red Team or Purple Team effort:
Red Team Penetration Testing
Red teaming projects are heavily focused on emulating an advanced threat actor using stealth, subverting established defensive controls and identifying gaps in the organization’s defensive strategy, and often involve more than one red team cybersecurity analyst playing the part of the malicious actor.
Purple Team Penetration Testing
The Red team (friendly attackers) partners with the Blue team (the client’s defensive personnel) in a collaborative exercise. The Red team shares its tactics, techniques, and procedures. The Blue team shares its monitoring tactics and playbooks with the Red team. Essentially, offense informs defense, and defense informs offense; this way, the capabilities of both teams are extended.
Reach out to us to schedule a consultation and learn more about our cybersecurity assessment and advisory services. We will help elevate your security and demonstrate your compliance so that your organization can grow and thrive.
Contact Us Today For Free Consultation
(727) 571-1141