Vulnerability Assessment & Scanning
Many organizations are required by regulatory bodies, including the Payment Card Industry (PCI), to perform periodic external and internal vulnerability assessments. In the event of a data breach, the lack of effective scanning and reporting can lead to a determination of negligence. Organizations therefore carry out external and internal vulnerability assessments on a periodic basis to ensure that risks are identified proactively and that remediation plans are put in place.
At TRUDGE we provide a full suite of vulnerability assessment and scanning services: a quick, easy and inexpensive check that your systems are protected. The type and depth of a vulnerability assessment varies:
- Black Box – Un-credentialed scanning.
- Grey Box – Credentialed with limited privileges scanning.
- White Box – Credentialed with full system admin privileges.
External and Internal Vulnerability Assessments
At TRUDGE, the qualified consultants in our red team hold some of the industry-leading certifications in vulnerability assessment and penetration testing, such as OSCE, OSCP, OSWP, eWPTX, CRT (CREST UK), GWAPT, LPT and CEH. A vulnerability assessment is not simply running scanning tools and handing over the results: we go beyond basic automated scanning to manually validate and analyse the vulnerabilities the scanners identify and to remove the false positives.
The depth of these services helps eliminate inaccurate reports that can occur with automated scanning, and they facilitate a more precise understanding of the real security posture of your systems. The assessment concludes with a detailed report that outlines validated vulnerabilities, risk ratings, and remediation recommendations and a stakeholder debriefing.
Quarterly External PCI Scans
This service provides monthly external scans, which satisfy the PCI Data Security Standard (PCI DSS) requirement for quarterly external network scans by an Approved Scanning Vendor (ASV) and help ensure continued compliance. Included with this service are:
- Secure project portal access to the ASV scan management interface.
- A monthly report that meets PCI DSS ASV reporting requirements and may be passed on to your acquirer.
- A monthly report of vulnerabilities, remediation recommendations and raw data for each scan.
Why choose TRUDGE for your vulnerability scans and assessments?
Safeguard your network and protect your data with our streamlined program:
- Extend beyond the tools: Our approach goes beyond automated tools and processes to include manual reviews, adversarial analysis and tailored manual techniques by our team of security experts, so that identified vulnerabilities are fully explored.
- Follow a time-efficient process: We ensure all assessments are executed effectively within your project timeline by prioritizing the most urgent potential vulnerabilities and abiding by the agreed rules of engagement.
- Deliver deep insight: Our assessments provide you with valuable and actionable insights into discovered vulnerabilities, projected business impact, and remediation steps where applicable.
Penetration Testing
Penetration testing, whether internal or external and white-box, grey-box or black-box, uncovers critical issues and demonstrates how well your network, infrastructure and application assets are protected. Because the TRUDGE Red Team thinks and acts like an attacker, you can discover critical vulnerabilities and remediate them before they are exploited. The team simulates external and internal threat actors with the ultimate goal of obtaining privileged access to your critical systems, exfiltrating sensitive data and penetrating deep into your network and systems through lateral movement. Such simulations help executive management understand the impact of a potential data breach and provide the justification needed to ensure risks are mitigated.
Our penetration testing engagements identify the threats to your organization, key assets that may be at risk, and the threat agents that may attempt to compromise them. Each engagement is customized to your requirements and may span from breaching a single host to gaining deep network access.
An experienced penetration tester can mimic the techniques used by criminals without causing damage. These tests are usually conducted outside business hours or when networks and applications are least used, thereby minimising the impact on everyday operations.
We begin by identifying the assignment objectives, scope of work and systems under test, and agree rules of engagement based on the OSSTMM methodology so that all parties understand their obligations when conducting a penetration test. TRUDGE then performs the various attack vectors and scenarios, in many cases getting extremely creative in putting test scenarios together. Throughout the engagement we provide ongoing status reports, immediate identification and reporting of critical risks, and knowledge transfer to your technical team. At the end of the process we ensure you have a complete understanding of the exploitable vulnerabilities in your environment, together with recommended remediation strategies from both a technical and a management perspective.
Passive Recon Phase
Passive reconnaissance provides the tester with a large amount of knowledge that has already been created and captured by various sources, without sending any traffic directly to the target. Some of these sources are part of the infrastructure the Internet itself requires, such as DNS records, regional Internet registry databases (ARIN, for example), domain registrars and other information that can be queried through WHOIS requests.
In addition to the WHOIS information, data can also be gained by looking at Social Networking sites, such as LinkedIn, Twitter, and Facebook, a target’s website, any Internet forums linked to the target, geographic and physical information around the target’s business presence, and information indexed by search engines like Google and Bing.
This information can be used in Social Engineering attacks, if they are allowed, in which the tester uses information gained from the passive recon activities to manipulate employees or contacts of the target into providing sensitive information. Examples of this could be calling a Help Desk using public information to authenticate a user’s identity for the purposes of changing a password or forwarding a phone number.
The results from the passive recon phase would be a knowledge base of potentially useful information about the target’s Internet presence, key employees, IP addresses, domain names, products, or services that would be targeted in further phases.
Active Recon Phase
During the active recon phase, the tester takes the target network’s domain names and IP addresses and starts port scanning. This is the first time the tester actually sends traffic to the target. From the port scan output, the tester starts enumerating and documenting the services that are open on the target. Enumeration can be done by “banner grabbing”, where the tester connects to the service and records whatever it returns. In addition to manual banner grabbing, automated tools can fingerprint the service based on the banner, TCP/IP stack characteristics such as the flags set in packet headers, and other data related to the service’s operation.
The output from this phase is a list of hosts detailing the running services, ideally with service version identified.
Enumeration
- Network mapping and host discovery.
- Service identification, vulnerability scanning, and web application discovery.
- Identification of critical systems and network protections.
Research & Development
In this phase, the tester will correlate the detected services against different vulnerability databases. This can be done manually by matching services, or automated using a vulnerability scanner to match the service version to a known vulnerability.
If no known vulnerabilities exist, or the client requests that 0-day vulnerabilities be used (vulnerabilities not yet publicly known or reported to the vendor, for which no patch exists), then the process of finding or researching 0-day vulnerabilities will begin.
From this phase, a list will be created of hosts with the vulnerabilities specified.
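The two phases above, turning raw banners into a list of hosts with identified services and versions and then correlating those versions against a vulnerability database, are shown below as an added example. This is illustrative code written for this page, not TRUDGE tooling. The banner regexes, the sample banners, the host addresses and the in-memory `VULN_DB` records are all constructed; the `PLACEHOLDER-…` identifiers are not real advisories, and in practice the records would come from NVD or vendor bulletins. Services whose banner carries no version are deliberately routed to a manual-check list rather than reported as clean, which is the false-negative trap an automated correlation step most often falls into.

```python
"""Service enumeration and known-vulnerability correlation (added example).

Assumptions (not from the page): the banner regexes, the sample banners
and the in-memory VULN_DB records are all constructed for illustration.
The vulnerability identifiers are placeholders, not real advisories.
"""
import re
import socket

# Constructed sample banners, keyed by (host, port), as a banner grab
# against an internal range might return them.
SAMPLE_BANNERS = {
    ("10.0.0.5", 22): "SSH-2.0-OpenSSH_7.4",
    ("10.0.0.5", 80): "HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Ubuntu)\r\n\r\n",
    ("10.0.0.7", 21): "220 (vsFTPd 3.0.3)",
    ("10.0.0.9", 25): "220 mail.example.test ESMTP Postfix",
}

# Product name and a regex that recognises its banner; the optional
# 'ver' group captures the version string when the banner includes one.
BANNER_PATTERNS = [
    ("openssh", re.compile(r"^SSH-\d\.\d-OpenSSH_(?P<ver>\d+(?:\.\d+)*)")),
    ("apache", re.compile(r"Server:\s*Apache/(?P<ver>\d+(?:\.\d+)*)", re.I)),
    ("vsftpd", re.compile(r"\(vsFTPd (?P<ver>\d+(?:\.\d+)*)\)")),
    ("postfix", re.compile(r"ESMTP Postfix(?: \((?P<ver>\d+(?:\.\d+)*)\))?")),
]

# Constructed, placeholder vulnerability records:
# (product, first affected version, first fixed version, identifier).
VULN_DB = [
    ("openssh", "7.0", "7.7", "PLACEHOLDER-0001"),
    ("apache", "2.4.0", "2.4.30", "PLACEHOLDER-0002"),
    ("vsftpd", "2.3.4", "2.3.5", "PLACEHOLDER-0003"),
]


def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect and return whatever the service says first. HTTP servers
    say nothing until spoken to, so send a minimal HEAD request there."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        if port in (80, 8080, 8000):
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        try:
            return s.recv(1024).decode("utf-8", "replace")
        except socket.timeout:
            return ""


def parse_banner(banner: str):
    """Map a raw banner to (product, version-or-None); None if unrecognised."""
    for product, pattern in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return product, m.group("ver")
    return None


def enumerate_services(banners):
    """Active recon output: one record per host/port with product and version."""
    services = []
    for (host, port), banner in sorted(banners.items()):
        parsed = parse_banner(banner)
        product, version = parsed if parsed else ("unknown", None)
        services.append({"host": host, "port": port, "product": product, "version": version})
    return services


def version_key(v: str):
    """Turn '2.4.29' into (2, 4, 29) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def affected(version: str, first_bad: str, first_fixed: str) -> bool:
    return version_key(first_bad) <= version_key(version) < version_key(first_fixed)


def correlate(services, vuln_db):
    """R&D output: services matched to database records. Services whose
    version could not be read are returned separately for manual checks
    rather than silently treated as clean."""
    hits, needs_manual = [], []
    for svc in services:
        if svc["product"] == "unknown":
            continue
        if svc["version"] is None:
            needs_manual.append((svc["host"], svc["port"], svc["product"]))
            continue
        for product, first_bad, first_fixed, vuln_id in vuln_db:
            if product == svc["product"] and affected(svc["version"], first_bad, first_fixed):
                hits.append({**svc, "vuln_id": vuln_id})
    return hits, needs_manual


if __name__ == "__main__":
    found, manual = correlate(enumerate_services(SAMPLE_BANNERS), VULN_DB)
    for h in found:
        print(f"{h['host']}:{h['port']} {h['product']} {h['version']} -> {h['vuln_id']}")
    for host, port, product in manual:
        print(f"{host}:{port} {product}: version not in banner, verify manually")
```

Run as a script it reports the two matching services and flags the Postfix host for manual verification. `grab_banner` is included so the same parser can be fed live output from a host you are authorised to test; the rest of the block runs offline on the constructed banners.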
Attack Phase
For the attack phase, the tester takes the list of hosts with services that have documented vulnerabilities and determines whether an exploit exists. As in the R&D phase, the search can be performed manually using exploit databases or with automated tools such as Metasploit or Core Impact. TRUDGE only uses commercially available exploits or exploits developed and tested internally, so that untested and potentially unsafe exploit code is never run against client systems.
If exploit code does not exist, it can be created, however this will take longer for a custom exploit than one readily available. Once a tested exploit is available for a specific vulnerability, it will be launched against the target.
Proof of exploit will be captured using flag files (creation of a non-executable file), screenshots, terminal captures, or other agreed-upon methods.
Exploitation
- Research exploits and attacks based on enumerated information.
- Active exploitation of vulnerable systems and applications.
- Manual testing tailored to the deployment and business purpose of the target.
Post-Exploitation Phase (Optional)
In this optional phase, the tester can attempt to pivot by leveraging the exploited system to move into other areas of the target’s infrastructure, including systems that are not meant to be directly accessed from the Internet.
If the test is meant to go undetected by the system and network administrators, the tester will attempt to cover the evidence of the exploit by deleting logs or planting false information to disguise the attempt. Because this destroys evidence the client may later need, it is done only where the rules of engagement explicitly permit it.
In some cases, for longer-term testing, a back door or rootkit will be left in place to allow the tester access after the initial exploit; such persistence is agreed in advance, documented, and removed at the end of the engagement. From this access the tester will be able to look for and pilfer sensitive or targeted information relevant to the engagement.
Escalation
- Escalate privileges and compromise credentials.
- Leverage compromised systems to gain new access further into the network.
- Attempt to access business-critical systems or information to demonstrate impact.
Penetration Test Report
After completion of the testing, the findings will be categorized, risk ratings assigned based on likelihood and impact of exploitation, and mitigations recommended to prevent others from using the same exploits and vulnerabilities. The findings will be contained in a report that will contain summarized data as well as individual data that can be passed to technical remediation teams in order to create a Plan of Action and Milestones (POAM).
Why Choose TRUDGE as your Penetration Testing Partner
Our clients rely on our comprehensive technical security assessment services because we:
- Extend beyond the tools: Our approach goes beyond the use of automated tools and processes to include deep knowledge of how compromises can occur in government, financial and commercial organizations.
- Follow a time-efficient process: We ensure all assessments are executed effectively within limited engagement windows by prioritizing the testing of critical devices and components and their most likely vulnerabilities, while abiding by the agreed rules of engagement.
- Deliver deep insight: Our assessments provide you with valuable and actionable insights into discovered vulnerabilities, potential attack paths, business impact of breaches, and remediation steps.
- Help you address the issues: Experienced, skilled testers write our comprehensive reports, so you can easily understand and act on the information they contain.
- Stay ahead of the evolving landscape: Our team members undergo extensive training, participate as industry thought leaders, participate in hackathons and CTFs, and have earned industry certifications, including LPT, GCIH, GWAPT, CREST CRT, MCSE, RHCT, OSWP, OSCP, OSCE, CEH, eWPTX, PMP, and CISSP.
Web Application Security Assessments
Vulnerable internet-facing web applications are rapidly becoming the most popular attack vector of malicious hackers. Application code vulnerabilities and design flaws in content-rich, web-based, thick-client, and mobile applications can be targeted to penetrate networks and steal sensitive information.
Web applications are now also subject to attacks in which no malware payload needs to be delivered to obtain remote code execution: vulnerabilities such as the remote code execution flaws in Apache Struts let an attacker gain code execution on the underlying host, with the privileges of the application server process (root, if the application runs as root), simply by sending a crafted HTTP request to a vulnerable application. To mitigate these threats, web and application security assessments must be built into the development and release lifecycle.
Our application security assessments identify weaknesses in your proprietary or third-party applications and propose fixes that will enhance your system’s security posture. By combining leading tools with targeted, expert manual analysis of your application, we diagnose threat susceptibility and provide you with repeatable, measurable, transparent and actionable results. The TRUDGE Red Team has extensive experience in testing web applications, and more than 90% of the work we do is manual; as much as we like to use commercial and open-source tools, human interaction with the application always gives the best results, and this is particularly true of grey-box web application tests.
Web Application Assessments
- Assess your application from an adversarial standpoint.
- Assessment against all OWASP Top 10 security attack vectors.
- Perform different assessment types - black-box, grey-box or white-box.
- Evaluate your application for misconfigurations, logic attacks, and input validation issues.
Application Program Interfaces (APIs)
- Perform in-depth API mapping and manual analysis.
- Ensure consistent boundary checking for API requests.
- Evaluate your APIs for misconfigurations, logic attacks, and input validation issues.
Mobile Applications (IOS and Android)
- Analyze application data storage routines.
- Evaluate the usage of platform protections.
- Identify permission boundary checking and analysis.
Static Source Code Analysis
- Evaluate code quality and implementation from functional and security perspectives.
- Manually verify findings and provide context as necessary.
- Develop proof-of-concept code to show impact of vulnerabilities.
Web Application Threat Modeling
- Conduct deep threat modeling exercise for your critical web applications.
- Identify input and output flows and communication matrix.
- Perform an attack surface analysis.
- Build the relevant protection mechanisms, controls and use cases for monitoring.
Thick Application Clients and Interfaces
- Analyze network traffic patterns for external communications.
- Reverse engineering application to determine if vulnerabilities exist.
- Conduct input validation checking and fuzzing activities.
Vulnerability Management Framework Development
Vulnerability management is the cyclical practice of identifying, classifying, remediating and mitigating vulnerabilities, especially in operating systems, firmware and applications. It is an integral framework that should be embedded in every organization’s security policies. TRUDGE specializes in consulting services that deliver a vulnerability management policy framework defining, for both business and technical functions, how vulnerability management should be conducted across the IT estate.
One of the many ways to discover vulnerabilities is to employ a vulnerability scanner: security software that analyses the target asset through multiple means to discover the vulnerabilities it is susceptible to. A vulnerability scanner identifies weaknesses against a predefined set of known vulnerabilities, within a cycle of reconnaissance, scanning and discovery, vulnerability assessment, prioritization, remediation and patching, and finally audit and re-assessment. A vulnerability scanner cannot, in general, identify an undocumented vulnerability such as a zero-day; that is the function of a penetration test, where manual testing and fuzzing with relevant test cases can identify certain kinds of vulnerabilities, such as buffer overflows, kernel crashes, denial of service or memory leaks.
Similarly, antivirus software capable of heuristic analysis may discover undocumented malware if it finds software behaving suspiciously (such as attempting to overwrite a system file). Correcting vulnerabilities may involve installing a patch, changing network security policy, reconfiguring software (such as a firewall), or educating users about social engineering. Remediation is often the most difficult phase of any vulnerability management programme; TRUDGE has the experience and know-how to help customers develop remediation plans that are practical and achievable while ensuring risks are controlled and mitigated.
Trudge Vulnerability Management
Trudge® Vulnerability Management (VM) automates the lifecycle of network auditing and vulnerability management across the enterprise, including network discovery and mapping, asset prioritization, vulnerability assessment reporting and remediation tracking according to business risk. Trudge Vulnerability Management allows security managers to audit, enforce and document network security in accordance with internal policies and external regulations. As an on demand Software-as-a-Service (SaaS) solution, there is no infrastructure to deploy or manage.
Trudge Vulnerability Management for Large Distributed Enterprises
Trudge VM enables enterprises to effectively manage their vulnerabilities and maintain control over their network security with centralized reports, verified remedies, and full remediation workflow capabilities with trouble tickets. Trudge provides comprehensive reports on vulnerabilities including severity levels, time to fix estimates and impact on business, plus trend analysis on security issues.
Benefits of Trudge Vulnerability Management:
- Mitigate risk by automating vulnerability identification and prioritizing remediation based on risk to business operations.
- Agent-less auditing, tamper resistant audit trails and the certainty that comes with third-party assessment.
- On demand SaaS technology offers significant economic advantages with no capital expenditures, extra human resources or infrastructure to deploy and manage.
- Unprecedented scalability makes it ideal for large, distributed organizations.
- Rapidly identify, visualize and organize network assets into Business Units and Asset Groups.
Centralized Vulnerability Management
- Automatic centralized reporting from distributed scans.
- Consolidated administration of both internal and external (perimeter) scanning.
- Executive Dashboard.
- Asset-based solution with an interactive asset search portal.
- Authorized user access from any location.
- Export reports to HTML, MHT, PDF, CSV and XML formats.
Automation
- Scheduled scans and network discoveries.
- Automated daily updates to vulnerability Knowledge Base.
- Automated remediation ticket generation and verification.
Accuracy
- Comprehensive vulnerability Knowledge Base incorporates thousands of unique checks.
- Trusted, third-party certification of network security with tamper resistant audit trails.
- Inference-based scanning engine with non-intrusive scanning techniques.
- Both un-trusted and authenticated scanning capabilities.
- Internal and external scanning provides a 360-degree view of network vulnerabilities.
- Configurable scans for customized audits.
- Unique fingerprints for over 2,000 operating systems, applications and protocols.
Reporting
- Customizable reports for on demand reporting by business unit for executives and managers.
- Automated trending and differential reports.
- Remediation reporting: ticket trending by asset group, user and vulnerability.
- Scorecard reports for enterprise stakeholders.
- Automated report generation and distribution.
- Multiple report distribution options including encrypted PDF.
Mobile Application Security Testing
Mobile applications are increasing in number every day. Today more mobile phones and tablets access web applications than PCs, and more than 90% of government services in India can be transacted through mobile applications. Increased use of mobile applications means more application vulnerabilities, and thus more security incidents that may impact the client device or the backend systems that support the mobile application.
Many of the mobile applications we have assessed recently across the region show the need for continuous security assessment. Poorly hardened and insecurely configured mobile applications, often built by developers to whom organizations have outsourced the work, frequently fail to follow even the most basic security guidelines.
Mobile application vulnerabilities often lead to customer privacy violations and/or data loss. It is therefore important to perform a holistic security review as part of your mobile application deployment strategy.
TRUDGE’s team of mobile application security consultants offers a detailed security analysis of your mobile application as part of our Mobile Application Security Assessment service. Our testing combines automated and manual testing using the Mobile Security Framework (MobSF), OS emulators and simulators, and the platform SDKs. Automated tests detect many of the common vulnerabilities in a mobile application; manual testing by our security experts uncovers many more, especially during a grey-box test.
Our mobile application security methodology is based on the OWASP Mobile Security project and covers both the client application and the server side.
Application Mapping
The initial step in the Mobile application security assessment is the mapping of the application for each type of the Operating System architecture. This will provide a detailed understanding of the application and the data flow, within the application as well as to the server.
- Application Understanding
- Data Flow Mapping
Client-Side Attacks
In this stage, the focus of the testing is to understand the weaknesses on the client side. This includes the analysis of temporary storage, sensitive information and client-side encryption.
- Binary Analysis and Identification of insecure APIs.
- File system analysis for identification of sensitive files and weak encryption implementation.
- Memory and Process Analysis.
Network Attacks
In this stage, the communication channel between the client and the server is reviewed and attacked. Sensitive plaintext traffic is identified by analysing:
- Installation Traffic
- Run time Traffic
Server-Side Attacks
The final phase of a mobile application security assessment is to assess the security of the server. In this, the server-side application would be tested to find out how it responds to various malicious requests.
- Network-level attacks against the exposed services are performed to identify vulnerabilities such as buffer overflows.
- HTTP Attacks are performed to identify application vulnerabilities such as XSS, SQL injection and other OWASP listed vulnerabilities.
Wireless Security Testing
- Identify technical security vulnerabilities and weaknesses with a wireless network deployment.
- Test the effectiveness of security controls associated with a wireless network and ensure adequate protection of organizational information assets.
- Effectively manage wireless service information security risks.
The deployment of a wireless network within an organization can introduce additional risk that needs to be properly managed. For example, a guest wireless network that is physically separate from the corporate network could still be used to launch attacks against other Internet hosts that appear to originate from your organization, to attack other wireless clients, or to access inappropriate Internet content.
Furthermore, a corporate wireless network could suffer from weak authentication or lack segregation, which an ex-employee or a motivated attacker could use to penetrate your internal networks and launch attacks against organizational assets. Recent vulnerability research against wireless infrastructure, notably the KRACK key reinstallation attack against the WPA2 handshake, has raised serious questions about how secure wireless communication really is.
Effective management of the information security risk associated with organizational wireless should ensure a robust and functioning set of controls, including patch, configuration and vulnerability management of wireless access points and wireless LAN controllers, a strong network architecture, robust authentication mechanisms and useful protective monitoring. Wireless security testing is conducted by both the RED team (penetrating the wireless infrastructure) and the BLUE team (reviewing the security architecture, wireless network segmentation and the configuration of the wireless LAN controllers).
Whether associated with a sweep for unauthorized wireless deployments, an audit of a Guest or Bring Your Own Device (BYOD) Wi-Fi implementation or a full assessment of an enterprise grade wireless network access deployment our wireless testing service shall determine whether effective controls are implemented and operating properly. Our team has the equipment and capability to assess the complete and up-to-date range of wireless bands and technologies.
Using a team that comprises experienced penetration testers and wireless security experts and following formal methodologies, TRUDGE will assess a wireless network’s security controls for vulnerabilities and weaknesses across the stack and deliver a detailed report.
The output of the exercise shall position the effectiveness of security associated with the wireless network against best practice and provide a detailed set of issues alongside pragmatic remedial activities that can be used to make improvements to Wi-Fi information security.
Social Engineering - Targeting the Human Weakness
TRUDGE has conducted more than 50 social engineering simulations over the last couple of years, and the results are striking. The level of cyber security awareness among employees varies widely between industries; on average, more than 60% of users took the bait by clicking a link in a carefully crafted email from our covert operations team. This demonstrates not only a lack of employee engagement in training and awareness of the most commonly used cyber security threats, but also that employees cannot tell a legitimate message from a malicious one. The core benefits of running a social engineering simulation are to:
- Simulate a social engineering attack on elements of your organization.
- Gauge the effectiveness of information security awareness training.
- Improve the resilience of your organization to social engineering and phishing attacks.
The majority of recent high profile cyber-attacks against top tier organizations have been successful because they have breached the perimeter through targeted social engineering attacks, otherwise known as ‘spear phishing’.
These attacks identify the contact details of potentially vulnerable people within the organization and use a specially targeted attack vector which is likely to result in the execution of malicious code. Typically, this involves crafting an email which would be of interest to the victim incorporating embedded malware, in the email itself or as an attachment.
Once the code has been executed, it will then use network architecture weaknesses to establish command and control connections with the attacker who can then commence attacks on internal network resources. It is then generally straightforward to identify accessible stores of internal information assets (given access will have been gained with the credentials of the compromised user) and export them over the internet using usually benign and innocuous protocols such as web connections over encrypted channels to bypass security controls.
Furthermore, other attack vectors often include using phone calls to staff, usually under the guise of IT personnel or a senior member of staff and attempting to entice them into performing a task that would also have adverse consequences for the organization’s information security.
A defense-in-depth strategy for the protection of information assets should include all elements of security controls, including physical, procedural and technical. As such, it is essential that personnel within the organization are adequately briefed on information security awareness, how to identify and report potentially malicious emails and the inherent risks associated with opening them.
Social Engineering simulation by TRUDGE, will effectively identify an organization’s susceptibility to social engineering attacks, whether delivered via email, instant messaging, telephone calls or face-to-face within the client’s premises. As part of the assessment, we can use open source intelligence gathering to attempt to identify people within the organization or target a specific team or function that the client determines should be the subject of the investigation.
We will then systematically target those individuals with a bespoke attack which we believe (in co-ordination with the client) has the highest probability of success. All attempts will incorporate a means to measure the success and may also determine whether it would be possible to breach the architecture and establish outbound command and control connections.
The output of the exercise shall position the effectiveness of information security awareness within the organization, statistics on successful and unsuccessful attempts, details on whether it was possible to compromise the perimeter and to provide a detailed set of issues alongside pragmatic remedial activities that can be used to make improvements.
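The “means to measure the success” and the “statistics on successful and unsuccessful attempts” mentioned above need two things: a tracking link that is unique per recipient yet cannot be guessed or enumerated by a curious target, and a way to attribute landing-page hits back to people and departments while discarding hits from scanners and probes. The block below is an added example of that measurement side, written for this page rather than taken from TRUDGE’s tooling. The campaign name, the per-campaign secret, the recipient list, the landing-page host and the access-log lines are all constructed; the tokens are truncated HMAC-SHA256 values, so only whoever holds the secret can map a token back to a person.

```python
"""Phishing-simulation link tracking and result statistics (added example).

Assumptions (not from the page): the campaign secret, the recipient list,
the landing-page host and the web-server log lines are all constructed.
Tokens are HMAC-SHA256 values so a recipient cannot guess another person's
link, and only the operator holding the secret can map a token to a person.
"""
import hashlib
import hmac
import re
from collections import defaultdict

CAMPAIGN = "awareness-q1"                     # constructed campaign name
SECRET = b"constructed-per-campaign-secret"   # held by the simulation operator only

RECIPIENTS = [                                # constructed targets: (email, department)
    ("a.khan@example.test", "Finance"),
    ("b.lee@example.test", "Finance"),
    ("c.silva@example.test", "IT"),
    ("d.osei@example.test", "IT"),
]


def token_for(email: str, campaign: str = CAMPAIGN, secret: bytes = SECRET) -> str:
    """Deterministic but unguessable per-recipient token (16 hex characters)."""
    msg = f"{campaign}|{email.lower()}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def tracking_url(email: str, base: str = "https://landing.example.test/t/") -> str:
    """The link embedded in the lure email for this recipient."""
    return base + token_for(email)


# Combined-format access log line; the token is the path element after /t/.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) /t/(?P<token>[0-9a-f]{16})\S* HTTP/[\d.]+" (?P<status>\d{3})'
)


def log_line(ip: str, method: str, token: str, status: int = 200) -> str:
    """Build a constructed access-log line in combined format."""
    return (f'{ip} - - [12/Mar/2024:09:14:02 +0000] "{method} /t/{token} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


# Constructed log: one click, one click plus a credential POST, one repeat
# visit, one probe with a made-up token, and one unrelated request.
SAMPLE_LOG = "\n".join([
    log_line("198.51.100.10", "GET", token_for("a.khan@example.test")),
    log_line("198.51.100.11", "GET", token_for("b.lee@example.test")),
    log_line("198.51.100.11", "POST", token_for("b.lee@example.test")),
    log_line("198.51.100.11", "GET", token_for("b.lee@example.test")),
    log_line("203.0.113.7", "GET", "0000000000000000", 404),
    '203.0.113.8 - - [12/Mar/2024:09:20:00 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "curl"',
])


def analyse(log_text: str, recipients, campaign: str = CAMPAIGN, secret: bytes = SECRET):
    """Attribute clicks and submissions to recipients. Unknown tokens are
    counted but never attributed: scanners and guesses are not victims."""
    by_token = {token_for(e, campaign, secret): e for e, _ in recipients}
    clicked, submitted, unknown = set(), set(), 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        email = by_token.get(m.group("token"))
        if email is None:
            unknown += 1
            continue
        clicked.add(email)
        if m.group("method") == "POST":
            submitted.add(email)
    per_dept = defaultdict(lambda: {"targeted": 0, "clicked": 0, "submitted": 0})
    for email, dept in recipients:
        per_dept[dept]["targeted"] += 1
        per_dept[dept]["clicked"] += int(email in clicked)
        per_dept[dept]["submitted"] += int(email in submitted)
    n = len(recipients)
    return {
        "click_rate": len(clicked) / n,
        "submit_rate": len(submitted) / n,
        "unknown_tokens": unknown,
        "per_department": dict(per_dept),
    }


if __name__ == "__main__":
    for email, _ in RECIPIENTS:
        print(email, tracking_url(email))
    print(analyse(SAMPLE_LOG, RECIPIENTS))
```

Two design points matter in practice. Repeat visits are collapsed to one click per person, so a curious user reloading the page does not inflate the rate, and a POST is counted separately from a GET so the report can distinguish “opened the link” from “entered credentials”. Keying the tokens with a per-campaign secret also means the recipient list never has to be stored alongside the landing-page logs.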
Social Engineering – Scenarios
Our covert testing team at TRUDGE has been trained by third-party agencies to develop the social skills needed to structure and run these assessments. Combined with the personal attributes that let them convincingly assume the roles they adopt, and their experience in information security, this makes them an ideal team for this type of exercise. The tests conducted during such an assessment include:
- Telephone Impersonation.
- Email Phishing.
- Onsite Impersonation.
- Clean Desktop Testing.
- Suspicious Activity Testing.
- Dumpster Diving and Shred Testing.
- Tailgating.
- Piggybacking.
- Reverse Social Engineering.
- Shoulder Surfing
- Remote Access VPN Account Compromise.