Penetration Testing

Penetration testing (AKA pen-testing or ethical hacking) is a way of examining your business’ security and threat preparedness in regards to cyberattacks, data breaches and other malicious activity. Penetration testing is an authorized, simulated exercise that lets you see where you’re protected and where you’re not before hackers exploit any holes. Our in-depth penetration testing covers every facet of your security assurance:

• Social engineering
• Physical security
• Man-in-the-middle attacks
• Brute-force attacks
• Wireless security

To make sure you’re protected, we’ll run a social engineering test attack to see how vulnerable your business is. Afterward, we can provide your staff with specialized training to help prevent these attacks in the future.

Physical security

Without physical security, most other safety measures are not much use. As the name implies, physical security checks that all your data is physically secured and locked up without even a hint of easy access.

You don’t leave your critical business data in a cardboard box in an unmonitored, unlocked janitorial closet. That is the opposite of physical security. You want your sensitive stuff inside a safe behind a vault surrounded by an alligator-filled moat with cameras and alarms at every entry point—or something to that effect. That is physical security.

While you needn’t take it as far as a moat, you definitely can’t take physical security lightly. What good is all the digital protection if someone can simply walk out with the data they need? That’s the kind of loss that can cost you dearly in time and money—it can even cost you your whole business.

Secure your data the right way. Keep important documents and servers out of sight; keep all applicable doors and windows locked; and use keycard or PIN entry whenever you can. At the very least, keep cameras on the important stuff and record at all times. Good physical security will not only prevent outside intruders, but it will help against disgruntled and spurned employees.

Man-in-the-middle attacks

With so much of our daily lives online now, you have to log in to one of several different services to get the important stuff done. These logins are meant to keep you and your information safe, but what keeps your login information safe? Hopefully you do, but you still need to type it in. What if someone sees what you’re typing in?

A man-in-the-middle attack (MiTM) gets away with just that. Using key-logging malware, spyware, fake card readers and tapped phone lines, hackers can intercept your login and personal information for just about any service. A MiTM stands between you and what you need to do and steals your information—and you’re none the wiser.

This seems like a hard threat to combat, but it can be neutralized with the right security measures. Active monitoring and threat detection are the first line of defense, and keeping your malware definitions up to date will help stall any attacks.

With active MiTM protection, you won’t have to worry about your sensitive information being swiped. As long as you’re on a secure connection with active monitoring, you can log into any services and type in sensitive information without worrying about it falling into the wrong hands.

As part of our penetration testing, we thoroughly check for MiTM vulnerabilities. We understand the scenarios these attacks are popular for, what vulnerabilities to look for, and how to protect those from being exploited.

Brute-force attacks

Sometimes, it’s easier for hackers to just kick the proverbial door down when they want access to something with password protection. While some of us have wised up and use long, complex passwords, others still use the same, easy-to-remember passwords we’ve always used. Those don’t stand much chance against a brute-force attack.

Brute-force attacks are an attempt to crack a password through shear persistence of trial and error. Hackers use an algorithm to methodically test every possible permutation of a string of characters until the correct password is found. While that sounds time consuming—and it is—these algorithms on the right computer can calculate and run these “tests” incredibly quickly.

We’ll break this down with some numbers so you can see how brute-force attacks work. Let’s say you have a 10-digit PIN like “0123456789.” Each character can be any of 10 digits from the set of 0–9, so for a password like this there are 10^10 (10 billion) possible combinations. That may seem like a huge number, and it is, but it’s not a lot for a computer to work through.

The best way to combat brute-force attacks is to use unique, complex passwords and change them every few months or so. Most passwords allow you to use any combination of the following characters:

• Uppercase letters (A–Z)
• Lowercase letters (a–z)
• Digits (0–9)
• Special characters (! @ # $ % ^ & * _)

So 52 upper and lowercase letters, 10 digits and 9 special characters for a 10-character password would give you 10^71 combinations. For reference, there are about 10^21 stars and 10^78 atoms in the observable universe. These are big, big numbers we’re talking about. The time it would take to crack a password that complex with a modern computer is unfathomable (and we did the math; it’s about 2.7 x 10^50 million years if you’d like to try to fathom that).

Our comprehensive assessment will determine if your password policies are up to snuff. If they’re not, we’ll have recommendations to make sure that they are and give you the best tools to keep your policies air-tight.

Wireless security

These days, WiFi is a necessity for any home or office network. It’s quick and easy to connect, and of course it’s wireless so you’re not tethered to your desk. However, there’s a tradeoff for convenience, and security is the biggest trade off.

WiFi security is way more than just a password-protected network, and a WiFi network with limited security measures is a wide-open door for hackers to walk through without you ever noticing.

You can take a couple steps to up your WiFi security before going all-in on penetration testing:

• Use a strong WiFi password, preferably one with a combination of the above character sets

• Use WPA encryption instead of WEP

• Hide your SSID (or network name, e.g., “Office WiFi”) from being broadcasted if possible

Penetration testing will take care of the rest, and we’ll provide you with all the tools you need to stay protected.

With robust WiFi security measures and sensible policies, you won’t have to worry about hackers exploiting your WiFi networks inherent vulnerabilities. You can conduct business as usual without worrying about WiFi infiltration.

Our comprehensive penetration testing will reveal any weaknesses in your security setup, and our experienced security experts will make sure to patch up any and all issues.