Penetration Testing

Penetration tests come in several different flavors – here’s a brief breakdown on each:

Internal Network Penetration Test

Goals of an internal network penetration test can include (but are not limited to):

  • Accessing sensitive/secret company data

  • Gaining access to privileged accounts (i.e. Domain Admins group)

  • Exploiting unpatched systems

  • Cracking user passwords

  • Escalating privileges

  • Planting backdoors

  • Exfiltrating data out of the network

External Network Penetration Test

Similar to an internal pentest, this exercise focuses on your external-facing endpoint such as mail servers, VPN portals, firewalls and Web sites/applications.  We will also look at what your company looks like from an external perspective, with these questions in mind:

  • What can an attacker about your company’s physical locations? 

  • What sensitive information might your employees be posting on Twitter and Facebook?

  • What can we learn about your company’s network simply by analyzing files on your public Web site?

  • Can we find usernames/passwords for your employees on the dark Web?

Web Application Penetration Test

In this type of test, we look for vulnerabilities within a Web application – issues such as SQL injection, cross-site scripting, authentication issues and more.  We use a combination of manual tools and techniques (while following the OWASP methodology) for these types of tests.

Light Pentest

Are you considering your first pentest? Or maybe the idea of a full-fledged, intense penetration test or red team exercise is a little intimidating?

No worries. 7 Minute Security also offers a service called Light Pentest which, as the name implies, is lighter on budget budget heavy in security value. Read more here.

Wireless Network Penetration Testing

In a wireless penetration test, we look to see if there are ways to join your corporate network without authorization, capture/crack your wireless network password, and/or spin up an “evil twin” wireless network and trick your corporate systems into connecting to it.

Red Team Exercises

For organizations with a more advanced/mature security posture, a full red team simulation may be appropriate. In this type of exercise, 7 Minute Security will use one or more social engineering methods (phone calls, phishing emails, SMS texts (smishing) to gain a foothold on the internal network from the public Internet. If initial phishing attempts are unsuccessful, we will shift into a “willing click” scenario – where the company simulates that a malicious click indeed was clicked (by launching a payload provided by 7 Minute Security).

Approach

7 Minute Security uses nationally recognized frameworks – such as MITRE ATT&CK – to emulate attacker TTPs (tactics, techniques, and procedures). We aim to provide a practical approach to penetration testing, write our reports in an easy-to-follow narrative format, and prioritize findings with reasonable timelines.

Internal Network Penetration Testing

7 Minute Security commonly conducts penetration testing under an “assume compromise” narrative – meaning we assume, given enough time/effort/money, one or more of the following will happen:

  • A user will click a malicious link

  • A user’s password will be guessed or socially engineered from them

  • An attacker could sneak a physical device onto the network without notice

External Network Penetration Testing

7 Minute Security will test your organization from both a technical controls standpoint, as well as a “big picture” view of what your organization looks like to the public Internet using:

  • Vulnerability assessments
    Assessing technical vulnerabilities using Nessus, Nuclei and other open-source tooling

  • Open-source intelligence (OSINT) searches
    7 Minute Security will scour Web sites, LinkedIn data, social media profiles, Google Dorks and other public/dark Web searches.

Reporting

7 Minute Security will create and deliver (live or via Zoom) one or more reports depending on your needs and goals:

  • Full report

  • Executive summary

  • Customer-facing attestation letter (summarizes the assessment, maturity scores and findings at a general, sanitized level)