Penetration Testing
Penetration tests come in several different flavors – here’s a brief breakdown on each:
Internal Network Penetration Test
Goals of an internal network penetration test can include (but are not limited to):
- Accessing sensitive/secret company data
- Gaining access to privileged accounts (i.e. Domain Admins group)
- Exploiting unpatched systems
- Cracking user passwords
- Escalating privileges
- Planting backdoors
- Exfiltrating data out of the network
External Network Penetration Test
Similar to an internal pentest, this exercise focuses on your external-facing endpoints such as mail servers, VPN portals, firewalls and Web sites/applications. We will also look at what your company looks like from an external perspective, with these questions in mind:
- What can an attacker learn about your company’s physical locations?
- What sensitive information might your employees be posting on Twitter and Facebook?
- What can we learn about your company’s network simply by analyzing files on your public Web site?
- Can we find usernames/passwords for your employees on the dark Web?
Web Application Penetration Test
In this type of test, we look for vulnerabilities within a Web application – issues such as SQL injection, cross-site scripting, authentication issues and more. We use a combination of manual tools and techniques (while following the OWASP methodology) for these types of tests.
Light Pentest
Are you considering your first pentest? Or maybe the idea of a full-fledged, intense penetration test or red team exercise is a little intimidating?
No worries. 7 Minute Security also offers a service called Light Pentest which, as the name implies, is lighter on budget but heavy in security value. Read more here.
Wireless Network Penetration Testing
In a wireless penetration test, we look to see if there are ways to join your corporate network without authorization, capture/crack your wireless network password, and/or spin up an “evil twin” wireless network and trick your corporate systems into connecting to it.
Red Team Exercises
For organizations with a more advanced/mature security posture, a full red team simulation may be appropriate. In this type of exercise, 7 Minute Security will use one or more social engineering methods (phone calls, phishing emails, SMS texts (smishing)) to gain a foothold on the internal network from the public Internet. If initial phishing attempts are unsuccessful, we will shift into a “willing click” scenario – where the company simulates that a malicious link was indeed clicked (by launching a payload provided by 7 Minute Security).
Approach
7 Minute Security uses nationally recognized frameworks – such as MITRE ATT&CK – to emulate attacker TTPs (tactics, techniques, and procedures). We aim to provide a practical approach to penetration testing, write our reports in an easy-to-follow narrative format, and prioritize findings with reasonable timelines.
Internal Network Penetration Testing
7 Minute Security commonly conducts penetration testing under an “assume compromise” narrative – meaning we assume, given enough time/effort/money, one or more of the following will happen:
External Network Penetration Testing
7 Minute Security will test your organization from both a technical controls standpoint, as well as a “big picture” view of what your organization looks like to the public Internet using:
Reporting
7 Minute Security will create and deliver (live or via Zoom) one or more reports depending on your needs and goals: