Calgary, Toronto
1 (800) 385-1632

Penetration Testing

DigitalDefence has pioneered a penetration testing approach based on “goal-directed testing” – we start by identifying your critical data, and then we focus testing on compromising that specific data.  Unlike other testing methodologies that test everything, this cost-effective test highlights your most important risks.  We also use a team-based approach with your own network staff.  By determining if they can detect and respond to our attacks, we increase the effectiveness of our test results

DigitalDefence can deliver a variety of network and system tests designed to identify potential vulnerabilities before they are exploited by an attacker.  The most accurate testing methodology is penetration testing, sometimes referred to as “ethical hacking”.  Using commercial, open source, and proprietary tools, skilled testers will use the same techniques that a hacker would use to assess your network’s security.

By taking on the role of an outside hacker or a disgruntled employee, testers will: (1) demonstrate how the network was compromised, (2) prove that an actual compromise took place, and (3) provide real information on how to mediate against future attacks of this type

Penetration testing answers the question: “What could an attacker do to harm my organization or data out in the real world?”

Networks are under constant attack by individuals motivated by financial gain, political gain, intellectual challenge, or just mischief.

Although many organizations test their networks on a semi-annual or annual basis as part of their regular security program, additional testing may be required when:

  • Deploying a new infrastructure, or changing the existing infrastructure
  • Moving to a hosted environment (“the cloud”) or moving to a new physical location
  • Introducing new critical applications, especially those with connectivity to third parties or untrusted networks such as the Internet
  • Introducing new critical applications, especially those with connectivity to third parties or untrusted networks such as the Internet
  • Implementing new technologies (wireless, VoIP, third party management of critical systems)
  • A confirmed or suspected security breach has occurred
  • Terminating employment of individuals with privileged access levels
  • Satisfying regulatory requirements (PCI DSS)
  • As part of your regular security program

External Network Penetration Testing
(Internet accessible infrastructure and services)

·      Firewalls

·      Intrusion detection and prevention systems, other security devices

·      Routers, switches, other network hardware

·      DMZ architecture

·      Web, email, DNS, and other servers

·      VPN and other remote access endpoints

·      Online services and applications

Internal Network Penetration Testing
(Internal or private network infrastructure and services)

·       Firewalls

·      Intrusion detection and prevention systems, other security devices

·      Routers, switches, other network hardware

·      Servers, workstations, and mobile devices

·      Operating systems, databases, applications

·      Password strength testing

·      Administrator privileges escalation testing

·      Voice over IP, VoIP, including IP-connected messaging and teleconferencing networks

·      Printers, scanners, fax devices

·      Networked appliance (IoT), including automobiles, medical devices

·      Third party and vendor security testing

Attacks against WiFi networks based on the IEEE 802.11 standard are common; these devastating attacks can result in a loss of service or provide an unexpected entry into your data network.  DigitalDefence will work with your organization to perform the following security services:

  • Wireless security policy review
  • Wireless network architecture review, including enumeration of wireless network components
  • Collection and analysis of data transmitted over wireless
  • Identification of unauthorized or “rogue” wireless access points
  • Wireless access point configuration review
  • Control of wireless network access, including use of encryption
  • Resilience against denial of service attacks
  • User provisioning and endpoint security

DigitalDefence is experienced in working with IEEE 802.11, industrial wireless protocols such as ZigBee, and wireless controls in embedded systems.

A web application is any program that can be delivered using a web server; the application is usually accessed through a web browser.  These applications deliver online content that may include eCommerce systems, financial data, medical data, and other sensitive information.  Now, more than ever, web services are a critical part of an organization’s business.

Our proprietary methodology for testing web services incorporate the best advice of the Open Web Application Security Forum and other standards organizations.  Testing includes:

  • Software infrastructure and design weaknesses
  • Data leakage and privacy exposure
  • Web and application server operating system vulnerabilities
  • Vulnerabilities specific to web services including the OWASP Top 10 and platform-specific vulnerabilities
  • Content management system, CMS, vulnerabilities – Joomla, WordPress, and other applications
  • Other third party vulnerabilities

Throughout testing, DigitalDefence will take a variety of approaches to assess security and privacy. For example, testing may be conducted from the Internet, with no internal testing from the network; or, testing may be a mix of remote and on-site testing.  The chosen methodology will be worked out in advance with each client.

Although both automated and manual tools will be used, all vulnerability findings are manually verified to reduce false positive results.

Supervisory Control and Data Acquisition (SCADA) systems are used to monitor and control the operations of public and private industries and utilities, generally designated as “critical infrastructure”.  If a SCADA system is compromised or unavailable, the resultant loss or degradation in providing services can subject the utility to regulatory and/or financial penalties.  It is possible that a compromise could result in injury or even death.

At DigitalDefence, we are able to provide a range of SCADA assessment and protection services, including:

  • Development of standards-based (e.g. NERC CIP) security policies and supporting documentation
  • Secure SCADA architecture assessment, including interconnection with data networks (pre- and post-deployment)
  • Review of physical controls
  • Vulnerability scanning and penetration testing of SCADA systems and supporting architecture
  • Deployment of SCADA honeypots and honeynets to provide attack alerts
  • Development and implementation of custom incident response plans
Benefits of Penetration Testing
Identifies vulnerabilities and allows you to focus on those that are the most
critical to your specific network—provides proof of real threats to your data’s security—compelling evidence for management action!

Prevents financial loss—a security breach for even a small company can incur significant costs, including recovery costs, lost revenue, reduced employee productivity, and intangible costs, such as a damaged reputation

Proves due diligence; satisfies regulators, investors, and clients that you are providing the highest degree of security to their data

Ensures regulatory compliance under frameworks like ISO 27001:2005, PCI DSS, HIPAA / HITECH; required for many insurance policies

Knowledge professionals – the key to DigitalDefence’s success is our industry-certified experts who can demonstrate real risks to your network and provide you with practical strategies and options for mediation

When you’re facing one of these challenges, contact DigitalDefence to perform a penetration test.