Penetration Testing Service
CSC’s StrikeForce cybersecurity specialists and tools uncover vulnerabilities across your enterprise.
Cybercrime is growing, and the perpetrators are becoming more sophisticated. At the same time, IT organizations are under pressure to develop, test and release applications more quickly while maintaining systems with fewer resources. This opens the door to threats from remote code execution, poor configuration, weak default settings, outdated technologies and inadequate patching. Worse, organizations may not learn about a breach until months after it happens.
To protect critical systems and data, enterprise cybersecurity teams must continually monitor for emerging threats and zero-day vulnerabilities. In addition, they need real-world experience to identify all possible attack pathways. Finding and retaining staff members with those skills can be a constant challenge, but there is another way.
CSC’s StrikeForce Penetration Testing Service combines highly skilled security specialists, automated tools and manual attack scenarios to uncover potential attack vectors and provide a comprehensive view of your cybersecurity risks.
StrikeForce Penetration Testing identifies risks to both internal and external systems in large, highly complex IT environments as well as single-purpose networks. Findings are prioritized by risk, likelihood, and impact-weighted severity, categorized by root cause process areas, and include recommendations for mitigation or remediation. The service includes:
- External networks (e.g., Internet-facing)
- Internal networks
- Web and thick-client applications
- Embedded computing devices (including medical devices)
- Wireless networks
- Physical security
- Antiphishing exercise training
CSC recommends testing on a quarterly or twice-a-year basis to help your organization maintain a mature defensive posture against attack.
Improving Security in Four Steps
CSC’s technical assessment services span four phases of work:
Step 1: Project Initiation
The first step is to identify a client’s scope and objectives. StrikeForce team members work with you to develop a detailed plan for the approach, expectations, and boundaries or limitations associated with the assessment. Our team will communicate with your technical resources staff and gather all relevant IP addresses, URLs, site locations and credentials.
Step 2: Reconnaissance
The reconnaissance phase includes the discovery and enumeration of publicly available company information. The team identifies live systems, open and filtered ports, and the services running on those ports, and maps router and firewall rules.
A meticulous enumeration process is used to acquire information about the target systems and the surrounding network environments. This facilitates the discovery of network devices, including security devices designed to restrict traffic. The team identifies live systems and open and filtered ports, analyzing responses to map the overall surface area and begin the groundwork for uncovering targets of interest.
CSC’s team uses this information to identify hosts, usernames and passwords, as well as detailed information on OS types, versions and patch levels to determine potential vulnerabilities.
Step 3: Penetration Testing and Ethical Hacking
CSC then uses the information obtained in the reconnaissance phase to identify and exploit vulnerabilities. The team deploys both manual and automated penetration-testing techniques against external, Internet-facing hosts, as well as internal servers, network devices and workstations.
External testing includes an assessment of Web and mail gateway controls. Once a system is compromised, CSC’s StrikeForce team tries to exploit other systems to demonstrate the true risk and impact from successful breaches. This phase ends when all options for compromising systems are exhausted.
CSC approaches these exploitive activities conservatively and places a priority on server availability and stability. Activities include:
- Obtaining access through external firewalls, routers or other gateways
- Finding and customizing code that can be exploited to break vulnerable operating systems, daemon tools and other services
- Combining application and operating system attacks to expose application and database vulnerabilities
- Moving laterally through systems after vulnerabilities are uncovered for deeper network exploration
Step 4: Analysis and Reporting
As penetration testing is performed, the team analyzes collected data to determine which exploits are successful and whether these techniques can be used against other systems, allowing further access to critical systems. This recursive analysis phase is critical to understanding how much damage can be done.
After exhausting identified avenues of attack, CSC’s StrikeForce team compiles results in a comprehensive technical report that includes all vulnerabilities, technical references for further clarification, mitigation options and key recommendations. Vulnerabilities requiring immediate attention are documented in a Quick Hit Finding Report. CSC can also include an executive presentation that summarizes the results and recommendations.
Digital Attack Simulation
CSC also offers a Digital Attack Simulation Service specifically designed to improve a client’s ability to detect and respond to threats. Working closely with the client’s Security Operations Center, the StrikeForce team will simulate a breach and help the defensive team quickly identify indicators in the environment.
Scanning for Vulnerabilities
CSC also provides a Vulnerability Scanning Service that identifies weaknesses in your infrastructure systems. CSC’s vulnerability scanners can rapidly identify thousands of vulnerabilities and produce detailed reports on the threats, risk rating and remediation procedure.
Vulnerability scanning may detect:
- Default software settings and credentials
- Exposed administrative consoles
- Exposure of sensitive data
- Insecure configurations
- Unpatched software
- Web server vulnerabilities
Offering End-to-End Security Services
With 40 years’ experience in information security, CSC is one of the few companies in the world that provides end-to-end services — from strategic consulting and technical assessments to managed security services — to monitor and safeguard systems.
CSC’s StrikeForce team offers a full range of testing, including penetration, digital attack simulations, Web applications, wireless network security and social engineering exercises. StrikeForce provides managed vulnerability assessment services, as well as standalone security and privacy assessments, to organizations worldwide.
CSC dedicates more than 1,300 security specialists to help clients detect attacks, assess threats and vulnerabilities, rapidly respond to incidents, and enable disaster recovery and business continuity. Our security professionals hold numerous industry certifications, including CISSP, GIAC, CISM, CISA, OSCP, ISO 27001 Implementer and BS 7799 Auditor.
Contact us to learn how CSC’s StrikeForce Penetration Testing Service can improve your security posture.