Answers to frequently-asked cybersecurity questions.

Some have asked why each testing service has tiers, and do not have commonly offered features such as debriefings, detection/mitigation assistance, remediation verification, or in some cases, even a customized report.

We attempt to remain as a la carte as possible with the features offered for each service, allowing you to only pay for what you want and need. For example:

• Clients using our vulnerability scanning services typically want to keep the cost ultra-low, so we offer a “basic” service option that only includes a raw report from the scanning tool(s) used during testing.
• For our testing and assessment services, clients typically find the provided findings and recommendations report to be so detailed that it is unnecessary to call us back in for the remediation verification/testing, or to explain a certain finding.
• Some clients prefer to brief their executive leadership and support staff on their own.

Bottom line, why should we charge you for features you do not plan to use? Offering these tiers of services allows us to lower the the cost so you only pay for what you use.

Because computer security is such a fast-changing industry, we continually mold and update our methodology from a combination of industry standard evaluation/pentesting methodologies and intel based techniques, tactics, and procedures (TTP) such as:

• PTES
• OWASP
• NIST SP 800-115
• OSSTMM
• MITRE ATT&CK
• and others

We also rely heavily on:

• leading industry evaluation and “hacker” tools
• manual analysis
• years of industry experience and knowledge

For specific methodology information of each service, view the Services page and click on each service. If you have any questions, please reach out to us for additional information on our Contact Us page.

Our company slogan is, Rock Solid Security, which is based on Matthew 7:24.  The hardest rock on the Earth is a diamond. Our logo is a diamond molecule, flattened to a 2-D image, with the string, Rock Solid Security, in binary, encircling it.

This is a general order and timeline. After the first step, some of the phases run simultaneously. During a typical engagement, PEN Consultants will:

1. meet (or teleconference) with you to discuss your needs and goals
2. give you preliminary pricing based on your desired services
3. send a mutual non-disclosure NDA, to protect both parties
4. complete a detailed questionnaire to narrow down testing scope
5. provide a detailed, no obligation, contract and statement of work (SOW) for your review
6. perform testing/service (after execution of the final contract/SOW)
7. after testing is complete, (1) “get noisy” so your SOC staff will see the attack(s) and get some IR experience out of it or (2) clean-up, restoring any and all modifications made during the testing (if applicable)
8. create a detailed report explaining what key factors were discovered and provide recommendations for you to prevent and/or detect discovered attacks (at all layers), etc. (if applicable)
9. follow up with a debrief – on-site or teleconference – to discuss/show what was found (if applicable)
10. assist you with locating vendor products, determining a better use of current vendor products, acquiring qualified staff to carry out remediations, etc. (if applicable)
11. remain engaged until you are 100% satisfied

Check out this sample security testing report.

Hackers typically:

• steal financial information (credit cards, bank account #s, etc.) and/or PII (SSN, DLN, DoB, names, etc.)
• steal usernames/passwords then use those to attack further
• install malware that captures keystrokes, screen captures, etc.
• install backdoors and/or botnet software on victim’s machines so they can attack other computers around the world
• exfiltrate private and sensitive data, emails, etc.
• modify data, emails etc. residing on the hacked network
• capture network traffic
• and so much more

Not only can the technical damage be detrimental to an organization, but a damaged reputation and the expenditures to fix the damage after an attack can also be catastrophic.

Should security testing (vulnerability scanning, web app pentesting, etc.) be performed through a full protection stack (firewall, IPS, WAF, email filter, etc.), or should the tester’s IP be white listed?

Bottom line: You are highly encouraged to white list the tester’s IP address from any active interference in your protection system(s). The faster we can identify your vulnerabilities, the more thorough we can be, and the cheaper it is for you. Note: In this context, white list means to move the tester’s IP into a policy that still prevents access as intended for a given source, but changes any active protections (ex. IDS/IPS) to a monitor/alert-only mode, as to prevent interference.

You may be required to do so anyway, depending on various compliance standards you may fall under. The only exception is if you are a vendor seeking testing of a protection product (firewall, IDS/IPS, etc.) you have developed.

More about this topic can be read here: Shields Down Security Testing

When looking for a reputable offensive security testing firm to perform penetration testing and red teaming for your organization, there are a few things that can help ensure you find not only the most highly trained and experienced testers, but also the best company for your situation.

Read more on that topic here: https://penconsultants.com/compare

REMOTE: Other than Wireless Testing, this is the default for all testing services.  The security tester never physically visits your site. Although a remote evaluation will not address “physical” attacks, it will ensure you have a measured level of security from remote threats.

ON-SITE: The security tester goes on-site on multiple occasions to perform local assessments in addition to remote assessments. Advantages to on-site testing is the ability to assess wireless/wired infrastructure, physical access attacks, more thorough social engineering attacks, etc.

On-site testing is certainly more effective as it helps protect you against local and remote attacks. However, if your organization is not concerned with the local attack vectors, then remote testing may be all you need.

Additional fees for On-Site Testing:

In addition to the cost of the service you select, there is a two-part additional fee for on-site testing.  The first is the mileage fee of $3 per mile from 78006.  The second part is the number of days needed and what the testing includes. At minimum, this part of the fee is typically $200-400 per day.  Example: a small testing engagement in Dallas might be (275 miles x $3 per mile from 78006) + $350 = $1,175.  That is, $1,175 in travel expenses, in addition to the cost of the engagement itself.

What is the difference between "Vulnerability Scanning," "Vulnerability Assessments," "Penetration Testing," and "Red Teaming?" What do they mean? Which one do you need performed on your systems?

For a detailed look at this topic, and to make an informed decision about which testing best meets your organization’s needs, check out this blog post: Red Teaming vs Penetration Testing vs Vulnerability Scanning vs Vulnerability Assessments

Every detail of our testing is available to the client, during testing, in real-time.

This allows our client to track progress during testing, SOC staff to correlate recent activity to our testing (vs. a possible unauthorized attacker), IT staff to review any configuration changes made, and security staff to know about vulnerabilities they should start working to resolve immediately (vs. waiting for the report). It also enables every test we perform to be a Purple Team approach if the client chooses to. You can read more about Purple Teaming here.

We relay information in the following ways during testing:

• Secure communications and file transfer avenues to ensure your information remains protected
• Immediate notification if an imminent risk or compromise is identified
• 24-7 support – name, phone number, and email address of all security engineers performing tests
• Access to real-time notes and a journal-style timeline, which contains the following:
  • security engineers’ real-time, unedited, unfiltered notes about where they currently are in the testing process
  • individual tests completed, what has already been tested/attacked
  • current tests being carried out
  • upcoming tests yet to be performed
  • full commands ran for all tools and utilities
  • exploits used
  • vulnerabilities found
  • any changes/modifications made (most are pre-coordinated)
  • timestamps
  • See more examples here: https://penconsultants.com/realtimeTransparency

You may have heard the term black-hat to refer to a hacker or white-hat to refer to a security consultant, such as a Pentester/Red Teamer. The differences really only vary in intent and outcome.

Hackers:

• Their intent is usually for financial gain at your expense.
• Their outcome is to gain unauthorized access to your network, use it for their benefit, and leave no trace.
• They have no concern for your data, privacy, availability, or integrity.
• The breach and all data accessed is covert, and you often do not know they are in your network until it is too late.
• They have their own interests in mind.

Pentesters/Red Teamer:

• Their intent is to uncover the same vulnerabilities and test the same exploits/attack vectors as a hacker, documenting every step taken along the way.
• Their outcome/purpose is to provide you with ample guidance to protect yourself against discovered attack vectors.
• They go to great lengths to ensure your network/systems remain available and data stays secure and confidential.
• They provide you with detailed steps to mitigate and/or detect the attack vectors discovered during testing.
• They set up an out-briefing to go over mitigation steps in person.
• If Red Teaming, they will test your IR/SOC staff and then hold a debrief with the goal of helping your staff improve.
• They have your best interest in mind.

The balance of white/black box testing is a decision you will ultimately make based on your budget, risk concerns, and internal policies. PEN Consultants can help you determine the balance of testing you need during the no-obligation scoping phase.

Bottom line: White box testing is always going to give you the best ROI. A security tester’s objective is to help you find your weaknesses and address them.

For more information on this topic, read here: Gray Box vs. Black Box vs. White Box Testing

Absolutely! Insider Threat Simulation services fall nicely under our Red Teaming services. However, we can model the threat under just about any of our services: web app testing, penetration testing, wireless assessments, etc.

OUTSIDER’S PERSPECTIVE: Standard testing is conducted from an outsider’s perspective. This usually means the network is attacked remotely, visits to the campus are stealthy and/or “blend into the crowd,” and there is no “pre-authorized” access to any resource such as to doors, computer accounts, email, etc. The security tester would have the same level of access a “visitor” would have.

INSIDER’S PERSPECTIVE: The insider’s perspective simulates an attack by an employee, authorized contractor, or product owner. Typically during this test, the security tester will be granted access to certain doors/rooms and/or given a limited user computer account (just like an employee would have). It could also mean the tester (or at least a network connected device or software) may be on-site for 8+hrs per day in a place such as an office.

FOR CONSIDERATION: PEN Consultants will offer a custom blend of both perspectives based on your organization’s perceived risks and comfort level in granting us an “insider's level” of access. Another advantage to the insider’s perspective is the ability to evaluate the product(s) more quickly and thoroughly. “Outsider’s perspective” is time-consuming and not as likely to reveal as much within the constraints of time given for testing compared to having full access. The degree of access will be discussed and determined during the scope meeting(s).

According to the 2012 CyberSecurity Watch Survey, 24% of attacks are from an insider; 51% of corporations say the insider attacks have cost more money than outsider attacks.