INTERNAL/EXTERNAL NETWORK PENETRATION TESTING
Phoenix Infosec follows the Penetration Testing Execution Standard (PTES), a standard that has gained wide adoption within the security community.
This includes vulnerability scans of the in-scope systems, where we manually verify issues and exploit any issues found. We report on the issues that pose an actual risk to your organization.
In an External Penetration test, we perform a vulnerability scan of your company’s externally facing (public) systems, manually verify issues, and exploit issues.
During this testing, we perform port scans, vulnerability scans, and testing for all computers, devices, databases and networking equipment on in-scope networks. We then validate the scan results to weed out false positives by manually verifying a subset of results within particular vulnerability classes, and review the discovered vulnerabilities.
WEB APPLICATION PENETRATION TESTING
Phoenix Infosec uses the OWASP Testing Guide for its assessment methodology relying on the use of real-world tactics, techniques, and procedures.
We will perform an in-depth assessment of your web applications in order to discover vulnerabilities caused by programming errors, misconfiguration or architectural issues. We use both manual inspection and automated scanning tools to identify vulnerabilities.
VIRTUAL SECURITY OPERATIONS DEPARTMENT
Don't have the resources needed to staff a competent security department? We work with you to define and establish logging, monitoring and alerting alongside other proactive cyber security initiatives suited to your business.
Security Operations Services Include:
Implementation and configuration of SIEM (Security Information and Event Management) systems to aggregate and correlate security event logs.
Development of incident response plans to detect, prevent, and contain security breaches, eradicate associated cyber threats, and restore affected business processes.
Management of the identification, tracking, and remediation of security vulnerabilities within the corporate environment.
General security consulting, guidance and implementation on the necessary security initiatives to enable and protect your organization.
Network security architecture review
ASSUMED BREACH ASSESSMENT
Even a seemingly insignificant compromise can have big consequences, and our goal is to demonstrate this risk.
We start as a low privilege user and attempt to move through the network to reach the data that matters to you. This assessment simulates the position of a compromised internal host or user, or of a rogue trusted insider.
The level of access used as a starting point simulates what an attacker may have gained through a successful phishing email campaign or by impersonating an employee or contractor. The assessment helps your company understand what can happen from that position and how to raise the bar on your internal security.
CRITICAL SECURITY CONTROLS
The Center for Internet Security (CIS) Critical Security Controls are a prioritized set of best practices created to stop the most pervasive and dangerous threats of today. They were developed by leading security experts from around the world and are refined and validated every year.
As you probably know, simply being compliant is not enough to mitigate probable attacks and protect your critical information. While there's no silver bullet for security, organizations can reduce chances of compromise by moving from a compliance-driven approach to a risk management approach focused on real world effectiveness. Implementing the CIS Critical Security Controls is a great way to protect your organization from some of the most common attacks.
PCI COMPLIANCE READINESS ASSESSMENT
Prior to scheduling an official PCI audit, many Level 1 merchants conduct a PCI readiness assessment. Also known as a pre-audit, this assessment is designed to uncover and remediate any security issues.
We also recommend that Level 2-4 merchants, who are required to fill out a self-assessment questionnaire (PCI SAQ), conduct a readiness assessment.
Our PCI readiness assessment builds a baseline to ensure that compliance is achieved as efficiently as possible, often uncovering weak points in a client’s cyber defenses.