Infrastructure Penetration Testing
Our CREST-Certified CHECK Team Leaders (CREST CCT Infrastructure since 2011) have international work experience in penetration testing, security auditing and security management across varying sectors such as Banking, Financial Services and Insurance, Gaming/Gambling, Energy, Entertainment, Transport, Telecommunication, Oil & Gas, Pharmaceutical and local governments.
We have successfully executed and delivered several web application and infrastructure security projects for a number of clients rated amongst the top five in the BFSI industry. This involved contribution to complex projects with regard to IT security expertise on different aspects, i.e. architecture, network and development. A number of large projects/jobs commissioned related to the following main scopes:
- Big data/Hadoop security assessments (estate-wide Cloudera and Hortonworks implementations) including Hive, Impala, Knox, Ranger/Ambari, HBase, HDFS, etc. modules security reviews.
High risk platforms testing, such as investment banking products, FIX and futures trading compiled application assessments.
- SAP security assessments at one of the top retail and commercial banks and a leading British MNC in construction, demolition and agriculture.
- Pin Entry Device (PED) security assessments for PCI preparation for a major restaurant and coffee chain.
- Multiple black box internal security assessments.
*Internal Infrastructure Testing (domain wide – Black box testing ) – from zero knowledge with only physical access to one network port of your organisation, we attempt to compromise the network, grabbing password database, cracking and analysing the nature of passwords popular within the organisation, auditing the patch management policies, account policies, security settings and how group policy is faring against the server, desktop and other domain systems.
*Internal Infrastructure Testing (Focussed) – this testing differs from the above service with the exception of focussed testing on a set of systems. It does not involve any patch management or password cracking areas unless there is a compromise of systems in scope for test. This will provide a network footprint picture, along with any vulnerabilities associated with the software/services running on identified open ports.
*External Infrastructure Testing – this is a network infrastructure test performed over the internet. It is mainly performed against internet-facing servers such as web servers, email servers, firewalls and other network devices.
*Hardening Review – build reviews are performed on the operating systems to prepare organisations for benchmarking internal hardening processes necessary before rolling out new builds or improve existing server operating systems.
*Device Reviews –this area covers auditing configurations from a hardening perspective against devices such as switches, routers and firewalls.