Security Assessment and Penetration Testing Services
InteliSecure provides security assessments and penetration testing services that help you understand which threats and vulnerabilities pose the most risks to your organization due to infrastructure gaps, people, environmental issues or third-party exposure. We offer assessment and testing services for organizations of all sizes and across all industries.
Penetration testing is part of a recognized approach to identify and quantify risk. Through testing we actively attempt to exploit vulnerabilities in your applications, infrastructure and business processes. We provide context around identified vulnerabilities, their impacts and the likelihood of a breach of an asset.
Our team is trained to think and act as if they were real-world malicious attackers and hold some of the top certifications in the industry including CREST STAR and Offensive Security’s OSCP and OSWP designations. This approach helps your organization fully understand how it would hold up during an actual attack. The results of our engagements proactively identify and quantify vulnerabilities so you can measure and determine the acceptable level of risk your organization is willing to take on.
Our Security Assessment and Penetration Testing services provide insight into all aspects of an organization’s environment and include:
If your organization is looking at becoming Cyber Essentials or Cyber Essentials Plus certified, please visit our Cyber Essentials Certification page.
An external infrastructure assessment provides a snap shot of the current security posture and state of Internet facing systems. By choosing this type of assessment you would be implementing a proven test which replicates what an attacker would initially implement prior to an external attack. This enables you to establish the attack surface of your external internet facing infrastructure.
This type of assessment will allow you to understand the potential impact of an attacker with a foothold within your network or a malicious or disgruntled employee. With the exception of cloud services, almost all sensitive information is held within the perimeter of a typical infrastructure. By understanding which areas are vulnerable to attack (such as internal email, databases or financial information), you can begin to protect those assets.
With the data centre being slowly moved from within the company network to being hosted by third parties, a new challenge arises in how to secure access to these critical assets. With extensive experience in performing cloud infrastructure, segregation testing and access control, InteliSecure can work with third parties to ensure confidentiality, integrity and availability of your critical infrastructure.
From the starting point of a standard user, InteliSecure will determine the actions that could be taken to affect the confidentiality, integrity and availability of your critical assets. Can the user escalate privileges to that of Domain Admin? Are sensitive files available without any access restrictions? Can a malicious actor attack impersonate other users? Breakouts can be performed from on-site desktop, remote access solutions such as Citrix, and from within VPNs.
InteliSecure aligns to Open Web Application Security Project (OWASP) methodologies to ensure consistent coverage and depth of testing. Our team has a wide range of experience of external and internal applications covering financial, telecommunications, retail, national infrastructure and government (U.K. only) sectors.
While some architecture can be similar between mobile and web applications, the deployment of a mobile application introduces a greater attack surface. Does the application correctly store data on the device? Can the application detect use on a ‘rooted’ or ‘jailbroken’ device? InteliSecure has experience with Android, iOS and wearable devices.
Internal applications can suffer from multiple vulnerabilities around network traffic, memory usage and operating system vulnerabilities. We will perform an in depth assessment, hooking into the application to understand how it interacts with network resources, authenticates users and secures data while in use on the desktop.
Web applications are increasingly required to communicate with other web applications to provide and retrieve sensitive information. Testing is performed in a similar manner to user interactive web applications, searching for incorrect configurations, injection attacks and other Open Web Application Security Project (OWASP) vulnerabilities.
Network Device Configuration Review
InteliSecure will review the configurations of firewalls, switches, routers and proxies to ensure that their configuration is performing the intended function and adheres to industry standard best practices. Gaps in filtering rules could allow an attacker to traverse a network, exfiltrate data and hamper investigations should logs not be captured correctly or securely. The majority of network devices are covered and reviews can be performed on-site for secure environments.
VPN/Remote Access Services
Virtual Private Networks can fall short of best practices when configured as default, by ensuring that encryption, password policies, two factor authentication and user/access management are correctly configured you can help protect network traffic when traversing the internet.
Stolen Laptop Assessments
Theft or loss of a laptop can be devastating. Organizations often find themselves asking: What information was available? Can a malicious actor gain access to our network? Do the policies to ensure data encryption work as required? We answer those questions and can give remediation advice to prevent your critical assets from falling into the wrong hands.
A build review provides a detailed review of the installation and configuration of a company’s base operating system or ‘gold build’. By choosing this type of assessment you would be implementing a proven test which ensure that systems have been built, configured and deployed with respect to industry standards or corporate policy.
Red Team engagements involve InteliSecure’s Penetration Team attempting to breach a client’s environment through an intelligence-led, customized penetration text against its infrastructure to replicate the kinds of attacks malicious threat actors may perform. These types of engagements are designed to help a client’s internal teams become more effective in the identification and prevention of such attacks in the future.
InteliSecure is CREST and CREST STAR approved.
A database review provides a review of the deployment and configuration of an organization’s database servers. With the importance of database systems in today’s business environment it is important to review their configuration before deployment and at regular intervals.
Physical Security Assessments
Physical penetration testing attempts to infiltrate an organization’s facilities through various means which may include access via secured doors; the evasion of motion sensors, security cameras and checkpoints and even obtaining passwords written on post-it notes. The aim of the engagement is to identify weaknesses in the physical security controls and areas where staff and/or polices can be strengthened to identify intruders.
Social engineering relates to coercing individuals within an organization to inadvertently grant access to information to someone who does not have proper authorization. Examples of social engineering may include phishing, phone campaigns, and impersonation. Social penetration testing may be a component of a physical penetration test.
InteliSecure offers additional assessment and testing services around other key components of an organization’s IT infrastructure and specialized systems. InteliSecure can assess supervisory control and data acquisition (SCADA), industrial control systems (ICS) and radio frequency transmissions such as Bluetooth and Zigbee.