Penetration Testing - ESTec Security

By: Estec Security  09-12-2011

Penetration testing should be considered whenever control systems are already in place and their functioning has to be tested. Penetration testing also verifies the functioning of a business's Intrusion Detection System. In addition, penetration testing identifies vulnerabilities in proprietary systems. Penetration testing takes place at 3 levels:

Initial testing occurs with only the information that might be discovered by an outside intruder: zero-knowledge testing.

The second level of testing checks for illegitimate or illegal use of a machine by a legitimate user armed with the information legitimately available to him or her.

In the third level of testing, the tester acts as a well-informed malicious individual with strong computer knowledge and access to sophisticated tools.

The penetration testing methodology used by ESTec ensures that all potential weaknesses are tested, including all currently identifiable vulnerabilities. It stresses the application in ways that the developers never expected. Where an application exists on multiple machines (typical client/server architecture), we test each machine and the communications channel between systems. We also attempt to exploit 'features' of the applications to gain unauthorized access.

Sample Case

Customer: Major American Power and Gas Utility
Services: Penetration Test the SAP Accounting system
Problem: The utility was preparing to convert all accounting functions to SAP R/3. Management wanted to ensure that the controls in place adequately protected the system, which would soon handle billions of dollars in Receivables and Payables.
Solution: We conducted penetration testing on the accounting network, including a penetration attempt from the Internet. ESTec then provided a report detailing findings and recommendations. ESTec identified more than 80 critical vulnerabilities, and recommended additional control procedures to properly secure the accounting system. The recommendations included a change to the firewall configuration.
Result: After completing the majority of the recommendations, the accounting switchover took place, replacing an aging accounting system with a new Y2K compliant system.
