Security Assessments & Pen Testing

As companies have increasingly been hit with data breaches, the demand for security services has grown, and a variety of firms looking to rebrand themselves as ‘cyber’ service providers have piled into the industry. These firms possess widely varying degrees of expertise and often do not adhere to established security frameworks, which can lead to confusion and inadequate security practices.

Some Basic Terminology
Information security assessments (often termed “cybersecurity assessments”) are recognized by key regulatory authorities such as the SEC, the FFIEC, and the New York State Department of Financial Services, and are well-defined by Federal authorities such as the U.S. Department of Commerce (NIST) and by internationally-recognized security frameworks including ISO, SANS, OWASP, and COBIT.

Security assessments are intended to be holistic, and include each of the following:

  • Review of Security Policies and Procedures (known as Administrative Controls)
  • Real-world Threat-matching and Evaluation of:
    • Effectiveness of Administrative Controls
    • Change Management and Configuration Protocols
    • Security Architecture (Network-, System-, and Host-level)
  • Cybersecurity Health Assessment
  • Penetration Testing
  • Security Audit

NES Cyber professionals are highly trained in each of these services, and we describe our services below.  Before proceeding, however, we think it is useful to define the terms Cybersecurity Health Assessment and Penetration Testing, as these terms are commonly confused or misapplied.

Cybersecurity Health Assessments
Cybersecurity Health Assessments (also known as Vulnerability Testing) comprise the first step in assessing the security of your enterprise environment. As the U.S. Department of Commerce describes vulnerability scans in NIST SP 800-115, “Vulnerability scanning can help identify outdated software versions, missing patches, and misconfigurations, and validate compliance with or deviations from an organization’s security policy.”

Put differently, if external scans (for example, scans of a firewall or an internet-facing web server) are analogous to walking up to the front door of a target’s house to determine if the front door is unlocked, then cybersecurity health assessment scans are the equivalent of checking inside the house to determine (a) whether an attacker is already inside the house and perhaps sending data out the back door, and (b) whether an internal vulnerability (such as unpatched software, or an unsecured database or device) is likely to lead to a security breach.

While compliance-focused “desk audits” and external scans of your network are often performed as part of an overall security assessment, these steps are not sufficient in themselves since they cannot identify internal vulnerabilities and therefore cannot give you a complete picture of your company’s security posture.

Pen Testing
Pen Testing (short for “Penetration Testing”) is a well-defined process among security professionals. A pen tester is a certified ‘white hat’ whose job it is to break into a network using a variety of techniques: physical, electronic, social, or some combination of these.

The purpose of a pen test is to determine whether or not an attacker is able to penetrate your network, and to determine how far they are likely to get once they are in (e.g. whether or not they are able to exfiltrate or otherwise compromise sensitive data).

Pen testing should be conducted after a full, on-premises cybersecurity health assessment scan has been performed, and after the identified vulnerabilities have been prioritized and fixed, since the purpose of the pen test is to verify that any identified vulnerabilities have been adequately patched.

A word of caution: Pen tests should always be performed by highly-trained experts who possess years of relevant experience and advanced certifications such as the OSCP/OSCE and GPEN certifications. The average IT practitioner (or IT administrator) does not possess these certifications and therefore should not attempt to perform pen testing, as this could lead to damage to systems, databases, and other critical IT infrastructure.

NES Security Assessment Services
Each NES cyber expert possesses at least a decade of offensive and defensive experience, and each carries advanced certifications, including: OSCP/OSCE (offensive security), GPEN (pen testing), CCNP/CCIE (master-level network engineering), MCSE/MCITP (master-level systems engineering), GCIA (intrusion analysis), GCIH (incident handling), GCNA (network auditing), GCFA (forensic analysis), and CISSP.

NES performs every level of security assessment testing, and we customize our assessment processes to meet the operational and compliance-based priorities of our clients.

NES Cybersecurity Health Assessment Services
Our Cybersecurity Health Assessment services are illustrated by Figure 1 (below) and include the steps outlined below. For each of our clients, an initial cybersecurity health assessment scan is free of charge.

  • Step 1: A scan of the external environment (perimeter)
  • Step 2: A full network scan, including an inventory and mapping of all interior network segments, hosts (computers), devices (e.g. switches, printers, etc.), databases, operating systems, applications, and security protocols
  • Step 3: Identification of any active and vulnerable services (ports) running on each host
  • Step 3: Identification of vulnerabilities associated with any discovered operating systems and applications, including out-of-date software versions, mis-configured systems and services, inadequate access controls, etc.
  • Step 3: Testing and validation of compliance with host application usage and security policies
  • Steps 4 & 5: Prioritization and recommended fixes for all identified vulnerabilities based on (i) Severity and (ii) Operational Requirements

NES Pen Testing Services
Our Pen Testing services are illustrated by Figure 2 (below) and include the steps outlined below.

  • Step 1: A scan and compromise of the external firewall (perimeter security)
  • Step 2: The compromise of host / LAN security
  • Step 3: An escalation of user privileges, the compromise of directory services, and lateral movement (as needed) across the internal user network
  • Step 4: The exploitation of one or more database servers
  • Step 5: The exfiltration (removal) or other demonstrated compromise (e.g. flagging) of selected data