Penetration testing is a proven methodology, and in some instances a compliance-mandated requirement, for accurately evaluating an organization's security posture by simulating realistic attacks. SudoSecure combines manual and automated penetration testing techniques and tools to reproduce the methods real attackers and malicious actors use against organizations like yours.
SudoSecure tests the security of your IT infrastructure by applying ethical hacking principles to safely identify and exploit your organization’s weaknesses. We analyze your organization’s security from the perspective of potential risks, and then by correlating these risks with your business processes and information flows, we can determine how well your security will stand up to malicious threats.
Although many companies perform penetration tests, SudoSecure delivers high-quality reports that present results visually so that both technical and non-technical personnel can understand the real risks within your organization. Our reports cover the approach SudoSecure took, the methods of attack to which your organization is most vulnerable, and our recommendations for protecting your organization from future attacks. SudoSecure prides itself on producing actionable intelligence through its reporting, so that your organization can respond immediately to the threats identified during testing.
Our penetration testing methodologies are based upon industry best practices including the OSSTMM (Open Source Security Testing Methodology Manual) and NIST (National Institute of Standards and Technology) Guidelines. SudoSecure utilizes these world-recognized penetration testing methodologies and guidelines as well as our own proprietary methodologies and know-how to produce repeatable, quality results with minimal risk to your systems during testing.
Technical Approach Overview
Our penetration testing methodology consists of three distinct phases as illustrated in the diagram:
Phase 1 – Preparation (Reconnaissance): We begin by executing formal contracts and non-disclosure agreements to protect the confidentiality of our client's data and to provide legal protection for the testing team. Next, we prepare Rules of Engagement (ROE) that detail the scope, testing windows, the types of tools and scripts we will use, the test plans, and a comprehensive project schedule for the entire engagement. We prepare restoration and escalation procedures for the unlikely event of a service disruption during testing, together with response and notification plans for any outage that does result from our activity. We also identify the key personnel and stakeholders on both the client and testing teams.
For every penetration test engagement, SudoSecure works to limit potential outages or disruptions throughout all testing stages, but we can never guarantee that a system or service will be unaffected, since the impact of testing depends on how vulnerable that system already is.
Phase 2 – Execution (Testing): Once our client approves the ROE, the testing team conducts the penetration tests in accordance with the test plans and scripts developed during the Preparation Phase. We adhere to the agreed-upon testing windows and parameters, and we halt testing if we observe anomalies or suspected adverse system activity. During testing we analyze and verify each finding to eliminate false positives. At the end of testing we categorize the vulnerabilities we discovered by criticality, identify remediation actions to close or mitigate each one, and compile this information for the final test report.
Phase 3 – Delivery (Reporting): We formally document and present our penetration test results to the key stakeholders identified in Phase 1. The deliverable includes a categorization of our findings by criticality, an impact analysis for each vulnerability identified, and a recommended corrective action plan to mitigate the vulnerabilities discovered during the testing phase.