31 Aug Penetration Testing Improves Cyber Defense and Resilience of Government Networks
The recent OMB/Office of National Cyber Director memo outlined three cybersecurity priorities for Federal government networks. The first among these is improving the defense and resilience of government networks. A key tool for improving cyber defense and network resilience is Penetration Testing: security testing in which assessors mimic real-world attacks to identify methods for circumventing the security features of an application, system, or network.
Criterion’s Penetration Testing services, also known as pen testing, help organizations to discover whether the implementation of required cybersecurity controls is in place and assess the level of awareness employees have as it pertains to security social engineering tactics, while providing a risk assessment of sensitive data. By validating existing preventative and detective controls deployed throughout the organization, analyzing vulnerabilities, and observing misconfiguration, the team can then provide and implement recommendations to ensure a more secure IT environment.
Benefits of Pen Testing
There are several key benefits of undertaking regular pen tests:
- Provides in-depth understanding of where vulnerabilities are that could be exploited by an adversary (external and internal).
- Validates existing cybersecurity controls and identifies areas of improvement to ensure program stays in compliance with regulations and enterprise directives.
- Enables organizations to optimize (cost / performance) and justify investments over time while building in continuous improvement and maturity.
Criterion’s Approach
Criterion’s six-phase penetration testing process is designed to validate existing preventative and detective controls deployed throughout the organization. From recon to the initial compromise, establishing a foothold, escalating privileges, then performing internal recon, our Penetration Testing process packages and compromises targeted data, then provides a detailed report that identifies and analyzes vulnerabilities and observes misconfigurations that, when remediated, will make our customers’ enterprise IT environment much more secure. During these phases, we follow a variety of methods to accomplish our mission:
- Use non-invasive and invasive methods (if approved)
- Exploit entry points
- Elevate permissions
- Execute internal scans
- Collect vulnerability information and unsecure configurations
- Compromise additional machines
- Demonstrate how we would clean up our tracks by deleting logs, removing created user accounts, and removing escalated permissions
- Perform a hard reset of machines, if possible, to remove forensic information in memory
Criterion’s Penetration Testing services offer validation of existing preventive and detective controls deployed throughout the organization. After every penetration test our team will write reports and presentations to articulate vulnerabilities found, what we could exploit, what data we could access, and recommendations on how to avoid these types of activities. Combined with a risk assessment of sensitive data – where it is stored, accessed, and by whom – the result is a more secure, mature cybersecurity program.
Criterion’s Penetration Testing service was developed in our Cybersecurity Center of Excellence, a dedicated group of cybersecurity professionals and subject matter experts with a focus on understanding and extending industry best practices. This development and application of practical, innovative, and continuously improving cybersecurity approaches, methodologies, and technologies directly benefits our customers today and into the future, as they tap into Criterion’s specialized expertise. Adding pen testing to our customers’ Focused Operations teams enables them to move beyond their current capabilities, keeping ahead of adversaries while they continually mature their systems.
Our Penetration Testing services are already being used by Federal customers either as a stand-alone solution or combined with Criterion’s Cybersecurity Operations Center (CSOC) services. Customers can access our services via the General Services Administration (GSA) Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) 54151HACS.