Assessments and Penetration Testing

Vulnerability assessment & penetration testing (“ethical hacking”) are MSI’s oldest and most renown service offerings. Our experience ranges from small business networks to some of the largest and most sensitive networks, devices and applications on the planet.

Vulnerability Assessment

At MSI, we use vulnerability assessments to measure the width of attack surfaces available for an attacker to exploit. MSI has the capability to perform ongoing, periodic and single instance vulnerability assessments against Internet exposed and internal networks, regardless of their size and complexity. To do so, we leverage our Distributed Assessment Platform (“DAP”), which uses a proprietary back-end to integrate several different commercial and open source assessment tools. The DAP allocates these tools against targets, based on the work plan and their characteristics, then leverages analytics and correlation techniques to align the data and remove both false positives and false negatives to the greatest extent possible. Added to the toolset are customized assessment tools focused on bringing the bleeding edge threat techniques discovered in our HoneyPoint Internet Threat Monitoring Environment (“HITME”) to bear against your assets. This helps us ensure that our clients have up to the moment protections in place versus the emerging threats active on the public Internet.

This unique approach, based on our long standing research work with the US Department of Energy, allows MSI to bring affordable, highly accurate, scalable vulnerability management techniques to nearly any organization. Our teams combine the best in technology, with a 10+ year mature methodology for doing assessments to create the highest value for our clients.

Note: Passive vulnerability assessment is also available. See your account executive for more information.

Penetration Testing

Our expertise in penetration testing and red teaming are well known in the industry. We have performed penetration exercises against financial networks, government agencies, lottery and gaming systems, voting infrastructures and every manner of network, web application and IT deployment. Our team is comfortable testing complex infrastructures in the following manners:

  1. Open, cooperative testing - working directly with the knowledge and integrated experience of the customer team
  2. Semi-Trusted testing - emulating a business partner or insider who is armed with partial knowledge of the environment, but acts as an advisor
  3. Zero Knowledge testing - working without knowledge of the environment, but working with trust agents to verify and validate information as discovered and manage the scope of the engagement on the fly
  4. True Red Team testing - solely results focused testing with no knowledge or trust agency, the team acts as a real adversary to safely accomplish the mission of the client
  5. Extrusion/Exfiltration testing - MSI believes in testing and modeling initial stage compromises. In this testing approach, our team starts with a compromised workstation or device and mock data. The team then tests for ways to exfiltrate the data without the client security team blocking the theft.

All of our penetration testing engagements follow a methodology based on several different testing approaches. The approach, strategy and tactics can be scoped by the client, but the emphasis is always on emulating real world threat vectors and attack techniques. Our team is skilled in technical attacks, social engineering, reverse engineering, exploit development, operational security compromise and physical security penetration.

From the physical layer to the application layer and all of the people that surround your organization’s efforts, MSI can systemically target, exploit and measure your security posture.

MSI testing engagements include our auditor friendly, clear, concise and actionable standard reports. These reports include an executive summary, a technical manager’s report and a technical detail report. All reports include color graphics, mitigation advice and full explanations of the work performed and the findings. Customized reporting is also available at an additional charge, along with readouts, briefings and other awareness activities for the report data.

Common types of Penetration Testing we perform:

  1. External & Internal Network Penetration
  2. Physical Compromise
  3. Social Engineering Testing
  4. Partner/Vendor Interconnection Attack Simulation
  5. Wireless Network Penetration
  6. Mobile Device Compromise
  7. Application (Web, Code Review, Client/Server) Testing
  8. Hardware Device Attack Simulation
  9. Simulated Malware Outbreaks & Command & Control Hunts
  10. Exfiltration/Extrusion Testing

For more specific information about our assessments or to discuss the testing methodologies, platforms or the like, please contact your account executive. They will be happy to work with your team to design a customized scope of work to address your specific needs.