Penetration Testing and Cyber Security Consulting

Penetration testing is performed by “Ethical Hackers” using the same tools and techniques as a hacker-in-the-wild to safely mount an attack and uncover weaknesses in networks, web applications, IoT devices, and other systems.

Then the Ethical Hacking team develops a strategy to help the organization improve its security posture and reduce the risk of a cyber-attack.

Penetration testing is not performed by the IT team for three important reasons. 1. The IT team is responsible for setting up the system and the security defenses. It is impossible to identify faults in this role. 2. Ethically it is necessary to have an independent, third party perform the security assessment. 3. Ethical Hackers have specific experience and training that is different than an IT team member role.

A penetration test identifies vulnerabilities and weaknesses before a cyber-criminal finds them.

During the penetration test the Ethical Hacker attempts to find opportunities to:

• Gain access to restricted information, user accounts, and sensitive information
• Move laterally from one environment to another when access is restricted
• Uncover protected data and other opportunities to compromise the confidentiality, integrity, and availability of business records
• Mount the domain controller, printers, cameras, IOTs, workstations, and other assets
• Identify the level of sophistication needed to deploy ransomware or malicious files

Every day new vulnerabilities are discovered in hardware, software, code, and cloud environments. These vulnerabilities are published to a repository and each year the list grows. In 2023 the list is on pace to exceed 29,000 new published vulnerabilities. This is up by 11,000 in just 2 years.

Most organizations perform quarterly vulnerability assessments and whenever major changes occur.

A vulnerability assessment is an automated process to identify if the testing environment includes any of the vulnerabilities published to the publicly available list of well-known vulnerabilities.

A penetration test is a manual process to identify how or if an attacker could move laterally through an environment to escalate permissions, access sensitive information, or compromise the environment.

 

	Vulnerability Assessment	Penetration Test
Goal	Identify well-known vulnerabilities	Exploits vulnerabilities to gain access to the system and emulate a hacker-in-the-wild.
Outcome	List of Vulnerabilities by Asset and recommendations to remediate	Narrative description of attack scenario, prioritized list of vulnerabilities, detailed remediation instructions
Performed by	Tool based primarily	Experienced Penetration Tester (aka Ethical Hacker)
Value	Cost effective method of identifying well—known weaknesses	Provides an in depth understanding of security posture
Frequency	Quarterly	Annually
Cost	Less	More

 

 

Some organizations are regulated and are required to perform penetration tests annually.

Utility Companies

Financial institutions & Fintech

Healthcare Organization

Education – K-12 schools

Professional Services (attorneys, accountants, architects)

Manufacturing

Retail

Local, State, Federal, and Tribal governments

Those businesses who are not required should also consider a penetration test since waiting for a real-world cyber-attack is a risky and expensive strategy.

Every environment is unique, so the cost to test the IT infrastructure is, too! Depending on the scope our team can give you a ballpark with just a few details. Give us a call and we will point you in the right direction.

Engagements are fixed price and we will always look for ways to stretch your security dollars and help you find risk reducing strategies that are low cost, practical, and effective.

NYS School Districts -- Zelvin Security is state aided by BOCES through a COSER.

Top 5 reasons for performing a penetration test:

1. Protect client records, employee data, the investment of stakeholders, and Intellectual Property
2. Avoid reputational damage due to a cyber-attack
3. Uncover unknown vulnerabilities before cyber criminals can
4. Reduce the risk of operational downtime due to a ransomware attack
5. Prioritize cybersecurity strategies and IT investments

Additional reasons to perform a penetration test:

• Comply with regulations
• Identify the business’s resistance to cyber-attacks.
• Develop a strategy to reduce cyber-risks – blind spots.
• Nearly all business functions rely on technology. Without networks, cloud, and applications business comes to a halt and profits are reduced.
• Cyber insurance is no longer the answer. Premiums have sky-rocketed, and in some cases, the insurance coverages are not guaranteed if the “Cyber Insurance Application” doesn’t match the business security practices.

All 50 states have reporting requirements if a business is breached. Some states such as NY, CA, and Massachusetts also have hefty fines.