Security Assessments

API Security Assessment

The Web application development industry is increasingly moving toward an ‘API driven’ approach, whereby an API (or Web service) is built to store and serve data, then a traditional Web application is built afterward to allow users to easily access that information. The versatility of APIs to interact with multiple technologies and languages provides businesses with greater opportunities to connect with other providers. However, APIs are not inherently secure, and often present new security concerns and potentially a wider attack surface. Security controls implemented in the traditional Web application may not necessarily be reflected in the associated API, resulting in a higher risk of sensitive information disclosure.

CloudCoCo have a professional API Security Assessment service that can be used to identify vulnerabilities that exist on your API. These tests can be performed on an API directly (depending on available documentation), or in accompaniment with any associated Web application.

Business OSINT Assessment

Gathering reconnaissance on the targets forming the scope of a security assessment is a critical first step; one that forms an extremely effective foundation on which to build targeted attacks. Online sources of information are now more numerous and easy to access than ever before. Building up a detailed profile on a business or individual can reveal a wealth of useful information. Understanding what information is available, and how that information could be leveraged, allows a business to implement better policies and compensatory controls to reduce the risk of attack.

CloudCoCo’s Business OSINT Assessment identifies the publicly available and leverageable information associated with the client’s business. This information can include open social media accounts, email addresses, DNS records, document metadata, and various types of personally identifiable information (PII) on key employees. This information is then used to create example targeted phishing attacks, and highlight the most likely external targets that any potential attacker would focus on.

Citrix Breakout Assessment

The various Citrix based remote working solutions allow employees to securely access both business data and applications remotely. The implementations can vary, some providing access to full Windows desktop environments, with others providing access to restrictive interfaces with limited applications. These solutions are often hosted on the client’s own infrastructure, which presents a security risk should these services be compromised. If an employee can ‘break out’ of the service’s restrictions, then they could potentially execute commands on a server with visibility of other internal hosts.

CloudCoCo’s Citrix Breakout Assessment can identify the vulnerabilities in the myriad configuration settings that can result in a user bypassing restrictions. These can be as simple as accessing a command shell via popular Microsoft Office applications, or involve more complex custom scripts to exploit weaknesses in file and service permissions. The results of this assessment can then be used to improve the Citrix environment configuration procedures, mitigating the risk of users breaching security.

Server / Endpoint Build Review

When building multiple servers and workstations in an office environment, it is typical for a ‘standard’ or ‘gold’ build image to be used. This image has been built with a fully patched operating system, and configured following the business server/workstation hardening procedure. This procedure is designed to reduce the risk of configuration vulnerabilities leading to a security breach. There may also be business specific configuration or proprietary software that is also included as part of the base image.

CloudCoCo’s Server / Endpoint Build Review provides the assurance that the business host hardening procedure includes all the necessary steps to sufficiently secure the host. The assessment identifies issues such as missing operating system and third-party software patches, but also examines the myriad security configurations that mitigate the risk of privilege escalation exploits, network based attacks, and weak passwords.

External Infrastructure Assessment

A business’ external infrastructure is typically a first port of call for attackers, potentially presenting a significant attack surface that can be examined and exploited with little risk of identification. The compromise of services providing remote access to corporate resources (such as VPNs and email portals) could result in the disclosure of highly sensitive information, or even provide a foothold from which to attack other internal resources.

CloudCoCo’s External Infrastructure Assessment service aims to identify both software and configuration vulnerabilities that exist on the client’s external public facing infrastructure. The testing is typically performed remotely from CloudCoCo’s office and data centre locations.

Firewall Configuration Assessment

A well configured firewall can significantly mitigate the risk of unauthorised connections to services, and can be placed at the network layer both internally and externally, or be software based on a single host. However, the granularity of configuration options increases the likelihood of vulnerabilities, and could expose hosts and services that are considered by businesses to be fully segmented.

CloudCoCo’s Firewall Configuration Assessment can identify general configuration, software, and ruleset specific vulnerabilities that exist on the firewall device. Testing includes not just an assessment of the chosen authentication controls, but also a thorough examination of other wireless attack vectors, such as bypassing captive portals, establishing fake wireless access points, leveraging lack of wireless isolation, the solutions susceptibility to denial-of-service type attacks, and the solutions ability to detect common attacks.

Internal Infrastructure Assessment

Establishing a security baseline with an assessment of the internal infrastructure is commonplace in most organisations. Whether the drivers are from industry compliance, or from security focused company leaders, the benefits of risk mitigation are widely understood and accepted. CloudCoCo’s Internal Infrastructure Assessment service aims to identify both software and configuration vulnerabilities that exist on the internal network and systems. Additionally, the assessment acts as a simulation of what is achievable should an endpoint be compromised (such as through a phishing attack or malware infection). The testing is typically performed onsite at the clients’ office or datacenter location, with the consultant patched directly into the infrastructure.

Managed Internal Infrastructure Scanning

The various automated vulnerability scanners can identify a wide range of common software and configuration issues, highlighting new issues that arise in between more in-depth manual penetration testing. New issues are discovered daily, and any changes a client makes to their infrastructure could also introduce new vulnerabilities. Such automated scanners are easy to use, many requiring just a target IP address to begin. However, the results can be overwhelming, and although severities are assigned to each issue, knowing how to prioritise remediation efforts can be a daunting task.

CloudCoCo’s Managed Vulnerability Scanning service provides the benefits of automated and regular testing, with the added value of an experienced security consultant interpreting the results. The vulnerabilities are examined in the context of the client’s environment, reclassified as necessary, and comments added to help the client understand the security issues and where to focus their efforts.

This service can be performed using a client’s already installed solutions, or CloudCoCo’s consultants can install the scanning solution within the client’s network.

Managed Web Application Scanning

Automated Web application scanners are widely available can identify a range of Web application vulnerabilities, allowing users to identify issues that could be exploited by an attacker. However, the results can be overwhelming amd knowing how to prioritise remediation efforts can be a daunting task. CloudCoCo’s Managed ‘Unauthenticated’ and ‘Authenticated’ Web Application Scanning service provides the benefits of automated and regular testing, with the added value of an experienced security consultant interpreting the results.

Mobile Application Assessment

The Mobile Applications we use daily have significantly advanced in recent years. This advancement and reliance upon such services has exposed users to a variety of new security risks. Protecting these applications from new threats is a constant challenge, especially for developers who may not be security aware and typically working toward a performance deadline.

CloudCoCo have a wealth of knowledge in the area of application security testing, and the professional Mobile Application Security Testing service can be used to identify vulnerabilities that exist on your Mobile applications.

PCI CDE Infrastructure Assessment

Any company that processes cardholder data is expected to be compliant with the PCI-DSS version 3.2 standard. This standard ensures that the cardholder data environment (CDE) and all associated infrastructure is suitably configured to process cardholder data securely. Companies can face large daily fines if they fail to comply with the requirements of this standard. The various requirements include regular security testing of the CDE, its segmentation from surrounding networks, and structured security testing of the public facing infrastructure by an Approved Scanning Vendor (ASV).

CloudCoCo’s PCI CDE Infrastructure Assessment meets the main 11.3 requirements to ‘implement a methodology for penetration testing’, examining the security of client’s internal infrastructure, CDE, and confirmation of suitable segmentation controls.

Phishing Email Assessment

Broad-scale and targeted email phishing attacks are among the most likely type of cyber attack that businesses are having to contend with today. Such emails can be sent with little risk, and if successful, could trick users into revealing sensitive information such as login credentials, or potentially even result in the installation of malware. Such emails could be sent in mass to all employees, when just one successful exploit is needed to compromise the business’ sensitive data. Alternatively, specific individuals within the business may be targeted with highly bespoke emails, aiming to leverage that particular employee’s privileges. CloudCoCo’s Phishing Email Assessment simulates both a broad-scale generic email phishing attack, or a realistic targeted attack on key employees. The result of this assessment generate valuable statistics for measuring the effectiveness of the business awareness training and procedures.

Overview of Methodology

The Phishing Email Assessment will typically include the following fundamental stages:

Category Description
Targeted Scenarios Through the gathering of business OSINT, and discussions with the client, appropriate scenarios are designed. These scenarios will assess the business’ procedures and effectiveness of awareness training.
Bespoke Fake Portals CloudCoCo use proprietary software to automate the sending of emails, tracking of responses, and hosting of fake login portals. As such, bespoke portals can be built from scratch to perfectly match any the client may have. These portals are then used to capture the credentials of users.
Tracked Emails and Responses Emails sent are embedded with information unique to the target user, allowing CloudCoCo to track which users clicked links, submitted credentials, the times of all events, and will cross reference this information with departments and/or locations to build useful statistics.
Awareness Training The results of the phishing assessment are then used to provide recommendations for awareness training areas of focus.

Red Team Assessment

The typical approach for security testing is to perform modular tests with clearly defined scopes. However, this is not usually the approach taken by real-world attackers who don’t have rules to abide by and time restraints to adhere to. Therefore, to simulate a realistic targeted attack, the same approach needs to be taken by security consultants, opening up the scope to all aspects of the entire target company. The primary aim would be to exfiltrate data, rather than to identify as many vulnerabilities as possible.

CloudCoCo’s Red Team Assessment will simulate a real-world targeted attack by a team of highly trained and experienced security specialists. The results can then be used to understand the most significant vulnerabilities spanning the full scope of the company, and the issues most likely to be exploited in a real- world scenario.

Overview of Methodology

The Red Team Assessment service will typically include the following fundamental stages:

Category Description
OSINT Profiles for the target company and key employees will be created using online resources. This information forms the basis for targeted scenarios designed to exploit weaknesses in business policies, procedures, and awareness training.
External Infrastructure Attacks The public facing attack surface will be mapped (including any third-party attack vectors where viable), identifying opportunities for faking remote access logins, password attacking weak authentication controls, exploiting outdated and/or vulnerable services, and leveraging key Web application vulnerabilities.
Spear Phishing Both broad scale and highly targeted phishing emails may be used to illicit sensitive/useful information for use in other scenarios, or to establish a foothold on the internal network.
Vishing Where appropriate, telephone calls to key employees may be used to gather information for use in onsite attack scenarios, or to aid in scenarios such as booking meetings rooms or arranging contractor access.
Physical Access If the primary objectives include access to restricted areas, removing company property from site, or establish remote network access (where no remote attacks are feasible), then the consultants will visit the target site with the aim of gaining unauthorised access.
PoC for Compromise Red team assessments can have varying objectives, but typically include the exfiltration of specific information or proof of access to restricted physical areas. In either case, the consultants will collect screenshots, photographs, place stickers on target network points, or install drop boxes.

Remediation Consultancy Service

Penetration Testing is a well-utilised service with many organisations undertaking such a service either for risk management or compliance purposes.

Fixing the issues identified in a Penetration Test is referred to as Remediation. In our experience, Remediation after a Penetration Test can be an onerous task that can burden the organisation’s technical teams.

CloudCoCo offer a Remediation Consultancy Service as part of their Penetration Testing as a Service (PTaaS) offering. This service offering completes the Penetration Testing process by engaging with a consultant to provide a tailored prioritised approach to remediating any security issues identified from the testing engagement.

What are the risks?

Fixing identified security issues is a technical task that has to be performed by competent technical consultants who are adept with dealing with such matters. CloudCoCo specialise in identifying and remediating security issues on all common platforms and applications. It is important that you assign proper priorities to the identified issues and fix them in a timely manner. Once these issues have been fixed, they have to be retested to ensure that the fix has mitigated the risk.

How can we help?

This Remediation Consultancy Service provided by CloudCoCo is a two-stage process. The initial phase involves one of our specialised consultants reviewing the findings of the Penetration Test report and aligning this with your business requirements to create a prioritised approach document that contains remediation advice for all of the identified issues ranked in order of risk.

Once this report is created, the next step is to look at the implementation of this plan to mitigate the risks identified.

This prioritised approach document can be implemented either by your own internal IT staff, your incumbent IT provider or CloudCoCo as part of the engagement, therefore, taking away the time pressures of ensuring your infrastructure is secure and free from security issues.

The service would be delivered as part of the CloudCoCo Penetration Testing as a Service (PTaaS) and full access to the SecurePortal and other complementary tools would be provided.

Web Application Assessment

The Web technologies and applications we use daily have advanced in recent years. This advancement and reliance upon such services has exposed users to a variety of new security risks. Their complexity and availability have made them an ideal target for attackers, demonstrated by the many publicised major data breaches. Protecting these applications from new threats is a constant challenge, especially for developers who may not be security aware and typically working toward a performance deadline. CloudCoCo have a professional Web Application Assessment service that can be used to identify vulnerabilities that exist on your Web applications. CloudCoCo have a wealth of knowledge in the area of application security testing, and their testers have created and contributed to many open source web application security projects.

Wireless Infrastructure Assessment

Having both a corporate and guest wireless network infrastructure is now fairly commonplace in most businesses both small and large. These networks provide convenient access for portable devices such as laptops, tablets, and handsets. However, they are another service for attackers to target, a connection to the corporate infrastructure that reaches beyond the physical walls, sometimes for huge distances depending on the specialist kit available to the attacker. Configuration vulnerabilities are common, and could allow an attacker to access corporate resources from guest networks, attack business managed hosts, or even bypass well-established enterprise authentication controls.

CloudCoCo’s Wireless Infrastructure Assessment can identify the various configuration vulnerabilities that exist on the wireless networks. Testing includes not just an assessment of the chosen authentication controls, but also a thorough examination of other wireless attack vectors, such as bypassing captive portals, establishing fake wireless access points, leveraging lack of wireless isolation, the solutions susceptibility to denial-of-service type attacks, and the solutions ability to detect common attacks.