Penetration Testing

The purpose of penetration testing is to identify weaknesses in an information system and recommend mitigation measures to increase the resistance of the information technology (IT) infrastructure and protect against unauthorized access, modification, or sabotage. Organizations often use the terms "penetration test" and "vulnerability assessment" interchangeably, when they are really two distinct tasks. SeNet works with our customers to ensure that the correct type of testing is selected. When a company's security maturity is at a high level, penetration testing can add value. However, if the security program is still growing or early in its life-cycle, an overall vulnerability assessment may be a better option.

Conducting a successful penetration test or vulnerability assessment effort depends not only on the skills and expertise level of the practitioners, but also on meticulous planning and oversight throughout the project life-cycle. SeNet has vast experience in performing these types of tests in both the commercial and government sectors.

SeNet follows an established multi-step methodology when performing penetration testing and vulnerability assessments. The exact process differs slightly based on whether the testing is being performed from an internal or external perspective. A key element of SeNet’s planning process is the development of a detailed test plan. This test plan will incorporate the rules of engagement, and will be developed following the kickoff meeting and a review of relevant documentation provided by the client. Its purpose is twofold: a working document to be used by the SeNet Team while engaged in this activity and a specific description for client stakeholders of planned testing activities.

When performing vulnerability assessments or penetration tests, one of the biggest obstacles to delivering a valuable product is dealing with false positives. Once the raw results from the automated and manual tools are collected, SeNet's team begins the process of verifying and cross-referencing them, not only against our extensive vulnerability knowledge base, but also against the Common Vulnerabilities and Exposures (CVE) list, the National Vulnerability Database (NVD), and several other knowledge resources used throughout the security community. Findings reported by the automated tools are further tested to eliminate false positives, which can be caused, for example, by an organization's customizations. Weaknesses are also correlated against our knowledge base to identify potential false negatives that the tools omitted.
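As an added illustration (not SeNet's own tooling) of the cross-referencing step described above, the following Python triages constructed scanner findings against a small local CVE knowledge base: it merges duplicate reports across tools, marks likely false positives where the observed version falls outside the affected range or a vendor backport already covers the CVE, and lists inventory entries that match a known CVE no tool reported as possible false negatives. The knowledge-base layout, the CVE ids, product names, host names and the version-range rule are all constructed assumptions for this example.

```python
from dataclasses import dataclass

# Constructed knowledge base (assumption): CVE id -> (product, first affected, first fixed)
KNOWLEDGE_BASE = {
    "CVE-0000-0001": ("exampled", "2.4.0", "2.4.50"),
    "CVE-0000-0002": ("exampled", "2.4.0", "2.4.60"),
    "CVE-0000-0003": ("dbsvc", "5.0", "5.7.30"),
}

@dataclass(frozen=True)
class Finding:
    tool: str                        # scanner or manual test that reported it
    host: str
    product: str
    version: str                     # version string seen in the service banner
    cve: str
    backport_patched: bool = False   # host patch list already covers this CVE

def parse_version(v):
    return tuple(int(p) for p in v.split("."))

def affected(version, lo, hi):
    return parse_version(lo) <= parse_version(version) < parse_version(hi)

def triage(findings):
    """Merge duplicate reports per (host, CVE) and classify each one."""
    groups = {}
    for f in findings:
        groups.setdefault((f.host, f.cve), []).append(f)
    out = {}
    for (host, cve), reports in groups.items():
        f, kb = reports[0], KNOWLEDGE_BASE.get(cve)
        if kb is None or kb[0] != f.product:
            status = "needs-manual-verification"  # not in KB, or product mismatch
        elif not affected(f.version, kb[1], kb[2]):
            status = "likely-false-positive"      # banner version outside range
        elif any(r.backport_patched for r in reports):
            status = "likely-false-positive"      # fixed by a vendor backport
        else:
            status = "confirmed-candidate"        # still gets hands-on testing
        out[(host, cve)] = (status, sorted({r.tool for r in reports}))
    return out

def possible_false_negatives(inventory, findings):
    """Inventory entries that match a KB CVE no tool reported."""
    reported = {(f.host, f.cve) for f in findings}
    missed = []
    for host, product, version in inventory:
        for cve, (kb_product, lo, hi) in KNOWLEDGE_BASE.items():
            if kb_product == product and affected(version, lo, hi) and (host, cve) not in reported:
                missed.append((host, cve))
    return sorted(missed)

# Constructed sample input: three hosts and the raw reports about them.
INVENTORY = [("web1", "exampled", "2.4.41"), ("web2", "exampled", "2.4.55"), ("db1", "dbsvc", "5.7.20")]
FINDINGS = [
    Finding("scanner-a", "web1", "exampled", "2.4.41", "CVE-0000-0001"),
    Finding("scanner-b", "web1", "exampled", "2.4.41", "CVE-0000-0001"),
    Finding("scanner-a", "web2", "exampled", "2.4.55", "CVE-0000-0001"),
    Finding("scanner-a", "db1", "dbsvc", "5.7.20", "CVE-0000-0003", True),
    Finding("scanner-b", "db1", "dbsvc", "5.7.20", "CVE-0000-9999"),
]
```

A confirmed-candidate is still only a priority for hands-on verification; the triage decides where analyst time goes first, not what is reported.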

A series of more sophisticated tests then follows, in which our team draws on its extensive experience with security software, attack profiles, test scripts, and exploit programs to assess the security of the target environment.

Knowledge transfer is an important objective of this task. A study would be less valuable if the findings are not mitigated and changes are not made to reduce or eliminate the introduction of future security vulnerabilities. Full documentation of test results accompanied by formal presentations, informal work meetings, and discussions between the client and the test team, will ensure that knowledge transfer is complete and effective.

Application Security

Application security covers a range of services, from web and mobile application testing, secure code reviews, and reverse engineering to application design. We have performed these services for a wide range of customers, such as Amtrak, the Department of Education, the Idaho Department of Health and Welfare, Parx Casino, and many more.

Web and mobile applications are becoming more prevalent and more sophisticated, and they are critical to almost all businesses. They are also one of the targets that attackers are looking to exploit.  As the impact of insecure applications on data security becomes ever clearer, organizations with a strong commitment to data integrity and privacy are taking concrete, measurable steps to ensure the software that controls data is developed securely.

Vulnerabilities such as cross-site scripting (XSS), SQL injection, and command injection result from code that was not designed or written securely. Organizations now understand that it is imperative to find a way to identify and eliminate critical vulnerabilities in the applications that expose vital data and systems. SeNet can assist companies in designing and testing their applications to reduce overall risk to the business. This can be done once an application is already in production or, ideally, during the software development life cycle.

Assessment and Accreditation

Security compliance and risk management are areas that we understand very well. Over the years we have performed security compliance work covering FISMA, PCI, ISO, HIPAA, CJIS, DFARS, and others. We believe that many organizations approach security compliance incorrectly and in the process leave themselves with a false sense of security. Our view is that compliance does not equal security, but if you are secure you will be compliant.

We are proud of all of the testing work we have performed and what makes SeNet successful is our passion for information security, approaching testing as more than a “check-box” exercise, our staff’s experience and technical skills, and management’s hands-on involvement.

Gaming Security

SeNet's focus and knowledge in gaming makes us the only information security firm that specializes in gaming and iGaming. Over the past four years we have turned our attention to the gaming and iGaming industry, largely due to the research and interest of SeNet's Chief Technology Officer (CTO), Mr. Gus Fritschie. Mr. Fritschie has performed extensive research on online gaming security, presented on this subject at multiple computer industry conferences such as DefCon, and written articles for both print and online publications. Based on the efforts of our CTO, SeNet has established a new line of business focusing on this emerging and growing area. We have assembled a team that not only has more than a decade of proven information security expertise as a company, but also a strong understanding of the traditional gaming industry and the emerging iGaming market.

Over a fairly short period we have learned that, while casinos vary greatly in their size, staff, and technical expertise, most do face significant IT security challenges. We believe that SeNet can provide valuable services both to organizations that have mature security programs and to those that have never had a vulnerability assessment conducted before.

Our experience in gaming covers traditional land-based casinos, iGaming and daily fantasy sports sites, lotteries, and tribal gaming.  Some of our customers include Borgata Hotel Casino and Spa, North Carolina Lottery, Multi‑State Lottery Association, Spirit Mountain Casino, Rush Street Gaming, Pala Interactive, Star Fantasy Leagues, and Akwesasne Mohawk Casino Resort.

Most gaming organizations have been expanding their information technology footprint in recent years, mirroring the trend in federal, state, and local governments. While these new technologies provide increased productivity and better quality of service to end users, they also introduce new security risks if implemented incorrectly. This holds whether the change is implementing a new firewall, upgrading point-of-sale (POS) systems, moving into iGaming, or changing the overall network design: information security needs to be taken into consideration and your environment needs to be secured.

It is a misconception to believe that small, unknown organizations are immune. Attackers do not discriminate between a large organization with multiple casinos and a smaller one with only a few Internet resources. What does change is the level of risk. Most organizations, including casinos, will never be completely secure. Consequently, informed decisions must be made about reducing risks to acceptable levels commensurate with the possible damage and likelihood of occurrence. SeNet's goal is to identify vulnerabilities so that you can make well-informed, risk-based business decisions and increase your organization's overall security posture.

Forensics

It seems that you cannot go a day without reading about another company or organization that has been “hacked.”  The trend has been evolving from simple mischievous actions, such as defacing a Web page, to determined and dedicated attacks with a purpose to steal sensitive data or establish a foothold as part of an advanced persistent threat (APT).

When this occurs, SeNet can assist you in performing incident response and forensic analysis.  Working as an extension of your team, we provide the technical ability to identify malicious activities, assess the results of these activities, and collect information that can be admitted as evidence in a court of law, if required. If you desire to pursue legal action, SeNet can assist your organization in the investigative proceedings.  Our team of forensic analysts can testify as expert witnesses at the federal, state, and/or civil levels.

Below is a list of the services that our SeNet incident response and forensic analysis team can provide.  We have experience performing these tasks in both commercial and government organizations. Our forensic analysis services can help you determine the following:

  • Whether or not financial databases were tampered with.
  • Whether covered data was compromised in a data security breach.
  • The purpose for which a computer was primarily used.
  • Whether a user possessed or disseminated a document or documents.
  • Whether a specific file was ever printed.
  • Whether a user wiped a drive or a file.
  • Whether Web-based email accounts were used.
  • Whether intentional deletion of materials occurred.
  • Whether or not USB keys or other removable media were used.
  • Whether files were copied to USB or other removable media, and which files were copied.
  • Whether a system was compromised or not.
  • Whether computer misuse has occurred.
  • Whether intellectual property was compromised.

This can be done in both physical and virtual environments, although different tools and techniques may be used. The SeNet Team is prepared to assist you on very short notice, in most cases within 24 hours of your call.

Social Engineering

Social engineering is a technique by which an impostor approaches unsuspecting users in an attempt to extract useful information. The objective of SeNet's social engineering inspection is to identify and report on security awareness deficiencies and to allow our customers to focus on and improve such issues in their employee IT security awareness training programs. SeNet has performed social engineering exercises for multiple clients, each time identifying a number of interesting findings in the time that was allotted. Common social engineering techniques that we typically perform include:

  • Phishing attempts using spoofed e-mails and fake Web sites tricking legitimate users into assisting with browser and e-mail client based attacks, giving up legitimate authentication credentials, and revealing potentially sensitive information.
  • Attempts to gain any password access using multiple Social Engineering approaches: Authoritative, Impersonation, Intimidation, Ingratiation, Innocuous Questions, Rushing, and Name Dropping. These attempts target the help desk and the Osage operations staff. Tests will be conducted during stated hours of operations.
  • Telephone attempts to obtain or modify the network password of IT staff using multiple Social Engineering approaches: Authoritative, Impersonation, Intimidation, Ingratiation, Innocuous Questions, Rushing, and Name Dropping.
  • Unescorted, un-badged patrols of the halls, measuring the time and distance travelled before someone questions the tester's presence, and noting what action the inquirer takes after acknowledging the tester.
  • Unattended presence in an employee cubicle, measuring the time before someone questions the tester's presence, and noting what action the inquirer takes after acknowledging the tester.
  • Eavesdropping during un-badged patrols of the halls and unattended presence in an employee cubicle.
  • Unattended, non-invasive collection of proprietary data (e.g., post-it notes with passwords) which, if found, will be turned over to the Security Officer immediately.
  • Approaching staff members in person and soliciting information or assistance (e.g., help in printing a document stored on the tester's CD/USB).

For more information on how we can provide assistance in these types of exercises please contact us.

Training

The following information security courses are available from SeNet:


Introduction to Practical Computer Security Assessments

DESCRIPTION

This class will teach the basics of assessing your network for security vulnerabilities using open-source and low-cost tools. You will learn how to perform port scans to identify systems running unnecessary or dangerous services, how to perform vulnerability scans, and how to assess the security posture of your systems on a regular basis. Tips and tricks will be provided to make this process more efficient and deliver better results. The class consists of several labs in which you will have the opportunity to perform the scanning activities yourself.

INTENDED AUDIENCE

This class is intended for system administrators and other IT professionals who are responsible for managing and operating computer networks. Information security personnel who do not have hands-on experience in security assessments are also part of the target audience.

C_A101: CERTIFICATION AND ACCREDITATION FUNDAMENTALS (3 DAYS)

DESCRIPTION

The Federal Information Security Management Act (FISMA) directed the National Institute of Standards and Technology (NIST) to develop a comprehensive security certification and accreditation (C&A) process for information systems that support the federal government. The guidelines for implementing this process are contained in NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems. SeNet has designed this introductory course to instruct government personnel and their contractors on the fundamentals of this process.

INTENDED AUDIENCE

Government personnel and their contractors who are:

  • Tasked with performing or maintaining their organization's system/network C&A process.
  • Responsible for any portion of a C&A effort but who have less than one year of active participation in the process.
  • Interested in learning how to build the team necessary to conduct a successful, efficient C&A effort.
  • Authorizing Officials, Authorizing Official Designated Representatives, Chief Information Officers, Senior Agency Information Security Officers, Risk Executives, Information System Owners, Common Control Providers, Information Owners, Information System Security Officers, Information System Security Engineers, Security Control Assessors, and User Representatives.

C_A102-1: PHASE 1 C&A INITIATION PHASE (2 DAYS)

DESCRIPTION

This session covers the basic documents and tasks involved in the initial documentation phase of the C&A process. Attendees will learn the specifics of what goes into each of the documents that are required for C&A of information systems under FISMA and NIST SP 800-37.

INTENDED AUDIENCE

Government personnel and their contractors who are:

  • Responsible for performing or maintaining their organization's system/network C&A and testing.
  • Authorizing Officials, Authorizing Official Designated Representatives, Chief Information Officers, Senior Agency Information Security Officers, Risk Executives, Information System Owners, Common Control Providers, Information Owners, Information System Security Officers, Information System Security Engineers, Security Control Assessors, and User Representatives.

C_A102-2: PHASE 2 SECURITY CERTIFICATION (3 DAYS)

DESCRIPTION

This session covers the basic tasks involved in the certification phase of the C&A process. This phase is about executing security control assessments for the components of an information system. The session covers how to develop the plans for testing those components, how to execute those tests, and how to analyze the results.

INTENDED AUDIENCE

Government personnel and their contractors who are:

  • Responsible for performing or maintaining their organization's system/network C&A and testing.
  • Authorizing Officials, Authorizing Official Designated Representatives, Chief Information Officers, Senior Agency Information Security Officers, Risk Executives, Information System Owners, Common Control Providers, Information Owners, Information System Security Officers, Information System Security Engineers, Security Control Assessors, and User Representatives.

C_A102-2L: PHASE 2 SECURITY CERTIFICATION + LABS (5 DAYS)

DESCRIPTION

This session covers the same content as C_A102-2. This phase of the C&A process is about executing the system test and evaluation (ST&E) of the components of an information system. The session covers how to develop the plans for testing those components, how to execute the tests, and how to collate the test results. In addition, it includes laboratory exercises that are actual C&A testing exercises using available tools and techniques for testing information system components; the labs involve hands-on use of the testing tools.

INTENDED AUDIENCE

Government personnel and their contractors who are:

  • Responsible for performing or maintaining their organization's system/network C&A and testing.
  • Information System Owners, Common Control Providers, Information Owners, Information System Security Officers, Information System Security Engineers, and Security Control Assessors.

Security Engineering

SeNet applies a structured engineering approach. We first assess the needs and define the requirements: what needs to be protected, what measures are already implemented, and what policies and procedures are in place. We then define the technical specifications: network-based IDS, host-based tools, etc. Our deployment involves not only the physical installation of devices and software tools, but also a period of parameter fine-tuning and calibration to reduce the level of “false alarms”, since out of the box most IDS/IPS tools generate a tremendous number of reported events. Training is an important part of the implementation process. For a number of our clients we have conducted weekly visits, working with the on-site network operations team to fine-tune the system and training them in this process, for up to three months after the initial installation. In addition to the hands-on training, SeNet develops detailed operational procedures covering all aspects of these systems, from creating new users to uploading new attack signatures. If this proves insufficient, our engineers are always available to respond to an emergency, as well as for non-emergency consultations.

Tools and technologies we have experience with include:

  • ArcSight
  • Splunk
  • Sourcefire
  • Check Point
  • Palo Alto
  • Cisco

Our solutions can be tailored to organizations of every size and IT budget. We are also experienced in open-source solutions and can implement those where cost is a concern. We also have partnerships with companies such as AlertLogic for cases where a cloud-based implementation is the better choice.

Mobile Security

When it comes to mobile application security, one of the most important factors is secure code, both on the mobile device and in the backend web service. Code is more difficult to secure on mobile devices for a variety of reasons: technology, diverse platforms, privacy concerns, and experience, to name a few. How people use applications, and their usage patterns, are different on mobile devices. Factors beyond just the mobile application itself also need to be considered, such as remote web services, platform integration, and device-specific security issues.

The threat sources are also different from those of traditional web applications. There are multiple perspectives that attackers may take when attempting to compromise mobile applications. One is intercepting traffic in a man-in-the-middle attack (think of a coffee-shop network). The second, which is perhaps more likely and more dangerous, is when the attacker has access to the mobile application on the device itself.

SeNet’s mobile application assessment strategy has two different components:

  • Static Code Analysis – In this phase the source code of the mobile application is made available to the testing team.  A combination of automated tools and manual examination is used to identify weaknesses in the code and security vulnerabilities.  This is also considered white-box testing.
  • Dynamic Analysis – When mobile applications are used they communicate with a backend web service via application programming interfaces (APIs).  In this phase our approach is to examine the application and the APIs, along with the security of the backend web services.

A mobile application security assessment can combine both code review and dynamic analysis, or may just be one component or the other.  The primary factor in scoping the task is the client’s objective and time/budget allocated.