Call, Text or Email

{Click Here}

215.598.2887

info@gettallyho.com

Managed IT Support and Cybersecurity for Businesses of All Sizes

Penetration Testing

Penetration Testing

Many companies are now required by the FTC (due to the updated GLBA) to have annual penetration testing done. However, if it is your business is not required this should be considered a critical piece of your business process. Should a hacker gain access to your system they can potentially ransom your data or modify your system in a way that would make it unrecoverable. Hackers have been known to break into systems and slowly modify backup processes so that they go unnoticed. Then, when backups are no longer working, they dive in and delete all the data and install their ransomware. This can be catastrophic and has caused many businesses to shutter their doors or sacrifice years of profit.

Over the last few years there has been a shift of the hacking community to focus more on  small businesses. While the pay off is not as big (Ronin Network had over $600,000,000 stolen), the ease of access is often much simpler and quicker. This is due to a vast increase in black hat hackers and also because some hackers prefer quick nickels over a slow dime.

The first step in problem resolution is problem recognition. Tally Ho Tech performs professional penetration tests so that you may accurately evaluate the risk of your business data and your livelihood.

Get a Quote

Find out more about setting up a penetration test for your business.

Click Here

Common Tactics For Penetration Testing

  • Brute Force

    A brute force attack uses software that can try potentially millions of different combinations of usernames and passwords to try and gain access. They can also use leaked account data form the Dark Web as a dictionary for commonly used passwords.

  • Cookie Theft

    Cookies are little text files stored on your system or browser cache for when you access various websites. These files can sometimes carry personal, sensitive and valuable information about you. These could include your browsing history, user credentials, passwords, and financial information. If stolen, these cookies can be easily decrypted to obtain your personal information and can be used to impersonate you.

  • Denial of Service (DoS\DDoS)

    This hacking technique is used to bring down a site or network by overloading it. This is done by issuing excessive login attempts, data requests and repetitive tasks that exceed the capacity of the servers. This can be used to overwhelm your IT staff and distract them to launch other attacks covertly.

  • Keylogger Injection

    Hackers use Keyloggers to capture the sequence and strokes you make on your keyboard into a log file on your system. This could be sensitive information like your password or email ID. Often it is transmitted to them in real time.

  • Man-in-the-Middle Attacks

    A hacker can capture your internet browser session and take control to impersonate the user requesting information from a web server. This makes it possible for the hacker to steal valuable information.

  • Social Engineering

    The targets of this kind of attack are organizations, corporate bodies, and business entities. Hackers use outright deception or psychological manipulation to lure unsuspecting victims into divulging critical and often classified information. This hacking technique employs the human element.

  • Fake WiFi

    Hackers create a fake WiFi access point such that it redirects the victim to the hacker’s page in order to steal their personal information. The best way to counter this threat is to use a Virtual Private Network (VPN) service.

  • SQL Injection

    You may not realize it but a vast amount of your data is stored in some sort of database. Hackers often search for vulnerabilities to exploit in SQL databases. Once the individual finds an entry point they can often steal credentials or set up a ransomware attack.

  • Phishing

    This involves the cloning of a website to steal private confidential information from a victim. The hacker sets up an impersonating site, which looks completely legitimate, and collects the information when the victim logs in to the site or enters sensitive data like passwords or financial information.

The Five Phases of Penetration Testing

Recon!

Any good battle plan starts with gathering information. In this step  information is collected from the client (domain names, office locations, basic network details) so a testing strategy can be constructed.

Phase 1

Scanning

A series of customized and detailed scripts and programs are run to gather information on business assets and their potential vulnerabilities.

Phase 2

Gain Access

This is where targeted attacks are deployed. Brute force, cross-site scripting, SQL Injections, phishing campaigns, etc.

Phase 3

Foothold

This is the pay day for a malicious hacker. Break in and find a way to come and go as they please. This stage involves getting a foothold into a business asset and determining what damage could be done.

Phase 4

Debriefing

A conclusive face-to-face  meeting is held with the client to communicate

  • Vulnerabilities that were able to be exploited.
  • Data that was able to be accessed (and to what extent).
  • Detection events (did anyone in the organization know about the tester's access).
Phase 5

Get A Quote

Find out more about setting up a penetration test for your business.

Click Here