• Home

• Industries
  • Financial Services
  • Government
  • Healthcare
  • Higher Education
  • Legal
  • Public Companies
  • Public Utilities
  • Retail

• Solutions
  • IT Audit Services
  • IT Risk Assessment Services
  • IT Security Planning
  • PCI Compliance Services
  • Application Code Review
  • Vulnerability Scanning
  • Penetration Testing

• News & Events
  • Events
  • Webinars
  • In The News
  • Press Releases

• About Us
  • Overview
  • Management
  • Partners

• Careers

• Contact Us

Network Penetration Testing

Network penetration testing is typically performed from an external location with minimal knowledge of the environment. The "white box" tester utilizes knowledge gained during interviews and online data sources to attempt to break into a company's operating environment. The tests identify exposed systems and takes inventory of vulnerabilities that may offer a path to sensitive systems and data. The goal of a penetration test is far different form all other non-invasive IT security testing. Penetration testing teams attempt to exploit vulnerabilities and identify potential damage to systems and data.

The Coalfire approach leverages purpose-designed attack systems with custom-attack scripts to exercise target systems much like a "black box" hacker would attempt. During the testing, Coalfire documents the systems identified, the vulnerabilities that were pursued, and the extent of the exploitation available to a tester from a remote location.

Our highly trained test teams, combined with industry-leading tools, provide confidence to organizations that easily-exploited attack paths can be identified and remediated, or that existing protection is reasonable.

In addition to network skills and tools, Coalfire has assembled teams that have specific knowledge of payment systems and banking applications. This specialized expertise allows Coalfire to target more precise test scripts at industry-specific systems. You get a high level of confidence in the testing when it is performed by an industry expert with knowledge of your operating environment.

Application Penetration Testing

Unlike network penetration testing, application-level penetration testing requires some limited set of user credentials. Typically a disgruntled employee or a new hire that joined the company for the specific purpose of conducting fraud is the source that will be pursued. Application penetration testing can be conducted remotely or on-site depending on user credentials.

The tools used by application testing teams are more rigorous and require more highly specialized staff with specific application development skills. Coalfire has assembled a team of former programmers who test and validate payment applications for credit card processors and merchants. This same team also conducts application-level penetration tests to confirm that organizations can adequately defend themselves against known application exploits such as:

• SQL injection
• Cross-site scripting
• Buffer overflow
• Access escalation
• Other known application vulnerabilities

When your business depends on its ability to defend sensitive applications and data from rogue internal users and successful external hackers, highly skilled penetration testing may offer the only solution for identifying attack potential before the cyber criminals inflict damage.

Social Engineering

The old saying that you're only as good as your weakest point is absolutely true - especially when factoring in the "people" aspect of IT security. Regardless of the technologies you implement or physical barriers you erect, the strength of your controls comes down to the training, awareness, diligence and honesty of your company insiders. Comprehensive security policies and security awareness training are fundamental controls within an effective security program. Testing these controls is also critical to validating and improving program effectiveness.

Coalfire has a full suite of social engineering assessment services for testing all aspects of your human control areas. We can customize these testing programs to evaluate the risk of information disclosure, using technical methods like online phishing, staff impersonation, pretext calling and physical control tests such as piggy-backing, lock testing, and other physical entry methods.