Our penetration testing services identify those areas of risk that could impact the confidentiality, integrity and availability of your sensitive information prior to a real attack.
We offer penetration testing – also called “ethical hacking” or “cyber threat hunting” – as a standalone service as well as part of an overall IT security audit. In many cases the penetration testing is part of the compliance required by PCI, HIPAA and other regulatory frameworks.
Besides probing general network and server vulnerabilities, Contextual Security can assess specific IT targets, such as firewalls, wireless networks, and web applications.
Our penetration tests are standards-based. They are closely tied to the fundamentals found in the Open Source Security Testing Methodology Manual (OSSTMM), the Penetration Testing Execution Standard (PTES) and the Open Web Application Security Project (OWASP) Penetration Testing Guide.
The open method associated with OSSTMM builds on a foundation of truth, diminishing commercial gain and political agendas. PTES is an endeavor by a group of information security practitioners to develop a common language and scope for performing penetration testing. The core purpose of OWASP is to “be the thriving global community that drives visibility and evolution in the safety and security of the world’s software.”
By combining the spirit of these three methodologies, we create a formidable program of work to serve you. You can rely on the Contextual Security penetration testing services to be thorough and comprehensive.
The goal of our engagement is to identify areas of risk that impact the security of your information. We provide a remediation plan tailored specifically to your organization’s needs for security and compliance. We often learn from new clients’ past experiences that plans were recommended, but never executed. Why plan if you’re not going to follow through? Contextual Security will give you the plan and help you to follow it to secure your company’s future.
Contextual Security has worked with a number of industries and is familiar with the applicable frameworks that they must adhere to. As a result of this in-house experience, our approach, as well as the delivery of the results of our penetration testing engagements, is framed around our client’s specific needs and requirements.
Payment Card Industry
For the various Payment Card Industry merchants and service providers we work with across the United States and Canada as a designated Qualified Security Assessor Company (QSAC), our penetration testing is conducted in accordance with and support of PCI DSS 3.2 Requirement 11.3. Specifically, our approach is standards based, includes testing from both inside and outside of the cardholder data environment (CDE), includes testing to validate segmentation and scope-reduction controls, and includes both application-layer and network layer tests.
Contextual Security has performed penetration testing for Covered Entities as well as Business Associates, both large and small. Our penetration testing professionals are experts in conducting engagements within these sensitive and mission critical environments. In addition, our penetration testing is a great option for not only determining if the electronic protected health information (ePHI) your organization stores, process or transmits is protected, but it can be used in support of the HIPAA Audit Protocol (2018 Update) requirement §164.308(a)(8), which requires covered entities and business associates to “Perform a periodic technical and nontechnical evaluation.”
In addition to helping Electric Cooperatives navigate the threats and vulnerabilities to their key systems and applications through routine security assessments, Contextual Security has been a key partner in helping them tackle and ultimately achieve compliance with the PCI DSS. Contextual Security’s experience within this industry is also evident by their frequent participation with groups like EnergySec, the North Carolina Association of Electrical Contractors and the Tennessee Electric Cooperative, to name a few.
Contextual Security penetration tests are specifically tailored to your organizations needs and requirements. Our penetration tests can be comprehensive and include multiple locations and perspectives, or limited to just one perspective and a single location.
They can also include social engineering exercises, web applications assessments, and a review of your key firewall rules base and configuration. Our team of experienced enterprise consultants can quickly help you identify a penetration test plan that is right for your organization based on any compliance requirements you must adhere to as well as the sensitivity of the data you process, store and transmit.
Penetration Testing Components
- Passive Reconnaissance (Domain Squatting, Email and File Enumeration, etc.)
- Vulnerability Assessment
- Penetration Testing
- Web Applications Assessment
- Mobile Application Assessment
- Social Engineering (Phishing, Baiting, Pretexting)
- Physical Security Review
- Firewall and Router Configuration Review
- Wireless Security Assessment
- Incident Response Threat Identification Training
- B.A.S.E. (Base Assessment of Security Elements)
Security Xtension Program
Contextual Security can also assist your organization in creating a cost-effective security testing plan, through our Security Xtension offering. This program includes various testing activities throughout the year to ensure you are kept abreast of your security posture continuously. Our Security Xtension offering allows organizations to bolster their internal security department without adding people or resources.
Every Contextual Security penetration test is accompanied by a formal report, which was designed to not only provide a high level overview of the engagement for upper management and C-Level staff, but also includes the detailed findings, along with key recommendations, that can assist those with remediation responsibilities.
In addition, if your organization enrolls our Security Xtension program, Contextual Security can track and document improvements in your security posture between tests (e.g. quarter to quarter).
- Formal Report (Our Flagship Report)
- Snapshot Report (Report Supplement)
- Vulnerabilities by Severity Report (Report Supplement)
- Vulnerabilities by Host Report (Report Supplement)
- Ports and Protocols Report (Report Supplement)
In addition, Contextual Security includes, as part of each engagement, an out brief call to discuss the findings and answer any questions your organization may have.
Please contact one of our Enterprise Consultants for a free sample report.