ControlCase offers the following penetration test offerings. All information will be available on a centralized IT GRC portal for tracking compliance quarterly.

External Penetration test (Network Layer)

ControlCase firstly conducts network scan for clients. Once appropriate IP addresses are captured, the system will be set up to perform scans every quarter upon verification that the same internet IP addresses are used.

ControlCase will further attempt to exploit any vulnerability found by the network scan to eliminate any false positives. This would be performed after any known vulnerabilities are removed.

External Penetration test (Application Layer)

ControlCase assesses the application for known application vulnerabilities. Assessment techniques include:

• Parameter Tampering - Query strings, POST parameters, and hidden fields are modified in an attempt to gain unauthorized access to data or functionality.
• Cookie Poisoning - Data sent in cookies is modified to test application response to receiving unexpected cookie values
• Session hijacking – ControlCase attempts to take over a session established by another user to assume the privileges of that user.
• User privilege escalation – ControlCase attempts to gain unauthorized access to administrator or other users’ privileges.
• Credential manipulation – ControlCase modifies identification and authorization credentials in an attempt to gain unauthorized access to other users’ privileges.
• Forceful Browsing - Misconfigured web servers will send any file to a user, as long as the user knows the file name and the file is not protected. Therefore, a hacker may exploit this security hole, and "jump" directly to pages.
• Backdoors and Debug Options - Many applications contain code left by developers for debugging purposes. Debugging code typically runs with a higher level of access, making it a target for potential exploitation. Application developers may leave backdoors in their code. These backdoors, if discovered, could potentially allow an intruder to gain additional level of access.
• Configuration Subversion – Misconfiguring web servers and application servers is a very common mistake. The most common misconfiguration is one that permits directory browsing. Hackers can utilize this feature in order to browse the application's directories (such as cgi-bin/) by simply typing in the directory name.
• Input validation bypass - Client side validation routines and bounds-checking are removed to ensure controls are implemented on the server.
• SQL injection – Specially crafted SQL commands are submitted in input fields to validate input type controls.
• Cross-site scripting – Active content is submitted to the application in an attempt to cause a user's web browser to execute unauthorized code. This test is meant to validate user input type controls. ControlCase employs the use of automated and manual application testing tools and techniques. Automated tools identify vulnerabilities based on signatures or common vulnerabilities that are easy to identify such as cross-site scripting and SQL injection. However ControlCase recognizes that all applications are different and thorough testing requires a skilled and experienced approach. ControlCase manually explores, examines, and testes the application to identify those vulnerabilities that cannot be easily detected by automated tools.

For any additional information on penetration test services, please contact ControlCase at contact@controlcase.com