Vulnerability Assessment and Penetration Testing

KLC Consulting performs Vulnerability Assessments and Penetration Tests to evaluate and improve your organization’s security posture. We present findings in deliverable reports, prioritized by criticality, together with our recommendations for remediation. We’re also available to help with remediation.

Vulnerability Assessment

We conduct Vulnerability Assessments to discover, quantify and document the current security vulnerabilities within an organization’s information system environment. This provides a better understanding of assets, security flaws and overall risk. Our recommendations for improvement reduce the likelihood that a cybercriminal could breach the system.

Penetration Testing

We perform Penetration Tests to simulate how an external or internal attacker would navigate the compromised information system environment to hack sensitive/protected information. The penetration test is the logical “next step” after a Vulnerability Assessment to improve security posture.

People often use the terms “Vulnerability Assessment” and “Penetration Test” interchangeably, but they’re very different. A good analogy to understand the difference is: a Vulnerability Assessment identifies the ways a burglar can break into your home; a Penetration Test identifies assets the burglar can find, and how they can steal, destroy or hold them hostage once inside.

Web Application Penetration Testing

We perform Web Application Penetration Tests to identify security weaknesses across an entire web application, its APIs and its components (source code, database, back-end network, etc.). The tester fabricates attacks using manual, automated and customized proprietary tools.

Wireless Network Assessment

BYOD (Bring Your Own Device) and Wireless Networks provide employee convenience but add another potential attack surface to be exploited. A Wireless Network Assessment includes a full audit of your BYOD policy and improves the overall maturity of your business’s security posture.

Social Engineering (Simulated Spear Phishing)

A Spear Phishing or Business Email Compromise (BEC) attack relies on human fallibility (“Social Engineering”) rather than a hardware or software vulnerability. It’s a surreptitious email attack, seemingly from a trusted source, that targets specific individuals or departments within an organization with the goal of tricking people into sending money, handing over sensitive information, or even just downloading malware. The authors of these attacks will use lies, trickery, forgery, and outright manipulation to succeed. Most cyber-attacks and successful data breaches begin with a spear phishing email. We conduct simulated spear phishing attacks to help identify weaknesses in security posture, evaluate perimeter software defense, and uncover inadequacies in employee training.

Social Engineering (Physical)

Physical social engineering is an onsite, face-to-face simulated attack that uses a client-approved pretext scenario: a hacker poses as a credentialed IT/telephone technician or building maintenance person, requesting access to or sneaking into secure IT areas to perform a Penetration Test internally. The goal is to evaluate security controls pertaining to physical access and related employee preparedness.

Digital Footprint Analysis

We gather the public information available to hackers; collecting it is often the first step in a targeted attack. If attackers can leverage system configurations or applications to differentiate valid usernames from invalid ones, they can begin a malicious Spear Phishing campaign or formulate brute-forcing or guessing attacks on the passwords of legitimate user accounts and access sensitive systems and resources.

Firewall Configuration Review

We review the firewall configuration and rule sets to ensure that the actual configurations and the traffic flowing through the firewalls match the approved configuration restrictions.