Penetration Testing Services

Web applications are one of the most significant points of vulnerability in organizations today. Web application holes have resulted in the theft of millions of credit cards, major financial loss, and damaged reputations for hundreds of enterprises. The number of computers compromised by visiting websites altered by attackers is too high to count. To combat this rising risk, Compass IT Compliance offers web application penetration testing to assist organizations with understanding their vulnerabilities and providing them with a remediation plan to mitigate their risk. Our web application penetration testing services can include any of the following based on your specific needs and requirements:

• Application Vulnerability Assessment
• Application Penetration Testing
• Secure System Development Lifecycle Assessment
• Static Code Review
• Dynamic Code Review

Wireless network penetration testing involves evaluating the connections between all devices connected to an organization's wireless local area network (WLAN) or Wi-Fi. These devices include smartphones, tablets, laptops and other internet-enabled mobile devices. Putting the security of your wireless network to the test allows penetration testers to determine your security levels and offer solutions on how to strengthen them. Our wireless network penetration testing will:

• Determine if a wireless network is vulnerable to attack
• Determine how far a wireless network extends outside the physical boundaries of a facility
• Test the authorization and authentication system
• Determine how well wireless IDS / IDP is working
• Determine if the wireless deployment meets compliance / best practices requirements (FFIEC and NIST)
• Provide detailed recommendations for strengthened security configurations and remediation prioritized by urgency

Many organizations today utilize mobile applications to communicate with and provide services to their customers. The large amounts of data being processed by these apps is often sensitive and confidential, making them a perfect target for malicious actors. Rapid development of mobile apps also furthers the risk of critical vulnerabilities being overlooked. Mobile application penetration testing is critical to secure these applications before security vulnerabilities can be exploited by malicious actors. Compass IT Compliance utilizes industry best practices and methodologies for mobile application penetration testing, such as the Open Web Application Security Project (OWASP) Mobile Application Security Verification Standard (MASVS) and Mobile Application Security Testing Guide (MASTG). These methodologies ensure a complete and consistent approach to the assessment. Testing may be conducted using various methods including:

• Sniffing of Traffic
• Code Review
• Testing of APIs

In today’s world, with rising infrastructure costs and ever escalating security threats, many organizations have decided to host some or all of their environment and data in the cloud instead of locally on premise. Well known cloud services, such as Amazon Web Services, Microsoft Azure, and Google all offer robust environments that allow users to leverage a modern well-secured hardware environment. Just because the physical environment is certified secured does not mean that your environment is secure or compliant. Securing what is in the cloud is just as important as making sure the cloud itself is secure. Our cloud penetration test will identify weaknesses within the configuration, policies, and access controls of a cloud environment. Our assessment includes reviews of both the data and the applications in the cloud to determine common weaknesses in:

• Installation
• Configuration
• Policies
• Object Access Control

Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. Countless employees have fallen victim to these convincing schemes, often accompanied by a significant loss of money or data. Social engineering is among the most popular attack vectors for malicious actors as it relies on human error rather than solely exploiting technical vulnerabilities, which is often far more difficult.

The key to addressing these human vulnerabilities is a robust social engineering penetration testing program including simulated attacks to gauge employee awareness and recognition of the latest threats. Our testing simulations include:

• Phishing - emails
• Vishing - phone calls
• QRishing - QR codes
• Physical Access Assessments - onsite physical security controls

For organizations looking for a defense in depth approach, Compass IT Compliance offers red team penetration testing. This service consists of an adversary attack simulation across all assets of your organization. Your people, processes, technology, and facilities will all be in scope and will be tested simultaneously. The methodologies utilized will most closely resemble a real world attack, combining various physical and cyber exploits to uncover vulnerabilities.

The assessment rules of engagement and core organizational information are entirely customizable to fit your unique needs. Our team of ethical hackers will use all applicable techniques available to achieve your desired objectives. This may include:

• Utilizing previously exposed data on the dark web
• Phishing and vishing to gather information from employees
• Physical site visits to exploit vulnerabilities in security controls and human trust
• A blend of network, web application, wireless network, mobile application, and cloud penetration testing

White label penetration testing services allow your company to leverage Compass IT Compliance’s highly skilled and certified team to offer quality penetration testing services to your clients under the umbrella of your established and reputable brand. Our cybersecurity professionals can work seamlessly within your project management environment, displaying a unified front in delivering quality and timely deliverables with industry-leading insights into vulnerabilities present and the steps necessary to remediate risks.

Professional service organizations and IT managed service providers (MSPs) have sought a partnership with our team for the following reasons:

• The opportunity to gain competitive advantage and expand service offerings to reach new customers who are looking for an all-in-one solution
• To fulfill a gap in talent within your existing team, either in the interim or long-term
• The ability to offer a wider array of service capabilities to existing clients without the need to send them to other vendors
• To satisfy conflict of interest concerns and utilize an independent set of eyes to verify IT security and compliance