Vulnerability Assessment and Penetration Testing

Eventually, someone is going to test your network security, whether you ask them to or not.

Let PJ Networks test it for you first​.

Businesses often choose to conduct a vulnerability assessment, also called a vulnerability audit or security audit, because they know their security posture needs improvement, but they are not sure where to begin.

We do.

Additionally, Vulnerability Assessments can be a requirement for some standards, like PCI and HIPAA compliance, that need to be performed on an annual or quarterly basis.  We will first identify the most severe issues and recommend solutions for mitigating them, so that the most exploitable weaknesses are quickly locked down.  We will then run a series of deeper-level vulnerability scans to find the less obvious (but still penetrable) weaknesses, document them, and then assemble final summaries and reports that will clearly define what issues still need to be addressed, and then present a clear plan for resolving them.

The following list represents techniques and procedures that can be performed during the assessment, depending on your specific environment and needs:

  • Unknown and known asset identification
  • Credentialed or network-based vulnerability discovery
  • Sensitive content auditing
  • Selective re-scan by host, net, sub-net, etc.
  • Authentication weaknesses
  • Botnet/Malicious Process/Anti-virus Auditing
  • Compliance Auditing (FFIEC, FISMA, GLBA, HIPAA, PCI DSS)*

FFIEC = Federal Financial Institutions Examination Council

FISMA = Federal Information Security Management Act

GLBA = Gramm-Leach-Bliley Act also known as the Financial Modernization Act of 1999

PCI DSS = Payment Card Industry Data Security Standard

HIPPA = Health Insurance Portability and Accountability Act of 1996

Penetration Testing

For organizations who protect highly sensitive data, host their own websites, or have servers and custom applications that are exposed and accessible to the outside world, PJ Networks can use the most advanced approaches and techniques in Ethical Hacking to try to penetrate beyond your firewalls and security protocols to find out just how far your security measures will stand up to a simulated professional hacking attempt.  Most companies will probably never be the focus of a targeted attack - but many will.  Don't wait until that happens to find out just how good your security practices and defenses are.

Vulnerability Scanning vs Penetration Testing - What's The Difference?

A Vulnerability Scan is a preconfigured series of automated scans that try to identify and talk to open ports on a network - either from the inside of from the outside - to identify which ports are active and accessible, and then it will query them to find out how they are configured, what is accessible behind them, and what kind of security has been put into place to protect them.  It is not so much of a hostile attack as an active dialogue between the scanning software and the network, to see what responds back and how it responds.

A Penetration Test is a focused, concerted and skilled effort to break past the security protocols and  breach a data system by using a number of very specific tools, techniques and methods.  If it is being done by a person (or computer) with bad intentions or objectives, then it is usually called hacking.  If the endeavor is being made by a paid professional working on behalf of the target, whose intention is to identify and document where potential security breaches could happen and then to document and remediate the weaknesses, then it is called Ethical Hacking.

Some of the methods used by both professional hackers (bad guys) and Ethical Hackers (good guys) to breach a data system include brute force, dictionary attacks, spear phishing and man-in-the-middle.

We can even conduct custom-tailored social engineering penetration tests, where one or more members of our team attempt to get employees from a targeted client to divulge information or allow access into the network environment using a number of proven social penetration techniques, such as tailgating, phishing, pretexting or media dropping.  Most security and data breaches happen as a result of the actions of people on the inside of an organization, either intentional or unintentional.  They are a legitimate risk and need to be addressed, just as much as any technology-based weakness or vulnerability.

What kinds of systems should be tested?

  • Network devices:   firewalls/routers/switches (Juniper, Check Point, Cisco, Palo Alto Networks), printers, storage
  • Virtualization:   VMware ESX, ESXi, vSphere, vCenter, Microsoft, Hyper-V, Citrix Xen Server
  • Operating systems:   Windows, OS X, Linux, Solaris, FreeBSD, Cisco iOS, IBM iSeries
  • Databases:   Oracle, SQL Server, MySQL, DB2, Informix/DRDA, PostgreSQL, MongoDB
  • Web applications:   Web servers, web services, OWASP vulnerabilities
  • Cloud:   Scans the configuration of cloud applications like Salesforce and cloud instances like AWS and Rackspace

Don't leave your systems and data at risk for another day!

    Vulnerability Assessment Pricing*

    * Pricing below is for standard network vulnerability scans to detect security issues.  PCI, HIPAA, Meaningful Use and other industry-specific compliance scans require special custom scanning configurations and quotes for these types of scans are available upon request.

    FREE External Vulnerability Scan.....................................................................................................................$0.00

    A free basic broad-spectrum external vulnerability scan will be run against all of your public-facing static IP addresses using enterprise-class cybersecurity assessment software and the results will be sent to you, with no obligation, including recommendations for the mitigation and remediation of any detected vulnerabilities.  No consultation time is included with this free offering, but you may use the results to address the detected issues on your own, or to engage your own IT support team to remediate them for you.  Upon request, PJ Networks can provide you with a quote for either working together with your staff to remediate the discovered vulnerabilities, or to completely mitigate them on your behalf.  This is the quickest and easiest way to find out what you don't know about your current data breach vulnerabilities from outside of your organization.

    Comprehensive External Vulnerability Scan, Analysis and Consultation...........................................$250

    A comprehensive, customized external vulnerability scan will be run against all of your public-facing static IP addresses using enterprise-class cybersecurity assessment software and the results will be analyzed and complied into a professional report.  You will then be provided with a professional consultation  at your place of business or at one of our offices to review the results of the scans, explain each of the vulnerabilities and answer any questions that you or your staff about how to  address them.  Upon request, PJ Networks can provide you with a quote for either working together with your staff to remediate the discovered vulnerabilities, or for us to completely mitigate them on your behalf.  You may also choose to resolve the ones that you can handle on your own, and then request a quote to take care of the remaining vulnerabilities. 

    Comprehensive Internal and External Vulnerability Scan, Analysis and Consultation...........$1,000 + $50 per system/device

    A comprehensive, customized vulnerability scan will be run against all of your public-facing static IP addresses and the local area network environment for your business or organization using enterprise-class cybersecurity assessment software, and the results will be compiled into a professional report for each of the scans and provided to you. You will then be provided with a professional consultation at your place of business or at one of our offices to review the results of the scans, where we will explain each of the vulnerabilities and answer any questions that you or your staff about how to address them. Upon request, PJ Networks can then provide you with a quote for either working together with your staff to remediate the discovered vulnerabilities, or for us to completely mitigate them on your behalf. You may also choose to resolve the ones that you can handle on your own, and then request a quote to take care of the remaining vulnerabilities.

    * * * HIPAA, PCI, Meaningful Use and other regulatory compliance audits and assessments are custom-tailored to the needs of each client and their network infrastructure, and therefore require a preliminary consultation in order to properly evaluate the full scope of the project.  * * *  

    You Will Find Our Cybersecurity Experts Knowledgeable, Friendly and Easy To Work With.  Guaranteed.

    Servers | Workstations | Networks | Firewalls | Printers | Routers | Backup Solutions | Office 365 | VPN | Wireless Solutions | Security | Compliance | Vulnerability Scans | Penetration Testing | Security Audits | Ethical Hacking

    Charlottesville ~ Albemarle ~ Greene ~ Ruckersville ~ Stanardsville ~ Earlysville ~ Madison ~ Orange ~ Richmond ~ Harrisonburg ~ Fishersville - Staunton - Central Virginia