Discover our services for
Orenda Security assessment services simulate real world attempts to breach your networks, applications and cloud environments.
Orenda Security offers high-value penetration testing that models the activities of real-world attackers to find vulnerabilities in target systems and exploits them under controlled circumstances. Applying technical excellence to determine and document risk and potential business impact in a professional, safe fashion according to a carefully designed scope and rules of engagement with the goal of helping an organization prioritize its resources in improving its security stance. We customize our Penetration Testing offerings to ensure they meet your compliance requirements, such as PCI DSS penetration testing requirements.
System & infrastructure network vulnerability assessment and penetration testing is crucial to demystify the security exposures that are used to launch a cyber-attack through the internet. The security assessment of internet facing system or internal network tests helps discover the vulnerable network services that can be exploited by unknown threat sources.
During a network penetration test, we attempt to breach your network perimeter by exposing weaknesses in servers and network devices. We build on our initial access to your network to probe the network core and associated devices. We then study within the perimeter to identify additional methods for compromising your network’s defenses.
Assessing the security of your external network includes multiple steps. Key steps include:
Anonymous information Gathering
Anonymous information gathering to discover all Internet-facing assets a hacker could identify as potential entry-points into your network.
Scanning of your internet-available network access points and web servers for known vulnerabilities (non-credentialed).
Verifying scan-result findings through in-depth manual penetration testing attack techniques (both credentialed and non-credentialed).
Providing deeply informed remediation guidance and advisory services for identified/verified vulnerabilities.
Focusing on exploiting private or internally accessible infrastructure and services that may pose a high risk to your business critical systems and applications.
When misconfigured, these security and access control devices can introduce massive risk to internal and business critical network segments. Reviewing firewall rules and regularly testing their effectiveness is must.
Servers host the high value information assets of any business and are the ultimate targets. Whether it is an application, database or file storage server, they need to be hardened. Database servers are high value targets, normally storing financial, PII or cardholder data.
Workstations and laptops of users with privileged access are often targets given their access to critical systems. Selectively targeting these end user systems for exploitable vulnerabilities can lead to identifying high risk threats.
Mobile devices threats continue to increase as mobile devices capabilities for accessing internal corporate resources and business critical applications is now a norm.
Routers, Switches, & other network hardware
Core and edge network devices are still prime targets for hackers as these devices provide critical connectivity between corporate networks. Testing for the hardening of these devices is crucial to ensure exploitable vulnerabilities are identified.
Increasingly gaining adoption as companies are taking advantage of the Internet of Things (IoT) and big data to improve processes. As such they are becoming targets and must be protected similarly as other critical systems in your environment.
External Penetration Testing
We focus on exploiting the following internet accessible infrastructure and services. Vigilance with external systems and services must be maintained as they are constant targets by hackers as an entry point to systems hosting sensitive information. By understanding the architecture of your external network and internet-facing services we can better identify threats and risks specific to your business environment. Common external targets include:
Subverting external facing network and application firewalls is a key strategy to gaining access to high value targets. Network and Application firewalls are the gatekeepers to corporate networks and as such should be well configured and tested regularly.
These servers are normally serve up important business content to the public and clients, as such are prime targets for hackers. Compromising a web server can lead to exploiting back-end databases and other servers hosting sensitive data.
At the heart of every business’s IT network lies the Domain Name System (DNS). Translating domain names, or website addresses, into numerical machine-readable Internet Protocol (IP) addresses, it is known as the address book of the internet and, as such, is a mission-critical part of IT infrastructure for all organizations and one without which they cannot function. Testing DNS security is more critical than ever.
Compromised email servers can wreak havoc to any business, since email facilitates a critical business function for corporations, clients and partners. Email servers often transmit and contain company sensitive information that can introduce privacy, regulatory and reputational risks if exposed.
DMZ & Public facing servers
DMZ hosted servers are ever popular targets as they are internet accessible and may have connectivity to back-end applications and databases. Often being transactional systems facilitating payments or other processing of sensitive data. Hardening and testing these servers is critical, and often required at least annually, especially those in scope of PCI DSS processing or storing cardholder data.
VPN & end points
Often facilitating remote access for employees, partners or vendors into internal networks resources, misconfiguration of access can lead to unauthorized access and the compromising of internal systems. Access can then be leveraged for malware and other attacks.
Routers, Switches, & other network hardware
Internet-facing network devices are prime targets for hackers as these devices provide critical connectivity between public and private networks. They also serve as targets of denial of service attacks. Testing for the hardening of these devices is crucial to identify misconfigurations and ensure exploitable vulnerabilities are identified.
IoT devices and infrastructure are being deployed everywhere from houses to critical infrastructure. Orenda Security Penetration Test approaches these tests by understanding the interaction between the different components and making each of them secure.
Depending on the specific target and scope you may expect these tasks and components be assessed:
Utilizing a threat modeling process is a key step in threat identification in components that make up the IoT ecosystem. This includes the inventory and mapping of all critical devices, applications, services and analyzing associated dependencies.
Hardware devices and running firmware are just one of many parts of the IoT ecosystem. The devices and associated firmware need to be reliable and secure. Vulnerabilities exploited here can pose significant threat to other connected services.
Source code review
The code should be tested in SDLC, code vulnerabilities identified early in development process and remediated prior to being in production.
API, Web, and Mobile applications
Assessing the secure integration of API, web services and mobile apps is a foundational step in protecting the IoT ecosystem. Security testing will uncover weaknesses and vulnerabilities in their integration.
Integration of cloud application integration is accelerating and it is no different in IoT environments. We Assess the security of such integration and security test controls in place.
Discover our services for