Penetration Testing

Orenda Security assessment services simulate real-world attempts to breach your networks, applications and cloud environments.

Orenda Security offers high-value penetration testing that models the activities of real-world attackers to find vulnerabilities in target systems and exploit them under controlled circumstances. We apply technical excellence to determine and document risk and potential business impact in a professional, safe fashion, according to a carefully designed scope and rules of engagement, with the goal of helping an organization prioritize its resources in improving its security stance. We customize our Penetration Testing offerings to ensure they meet your compliance requirements, such as PCI DSS penetration testing requirements.

Penetration Testing process

System and infrastructure network vulnerability assessment and penetration testing is crucial to demystify the security exposures that are used to launch a cyber-attack through the internet. Security assessment of internet-facing systems or internal networks helps discover the vulnerable network services that can be exploited by unknown threat sources.

Network & Infrastructure

During a network penetration test, we attempt to breach your network perimeter by exposing weaknesses in servers and network devices. We build on our initial access to your network to probe the network core and associated devices. We then study within the perimeter to identify additional methods for compromising your network’s defenses.
Assessing the security of your external network includes multiple steps. Key steps include:

Anonymous information Gathering

Anonymous information gathering to discover all Internet-facing assets a hacker could identify as potential entry-points into your network.

Scanning Networks

Scanning of your internet-available network access points and web servers for known vulnerabilities (non-credentialed).

Verifying Results

Verifying scan-result findings through in-depth manual penetration testing attack techniques (both credentialed and non-credentialed).

Providing guidance

Providing deeply informed remediation guidance and advisory services for identified/verified vulnerabilities.

Internal Penetration Testing

We focus on exploiting private or internally accessible infrastructure and services that may pose a high risk to your business-critical systems and applications.

Network Firewalls

When misconfigured, these security and access control devices can introduce massive risk to internal and business-critical network segments. Reviewing firewall rules and regularly testing their effectiveness is a must.

Servers

Servers host the high value information assets of any business and are the ultimate targets. Whether it is an application, database or file storage server, they need to be hardened. Database servers are high value targets, normally storing financial, PII or cardholder data.

Workstations

Workstations and laptops of users with privileged access are often targets given their access to critical systems. Selectively targeting these end user systems for exploitable vulnerabilities can lead to identifying high risk threats.

Mobile Devices

Mobile device threats continue to increase, as the use of mobile devices to access internal corporate resources and business-critical applications is now the norm.

Routers, Switches, & other network hardware

Core and edge network devices are still prime targets for hackers as these devices provide critical connectivity between corporate networks. Testing for the hardening of these devices is crucial to ensure exploitable vulnerabilities are identified.

Appliances (IoT)

IoT appliances are increasingly gaining adoption as companies take advantage of the Internet of Things (IoT) and big data to improve processes. As such, they are becoming targets and must be protected in the same way as other critical systems in your environment.

External Penetration Testing

We focus on exploiting the following internet-accessible infrastructure and services. Vigilance with external systems and services must be maintained, as they are constantly targeted by hackers as an entry point to systems hosting sensitive information. By understanding the architecture of your external network and internet-facing services, we can better identify threats and risks specific to your business environment. Common external targets include:

Network/Application firewalls

Subverting external-facing network and application firewalls is a key strategy for gaining access to high-value targets. Network and application firewalls are the gatekeepers to corporate networks and as such should be well configured and tested regularly.

Web servers

These servers normally serve up important business content to the public and clients and, as such, are prime targets for hackers. Compromising a web server can lead to exploiting back-end databases and other servers hosting sensitive data.

DNS

At the heart of every business’s IT network lies the Domain Name System (DNS). Translating domain names, or website addresses, into numerical machine-readable Internet Protocol (IP) addresses, it is known as the address book of the internet and, as such, is a mission-critical part of IT infrastructure for all organizations and one without which they cannot function. Testing DNS security is more critical than ever.

Email servers

Compromised email servers can wreak havoc on any business, since email facilitates a critical business function for corporations, clients and partners. Email servers often transmit and contain company-sensitive information that can introduce privacy, regulatory and reputational risks if exposed.

DMZ & Public facing servers

DMZ-hosted servers are ever-popular targets, as they are internet accessible and may have connectivity to back-end applications and databases. They are often transactional systems facilitating payments or other processing of sensitive data. Hardening and testing these servers is critical, and often required at least annually, especially those in scope of PCI DSS processing or storing cardholder data.

VPN & end points

VPNs and end points often facilitate remote access for employees, partners or vendors into internal network resources. Misconfiguration of access can lead to unauthorized access and the compromise of internal systems. Access can then be leveraged for malware and other attacks.

Routers, Switches, & other network hardware

Internet-facing network devices are prime targets for hackers as these devices provide critical connectivity between public and private networks. They also serve as targets of denial of service attacks. Testing for the hardening of these devices is crucial to identify misconfigurations and ensure exploitable vulnerabilities are identified.

IoT Testing

IoT devices and infrastructure are being deployed everywhere from houses to critical infrastructure. Orenda Security Penetration Test approaches these tests by understanding the interaction between the different components and making each of them secure.
Depending on the specific target and scope, you may expect the following tasks and components to be assessed:

Threat Modeling

Utilizing a threat modeling process is a key step in threat identification in components that make up the IoT ecosystem. This includes the inventory and mapping of all critical devices, applications, services and analyzing associated dependencies.

Hardware

Hardware devices and running firmware are just one of many parts of the IoT ecosystem. The devices and associated firmware need to be reliable and secure. Vulnerabilities exploited here can pose a significant threat to other connected services.

Source code review

Code should be tested within the SDLC, with vulnerabilities identified early in the development process and remediated before reaching production.

API, Web, and Mobile applications

Assessing the secure integration of API, web services and mobile apps is a foundational step in protecting the IoT ecosystem. Security testing will uncover weaknesses and vulnerabilities in their integration.

Cloud applications

Cloud application integration is accelerating, and it is no different in IoT environments. We assess the security of such integration and security-test the controls in place.

Testimonials

“Orenda has been a reliable partner for AMA and has helped us in our journey to develop and deliver secure applications to all of our AMA members. I recommend Orenda Security to other AAA and CAA clubs on the basis of a strong working relationship with AMA and an excellent track record of delivering technical expertise and high-quality assessments.”

Collin Moody
Chief Information Officer
Alberta Motor Association

Finding a reliable partner with a high degree of technical expertise is hard to find! Orenda Security was exactly what we were looking for. They help us improve the security posture of our product and application. I recommend Orenda Security to any security leader seeking reliable and robust security penetration testing services.

Kartik Agarwal
Chief Technology Officer
Concert Cloud Inc