Penetration Testing

Security Domain

CIS Control 18 – Penetration Testing

Service Description

Practical testing and exercise of a cybersecurity framework is valuable for determining where flaws may lie in the system before real attacks find them. This practice of finding and exploiting vulnerabilities in a simulated environment is known as penetration testing. It is typically contracted out to third-party organizations, which evaluate the fortitude of the client organization’s security defenses.

Product

Key Benefits

  • Penetration (Internal/External)
    • Secure Remote Connection / Access Port(2) on Switch with IP assignments
    • Remote IP Ranges provided to Trusted Agent
    • Non-credentialed/credentialed web application/application program interface (API)
    • Wireless – In-range of agency & rogue AP detection
    • Phishing emails

Cost to PSUs

No cost – provided by the North Carolina National Guard

PSU Time Commitment

Upfront/Setup: Determined by Penetration Testing Division
Testing periods last two weeks

Point of Contact

North Carolina Cybersecurity Response Force
nc.csrf@army.mil

Additional Pentest Information:

What Does a Pentest Include?

According to industry leader CrowdStrike, there are six general parts that make up a penetration test:

  • Internal Pen Testing
    • Access internal systems to see how an attacker can move laterally through the network.
    • System Identification, Vulnerability Discovery, Exploitation, Privilege Escalation, Lateral Movement
  • External Pen Testing
    • Assess Internet-facing systems to determine if there are exploitable vulnerabilities.
    • System Identification, Enumeration, Vulnerability Discovery, Exploitation
  • Web Application Pen Test
    • Evaluate the web application through reconnaissance, discovery, and exploitation phases
  • Insider Threat Pen Test
    • Identify risk and vulnerabilities that expose sensitive internal resources and assets to those without authorization.
    • Deauthentication Attacks, Misconfigurations, Session Reuse, Unauthorized Wireless Devices
  • Wireless Pen Testing
    • Identify risk and vulnerabilities associated with wireless networks
    • Deauthentication Attacks, Misconfigurations, Session Reuse, Unauthorized Wireless Devices
  • Physical Pen Testing
    • Identify risk and vulnerabilities associated with physical security in an effort to gain access to a corporate computer system
    • Social Engineering, Tail-Gating, Badge Cloning, Additional Physical Security Objectives

Additional Services

The NCDPI K-12 Cybersecurity Program recommends reliable penetration testing services by the Joint Cybersecurity Task Force (JCTF) that are available to PSUs at NO COST:

Additionally, there are major cybersecurity organizations that offer similar services for a price:

Bringing in external groups to conduct these assessments is an effective way to eliminate any bias or internal knowledge of the system and its workings, ensuring that the procedure is strictly black-box oriented.

Training & Professional Development

For penetration testing provided by internal organization groups, the following resources can be valuable for establishing an effective assessment:

For additional questions and consultation, please contact k12cybersecteam@dpi.nc.gov