Penetration testing is a form of security testing where SCA emulates real-world attacks to identify methods or pathways to evade the security features of a network, system or application. These real-word attacks use tools and techniques, both automated and manual, that are commonly used by attackers which is why penetration testing is sometimes referred to attack and penetration testing; attack the target(s) to see how far they can be penetrated. The goals are to determine whether unauthorized access or other malicious activity is possible. The results of a penetration test can help demonstrate how well the target system(s) or application(s) withstand real-word attacks, the level of sophistication needed to compromise the system(s) or application(s), remediation needed to reduce threats and the defender’s ability to detect and quickly respond to attacks.
SCA penetration testing is a valuable tool to evaluate the adequacy of security controls to detect and defend against a threat actor. Additionally, SCA penetration testing helps organizations meet regulatory, framework and certification requirements including but not limited to the following:
Federal Financial Institutions Examination Council (FRB, FDIC, NCUA, OCC, CFPB, SLC)
PCI – Payment Card Industry
New York Department of Financial Services (23 NYCRR 500)
Insurance Data Security Laws
SOC 2 Reporting
Center for Internet Security Critical Security Controls
NIST Special Publication 800-53
For Federal, State and local government entities, SCA penetration testing is available under our GSA contract #47QTCA20D008C for Highly Adaptive Cybersecurity Services (HACS).
SCA Penetration Testing Capabilities:
Network Penetration Testing
Application Penetration Testing
• Web Application
• Mobile Application
SCA offers penetration testing as White, Grey or Black Box efforts. Each requires increasing amounts of planning and discovery effort to identify target assets:
White Box – full knowledge of target systems, applications and IP addresses in-scope
Grey Box – partial knowledge of target systems, applications and IP addresses in-scope
Black Box – zero knowledge of target systems, applications or IP addresses in-scope
Penetration testing may also be performed as a Red Team or Purple Team effort:
Red Team Penetration Testing: Red teaming projects are heavily focused on emulating an advanced threat actor using stealth, subverting established defensive controls and identifying gaps in the organization’s defensive strategy, and often involve more than one red team cybersecurity analyst playing the part of the malicious actor.
Purple Team Penetration Testing: The Red team, friendly attackers, partner with the Blue team, client’s defensive personnel, in a collaborative exercise. The Red team shares their tactics, techniques, and procedures. The Blue team shares their monitoring tactics and playbooks with the Red team. Essentially, offense informs defense, and defense informs offense – this way, the capabilities of both teams are extended.