Penetration Testing

Organizations that own or handle sensitive information – such as health or payment card information – need a clear view of the risks with respect to that information. Furthermore, the need to understand the intricacies of complex technical solutions, interpret technical jargon and consider vulnerabilities in the context of impact to the business is increasingly a challenge for managers and stakeholders in an organization. A penetration test presents a focused view of potential risks to information in the context of attack, loss of service, and impacts to data integrity, from any threat source.

The power of Brier & Thorn’s penetration testing lies in the skills of our consultants. We pool our talent to access proven technical skills and training that’s unmatched in the industry – going beyond simply relying on robust testing tools that only skim the surface of the complicated problem. Our holistic approach scrutinizes the people, process and technology in your organization.

We partner with clients to protect the confidentiality, integrity and availability of their key systems and data – while at the same time balancing the costs and limitations that security controls can put on the business. Our portfolio of penetration testing services offers black box and white box testing in infrastructure, IoT, application, network, and database security assessments.

HACKING THE CLOUD

How the cloud has changed penetration testing and how to perform assessments against virtual machines.

HACKING THE CONNECTED CAR

A primer on penetration testing against Electronic Data Units (EDUs) inside connected cars.

Background

The rise of sophisticated attackers and the increasing dependence on online services increases the need for the highest confidence and most actionable intelligence for your organization’s exposure to security incidents.

Vulnerability assessments and penetration tests can assist organizations of all sizes to:

  • Simulate attacks on infrastructure and applications;
  • Identify flaws in technology architecture and design;
  • Find security errors in application and software code; and
  • Determine vulnerabilities in process, policies and personnel.

At Brier & Thorn, we believe that being a trusted adviser means helping our clients understand their key risks and exposures, both in their own IT infrastructure and the infrastructure of their service providers and supply chains. Our dedicated team of security experts has contributed to national security policy, identified unpublished vulnerabilities in vendor products, and performed penetration testing on IoT (Internet of Things) devices, such as medical devices and even infotainment systems for automobiles.

Our philosophy is that reports based on automated tools alone aren’t sufficient to gain a complete picture of the security threats facing your organization. An effective vulnerability assessment needs supporting analysis and subject matter expertise for meaningful results. Just as you wouldn’t hire a plumber simply because of the wrench he uses, we believe a firm shouldn’t be selected simply because of the tools it uses.

Our methodology evaluates the severity of vulnerabilities in the context of the organization’s risk profile. This provides our clients with a clear direction towards mitigating the highest and most concerning vulnerabilities. Upon completion of the penetration testing exercise, the results are codified into an executive report and the vulnerabilities are made available in a cloud-based SaaS platform for vulnerability management for later triage.

Our testing process is driven by six (6) fundamental steps:

  • Intelligence Gathering
  • Threat Modeling
  • Vulnerability Analysis
  • Exploitation
  • Post-Exploitation
  • Reporting

Penetration testing is a critical component of information security, providing an effective and on-going mechanism for identifying security vulnerabilities in a changing landscape and being able to map their corresponding impact to enable remediation before exploitation.

By going beyond the basic principles of protection, we apply our knowledge and experience to provide a complete picture of a client’s security to identify the threats and vulnerabilities aligned with the client’s overall business objectives.

Our industry-leading methodology incorporates the full spectrum of technology risks faced by our clients. Our penetration testing framework continues to evolve, bringing new insights tailored to our clients’ specific environment and business requirements.

Summary

A penetration test or “ethical hack” evaluates an application’s or network’s ability to withstand attack. During a penetration test, our penetration testers (or “ethical hackers”) are armed with the same tactics, techniques, tools, and procedures as today’s cyber criminals to hack into your network or application. Such an exercise uncovers vulnerabilities our clients didn’t know existed and helps ensure the security of their assets.

Our penetration testing services:

  • Prevent exposure between annual tests, eliminating point-in-time security;
  • Provide retesting, where possible, at no additional charge;
  • Provide ongoing testing throughout the subscription term every quarter; and
  • Allow our clients to control the breadth and depth of testing, number of targets, and efficacy of their network security monitoring capability.

Recurrent Penetration Testing, On Demand

Quarterly penetration testing provides continual insight into the security of our clients’ applications and networks. Whenever possible, subsequent tests will re-evaluate findings from prior tests so that our clients always have a current set of results available.

Application, Internal Network and External Network Testing

  • Using the methods of real-world attackers, our risk, audit, and compliance team demonstrates how a vulnerability can be exploited, then provides tactical and strategic recommendations for fixing the problem;
  • Controls testing schedules and budget;
  • Allows our clients to adapt to change more quickly, which will set the organization apart from competition; and
  • Empowers our clients to keep up with business demands without leaving security considerations behind.

Other Value:

  • Transcend Point-In-Time Security. Our quarterly penetration testing service provides ongoing insight into vulnerabilities within your networks or applications.
  • Integrate Security into Business Processes. Because our clients schedule testing when they need it, they can make security a priority throughout their software development and application and network management lifecycles.
  • Go live with confidence. By using application and network penetration testing from our firm, our clients rest easy knowing that an industry leader has identified the weaknesses within their applications or networks before cyber criminals can find and exploit them.
  • Establish or Maintain Compliance Standards. Our clients meet compliance requirements, such as the PCI-DSS, which requires security tests of in-scope network environments and applications. Our penetration testing services fulfill PCI-DSS requirements, such as sections 6.6 and 11.3, and provide ongoing evaluation of the security of their networks or applications to support HIPAA, Sarbanes-Oxley (SOX), FISMA and GLBA/FFIEC compliance efforts.
  • Make Security Testing Cost Predictable. Through our penetration testing subscription model, our clients are able to predict their annual operating expense for penetration testing.
  • Reporting and Metrics. Custom written reports provide multiple views of risk, remediation status, and compromised data and status across projects or tests. Historical views of test results allow for trend analysis and insight into your organization’s risk profile over time.

Client Results

We share our clients’ ambitions, working to understand their reality and deliver true results – focusing on strategic decisions and practical actions. We align our incentives with our clients’ objectives so they know we’re in this together as a closely-held partnership.

Securing the Connected Car

Major manufacturer of EDUs for connected cars retains Brier & Thorn to perform penetration testing that resulted in remote control of the connected cars the unit was installed in.

SaaS company for US healthcare exchanges and marketplaces retains Brier & Thorn for managed penetration testing services

Connecture, the SaaS provider to healthcare insurance providers of online insurance marketplaces and exchanges, retains Brier & Thorn for 3-year managed penetration testing services of its application.
