Never, Never, Never

SystemExperts never outsources nor subcontracts this work. We never use hackers and we never leave systems in a less secure state than when we found them (no back doors) - many other firms cannot say the same.

SystemExperts regularly performs several types of penetration testing. For each of the testing scenarios described below, our reports focus on concrete and practical measures you can take to address any deficiencies we might find. Some of the testing scenarios we frequently perform include:

Internet Exposure Profile ^SM
(also known as Tiger Team Attack or White Hat Penetration Testing)
As a skillful outsider on the Internet, we focus on vulnerabilities related to TCP/IP protocols and services. We specifically look for problems in your DMZ or firewall setup, the configuration of your systems, and unauthorized access to resources in your environment. In this test scenario, we will attempt to gain privileges on systems (either at an application level or system level) and see if we can reach data.

Web Application Vulnerability Assessment
(Web Content Review^SM)
As a skillful outsider on the Internet, we focus on vulnerabilities related to your web applications and your web infrastructure. In this test scenario, we will attempt to escalate privileges, potentially reach the back end database, or identify instances where customer-private data may be exposed.

A popular optional service conducted as part of a Web Application Vulnerability Assessment is the Larcenous Customer Scenario^SM . In this scenario, you will provide our consultants with standard user-credentials for your environment. Using these credentials as a starting point, we will determine if one user can see data from other users' accounts or masquerade as another user.

Denial of Service Review
Some of the most visible hacker attacks of the recent past have been denial of service attacks. In this test scenario, we will assess your vulnerability to a wide range of both point-source and distributed denial of service exploits. In considering a Denial of Service Review and unlike all of the other testing scenarios described on this page, it is important to understand that this type of testing requires substantial advance planning and close coordination during the actual testing.

Dial Exposure Review (Wardialing)
While Internet based attacks are getting the headlines, hackers continue to use direct dial attack techniques to do significant damage to companies. By systematic dialing and analysis of your telephone resources, we will assess your exposure to this classic form of hacker attack.

System Hardening Assessment
Many organizations deploy standard builds to support key Internet accessible services or environments. These builds typically consist of class of computers, an operating system configured in a particular way, and a set of layered software products. Fully understanding the security profile of your standard platforms is critical in understanding the security profile of your enterprise.

In other cases, organizations deploy mission critical applications on a hardware and software platform outside the firm�s technical expertise. Assessing the security hardening of these critical systems makes sense.

IP Services Inventory
Large organizations often lose track of the IP-based services they are exporting to the Internet. Periodic remote scanning of their external address space enables them to better manage their exposure by eliminating unnecessary security vulnerabilities.

SystemExperts will remotely scan your external IP address space for IP based services accessible from the Internet. For each IP address scanned, SystemExperts will look for service availability on well-known TCP and UDP ports and we will categorize whether service availability is either open (reachable) or closed (not reachable). The deliverable is a spreadsheet containing the IP Services Inventory.

Some of our clients stop at this point and remove any unexpected/unnecessary services that we found. Others prefer more closure. After remedying the problems, they provide us with a Rescan List. SystemExperts then remotely rescans the IP addresses in the Rescan List and updates the IP Services Inventory spreadsheet to reflect any changes.

Firewall Review
Firewall rules tend to grow by accretion; changes to the rules are made to support the evolving needs of the business and they tend to accumulate over time. Too often, the rule set grows too large to be readily understood. Too often, later rules contradict earlier rules. Too often, a particular business need that required a specific opening in the firewall, no longer exists but the opening remains as a historical artifact. SystemExperts will work with you to document how the firewall should function and review the configuration to determine if the configuration is consistent with the expected behavior.