Cloud Services Penetration Testing
- Highly trained and certified penetration testing team
- Proven penetration testing methodology
- Includes retest option to validate your fix actions
- Clear & concise reports with prioritized, actionable items
Cloud Services Penetration Testing Service
Hedgehog has extensive experience in working with all major cloud service providers. Shared services have become extremely common, and organisations are leveraging cloud services with increasing frequency. As a consequence, Hedgehog delivers cloud service testing and technical assurance as a core part of its penetration testing offerings.
Why is Cloud Service Penetration Testing necessary?
As more services migrate to the cloud, the need for cloud security testing increases. We deliver cloud-based penetration testing for cloud service providers as well as for the clients that use those services.
Whether it is Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS), Hedgehog's team of security experts is versed in all the major cloud-based platforms and environments.
Cloud Service Providers Hedgehog works with
Hedgehog has experience in testing many of the larger cloud-based environments, including Amazon's EC2 environment, Rackspace Managed Cloud and Microsoft's Azure platform. In addition, the methodologies and approaches developed within these environments give us insight into how to test other cloud-based services.
Similarly, for software houses and development companies that publish their applications into the cloud, Hedgehog has a range of services that provide system assurance for those offerings.
Types of vulnerabilities frequently identified in cloud environments
Cloud service testing is used to deliver assurance over the build and configuration of the service provider's environment. Cloud services can be made just as secure as on-premise services; however, through inadequate configuration it is common to see administrative UIs and management features exposed to the internet.
The types of issues Hedgehog frequently sees include:
- Exposed administrative UIs (including hypervisor and OS interfaces)
- Exposed management consoles
- Exposed administrative daemons
- Abandoned storage blobs
- Poor firewalling logic making other non-core services reachable from the internet
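The issues above are usually found by comparing what the provider's firewall rules and storage ACLs actually allow against what should be reachable from the internet. The following is an added example, not Hedgehog's own tooling, that runs that comparison over constructed, provider-neutral records: a list of security-group ingress rules and a list of storage containers with their ACLs and last-write dates. The admin port list, the record shapes, the reference date and the staleness threshold are assumptions; in a real assessment the records would be pulled from the provider's API.

```python
"""Flag firewall rules and storage containers that expose management surfaces.

Added example, not Hedgehog's tooling. All records below are constructed and
provider-neutral; real data would come from the cloud provider's API.
"""
import ipaddress
from datetime import date

# Ports commonly bound to administrative / management interfaces.
# Assumption: a reasonable default list, not an exhaustive one.
ADMIN_PORTS = {
    22: "SSH",
    23: "Telnet",
    2375: "Docker API (no TLS)",
    2376: "Docker API (TLS)",
    3389: "RDP",
    5985: "WinRM (HTTP)",
    5986: "WinRM (HTTPS)",
    8443: "Management UI (HTTPS alt)",
    9443: "Hypervisor / appliance UI",
    10250: "Kubelet API",
}

# Constructed ingress rules in a security-group-like shape.
# proto "-1" with no ports means "all traffic", as several providers encode it.
RULES = [
    {"group": "web-sg", "proto": "tcp", "from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"]},
    {"group": "web-sg", "proto": "tcp", "from_port": 22, "to_port": 22, "cidrs": ["203.0.113.0/24"]},
    {"group": "mgmt-sg", "proto": "tcp", "from_port": 3389, "to_port": 3389, "cidrs": ["0.0.0.0/0"]},
    {"group": "legacy-sg", "proto": "-1", "from_port": None, "to_port": None, "cidrs": ["0.0.0.0/0", "::/0"]},
    {"group": "docker-sg", "proto": "tcp", "from_port": 2370, "to_port": 2380, "cidrs": ["0.0.0.0/0"]},
]

# Constructed storage containers with their ACL and last write date.
BUCKETS = [
    {"name": "prod-assets", "acl": "private", "last_modified": date(2024, 5, 1)},
    {"name": "migration-dump-2019", "acl": "public-read", "last_modified": date(2019, 8, 14)},
    {"name": "old-logs", "acl": "private", "last_modified": date(2020, 1, 3)},
]


def is_world_reachable(cidr):
    """True when the source CIDR is the entire IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_ports(rule):
    """Port range a rule opens; an all-traffic rule opens every port."""
    if rule["proto"] == "-1" or rule["from_port"] is None:
        return range(0, 65536)
    return range(rule["from_port"], rule["to_port"] + 1)


def exposed_admin_services(rules):
    """Return (group, port, service, cidr) for admin ports open to the world.

    A wide port range or an all-traffic rule is expanded so that every admin
    port it silently covers is reported, not just rules that name the port.
    """
    findings = []
    for rule in rules:
        world = [c for c in rule["cidrs"] if is_world_reachable(c)]
        if not world:
            continue
        ports = rule_ports(rule)
        for port, service in sorted(ADMIN_PORTS.items()):
            if port in ports:
                for cidr in world:
                    findings.append((rule["group"], port, service, cidr))
    return findings


def risky_storage(buckets, today, stale_days=365):
    """Return (name, reasons) for containers that are public or look abandoned.

    Assumption: anything not written to for more than stale_days is a
    candidate for an abandoned blob that nobody is reviewing.
    """
    out = []
    for b in buckets:
        reasons = []
        if b["acl"] != "private":
            reasons.append("acl=%s" % b["acl"])
        if (today - b["last_modified"]).days > stale_days:
            reasons.append("no writes in >%d days" % stale_days)
        if reasons:
            out.append((b["name"], reasons))
    return out


if __name__ == "__main__":
    for group, port, service, cidr in exposed_admin_services(RULES):
        print("EXPOSED  %-10s %5d/%s from %s" % (group, port, service, cidr))
    for name, reasons in risky_storage(BUCKETS, date(2024, 6, 1)):
        print("STORAGE  %-20s %s" % (name, "; ".join(reasons)))
```

The "legacy-sg" all-traffic rule is the case that a quick scan of named ports misses: it never mentions port 3389 or 2375, yet it exposes both. Expanding ranges before matching is what turns "poor firewalling logic" into a concrete list of services to close.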
Hedgehog has an intricate understanding of how many of the shared technologies used to deliver cloud-based services are implemented. In addition, Hedgehog has extensive experience in identifying the vulnerabilities that these types of environments can create. As a consequence, Hedgehog is able to deliver highly effective testing strategies for all types of public and private cloud infrastructure.
Hedgehog has a defined security testing methodology that applies to testing IaaS, PaaS and SaaS environments. This methodology combines many of the steps found in our standard penetration testing methodology with our web application security testing methodology.
Penetration Test Report
The Penetration Test Report includes the URLs and IP addresses tested, reconnaissance (discovery) information, vulnerabilities discovered, steps taken during the assessment, exploitable areas, and prioritized recommendations. For any systems we are able to exploit, an Issue Detail section is used to discuss step-by-step the process we used to gain access, escalate privileges, etc.
Penetration Test Report Findings Review
We schedule either an in-person or online session with you where we walk through the report with your team and answer any questions about the findings, our methods, or the steps required for remediation. Many competitors deliver a confusing lengthy report at the end of the engagement for you to decipher. Our penetration test report review adds tremendous value because we can clarify findings and remediation steps.
How do you know the steps you took to fix our penetration test report findings actually worked? Validation removes the guesswork. When you're ready, after fixing the issues identified in the penetration test report, we offer a free re-test of those identified vulnerabilities. This is a crucial and often overlooked step in this process. Validating security controls, patches, and other fix actions is extremely important. We have discovered numerous organisations that thought they fixed a finding we identified, only to discover after a retest that the finding was still there.
Certificate of Attestation
The attestation letter serves as record of us performing the penetration test. It includes a summary of the findings. Its intent is for external use, outside of your organization, to show proof that a security assessment was performed and to highlight test results.
Frequently Asked Questions
- Penetration Test or Vulnerability Assessment, I'm confused. What do I need?
Great question. A vulnerability assessment is akin to looking at a house and writing down the make of the locks and the location of the doors and windows, all the while checking that they are closed and whether they are locked. A penetration test will attempt to pick those locks, open the doors and see what is behind them. A good penetration test will also try to build tunnels from the house to the tester's house, create an inventory of all your possessions, and many other things besides. We get a lot of questions about penetration testing, and we have tried to gather as many of the frequently asked ones as possible here.
- I have a mate who can test, what makes you better?
Almost everyone has a friend, peer or colleague who understands a little about security. We test 7 days a week, 365 days a year, and each tester spends a third of their time at conferences, on courses and doing research to stay at the top of their skill set. It is like comparing a race car engineer (the penetration tester) to a car garage engineer (the IT generalist with some tools) to the home garage hobbyist (the friend). Occasionally the friend will have an excellent level of skill, but this is the exception, not the norm.
- What tools do you use for a penetration test?
Our primary "tool" is the Mk1 Human. In our testers' arsenal are over 200 open-source tools, bolstered by more than 50 internally developed tools. On an average penetration test, 20% of the tester's time will be spent working with tools. These are important for covering a lot of digital ground in a small amount of time.
- Does your Gray Box Penetration Test include Black Box?
Yes, we perform the Black Box Penetration Test first, then perform the Gray Box. Our report shows which test the finding is linked to and which role, if we test multiple user roles for the Gray Box test.
- How often should we have a Penetration Test?
The best practice guideline is at least annually, but it really depends on what it is you are testing. If your environment is static and does not change, and you perform monthly vulnerability scans, then you are reasonably safe in having a penetration test every three years. If applications that change often are within your test scope, then you should test those applications separately after development and before UAT.
- What type of Penetration Test is done as part of the Cyber Essentials audit?
We are asked this question almost every week. Cyber Essentials and Cyber Essentials Plus include within the audit process a Vulnerability Assessment only. A vulnerability assessment is not a penetration test.
- We have regular vulnerability tests. Why do we need a penetration test?
A vulnerability assessment is one of the steps within the reconnaissance phase of a penetration test. In the grand scheme of a penetration test, the vulnerability assessment step constitutes about 5% of the test.
- I want a Penetration Test, how much will it cost?
In order to determine the cost, we need to have a discussion about the scope. While some firms will give you a quote blind, it is like asking a painter to paint a building in London without knowing which building and what type of paint. There are a lot of variables and these can only be fleshed out via a scoping conversation with one of our test team leaders.
- How do we know you are any good?
For the first engagement this is always a worry for clients. We are a CREST member company with a number of OSCP and OSCE qualified staff. Our engineers have a wide variety of experience covering multiple disciplines. Have a look at our testimonials to see what our clients think. But the main thing is we actually care about our clients and their security.
- When do you issue the certificate?
We typically issue the certificate after we perform the re-test, if included. This allows you to fix any issues we identify in the initial penetration test.
- Can I talk to a tester regarding my test and re-test results?
Of course. We positively encourage you to contact us if you have any questions about your testing results, if you need pointers on fixes, or if you want any explanation of the findings.