888-PIVOT-POINT

As many of the world's most prestigious organizations fall victim to industrial espionage, hacks, Denial of Service Attacks, and malware outbreaks, our realization of our joint vulnerability becomes that much more apparent. All Security / Control Frameworks (COBIT, ISO 17799, and HIPAA) advocate external review of critical security elements and ongoing Risk Assessments and controls monitoring. In support of this requirement, Pivot Point offers a wide range of Vulnerability Assessment & Penetration Testing Services.

Penetration tests are the most direct mechanism to substantiate the existing control environment, assess your organization's vulnerability to a malicious user, assess your system audit and monitoring processes, and test your Incident Response capability.

Internal Penetration Testing

An Internal Penetration Test identifies security weaknesses and strengths of the client's systems and networks as they appear to internal users, operating within the client's security perimeter. A significant benefit is that it concurrently mimics an attack on the internal network by a disgruntled employee, an authorized visitor having standard access privileges, and a malicious external user gaining access to the internal network.

Key focus points during Internal Penetration Tests include:

  • Identifying NOS and application vulnerabilities on high asset value / high risk systems including Primary Authentication Servers, Accounting Systems, ERP applications, executive desktops, extranet servers, etc.

  • Identifying protocol and network infrastructure vulnerabilities (clear text passwords, sniff-able network segments, poorly secured network devices, spoof-able switches, SNMP vulnerabilities, etc.)

  • Identifying Access control deficiencies (excessive or inappropriate user and application/service privileges)

  • Identifying System Security issues (excessive/non-essential services, patch management issues, application versioning issues)

Deliverables

The Pivot Point test team will deliver an Internal Penetration Test and Analysis Report that contains an executive security overview, details the processes / methodologies used, identifies and prioritizes vulnerabilities, provides recommendations for risk mitigation, and includes full detail / output of all data acquired during the test. The report will be delivered in bound hard copy format, via secure email (PGP preferred) or via SFTP.

To ensure that the Penetration Testing fully meets the business objectives of the engagement, the Perspective, Impact, Stealth, Intensity, Scope, and Point of Origin are client defined.

Perspective

Typically we assume one or a combination of three perspectives:

  • Black Box (aka Zero Knowledge) - our team assumes the role of a malicious internal user, with no previous knowledge of your network structure or security plan. The black box perspective most closely simulates a malicious external user on your network (e.g., a consultant plugging into an RJ45 in a conference room, an external hacker gaining internal access, a war driver gaining access via an un-secured WLAN)

  • White Box (aka Full Knowledge) - our team assumes the role of a malicious internal user, with access to some (dependent upon assumed role) level of detail of your network structure and security plan. This scenario is typically used to assess privilege escalation controls and to selectively target specific resources

  • Gray Box (aka Limited Knowledge) - our team assumes the role of a malicious external user with some knowledge provided as part of the test to protect certain systems / reduce the project scope, or the role of a malicious external user working with a malicious internal user

Impact

For each engagement (often defined to a system / segment level) the "allowable" impact of the penetration test is defined. Typically one or more of the following Impact postures are assumed:

  • LI - our team concentrates its efforts on gathering information (systems, OS's, Key Applications, Version & Patch levels, etc.). This information is correlated against known vulnerabilities, but no exploits are actually performed. This posture is typically only assumed for a limited number of "high risk" targets (e.g., a Financial Services system which is Fed connected, a life support system in a Medical Center)

  • MI - our team attempts all identified exploits except Denial of Service attacks. This posture is the most common posture assumed for most Penetration Tests

  • HI - our team attempts all identified exploits including Denial of Service attacks. This posture is generally assumed when an organization has reason to believe that it may be targeted by a malicious user. It is also used as a means of testing an organization's Incident Response capability

Stealth

Typically one of the following Stealth postures is assumed:

  • Quiet - our team assumes the posture of a typical malicious user. We are neither intentionally furtive nor noisy during our testing. We do not make any efforts to hide our ongoing activities. This posture is most typically used during normal investigative Penetration Testing or to assess Incident Response Capability in organizations whose CMM is low in this area

  • Stealth - our team assumes a stealth posture during the testing period. Foot-printing operations are done with the assumption that all ports are firewall filtered (e.g., packet fragmentation used), that Network Intrusion Detection Systems are in place (e.g., packet fragmentation, signature alterations, scans spread over longer periods of time), and that monitoring is in place. This posture is most typically used during Penetration Testing for organizations with well developed Security Infrastructures and Incident Response Capability

  • Secret Ops - our team assumes a covert posture during the testing period. In addition to the typical stealth operations, additional efforts are made to hide the testing, for example, scan locations are spoofed and rotated, logs are altered to remove evidence, and indirect scanning methods (e.g., idle scan) are leveraged. This posture is most typically used during Penetration Testing for organizations with well developed Security Infrastructures with a high risk posture

Scope

Internal Penetration Tests are often further scoped by Business Objective, Data Classification, Audit Objectives, Device Segmentation, Network Segmentation, Business Unit Segmentation, and other mechanisms. The number of potential scoping options is unlimited but may include:

  • System Specific (e.g., Primary Authentication Server, DNS Server)

  • Application Specific (e.g., ERP Application, Financial Application)

  • Data Specific (aka, Capture the Flag, e.g., source code, Patient Info, M&A info)

  • Business Unit Specific (e.g., Human Resources)

  • Network Segment (e.g., Extranet Servers)

Intensity

Typically one of the following Intensity postures is assumed:

  • Investigative - our team assumes the posture of a "typical" hacker. Our Penetration test is done with the same curiosity as that of a typical hacker. In the event that intriguing or easy compromises do not appear in the amount of time that a typical hacker might extend, we assume that the typical hacker would have moved on to easier opportunities and move on to other challenges. This posture is typically assumed if an organization wants to gain a quick assessment of their overall security posture

  • Tenacious - our team assumes the posture of a "determined" hacker (e.g., a disgruntled employee). Our Penetration test is done with an increased fervor, level of effort, and tenacity. More aggressive forms of hacking including dumpster diving, war dialing, war driving, and social engineering may be employed, dependent upon the client's objectives. This posture is typically assumed if an organization wants to gain a truer assessment of their overall security posture

Origin

The Point of Origin is another means of further defining the scope of a Penetration Testing engagement.

  • Single - our test team is limited to a Single Point of Origin for the Penetration test. For example, in a Capture the Flag engagement, our Point of Origin might be a network segment that is firewalled from the data we are trying to capture. In the event that our test team cannot cross the firewall, the Penetration Test is terminated

  • Multiple - our test team is allowed Multiple Points of Origin during the Penetration test. Using the same Capture the Flag example from above, after determining that our test team could not access the target data, our point of origin would be moved to another Network Segment and our efforts would resume. The advantages of a Multiple Point of Origin engagement are that it better reflects the reality of ever changing security postures:

    • New exploits are identified on a daily basis; accordingly, the firewall may be easily compromised the next day, and the security posture of the secondary segment would not have been validated in a Single Point of Origin engagement

    • An actual malicious user may gain access on a network segment other than the one chosen in a Single Point of Origin engagement



Copyright © 2000 - 2008 Pivot Point Security, Inc.