Penetration testing systems since 1989

Enex TestLab offers fully independent, cost-effective and flexible penetration testing services.

Our prices are compelling—just ask—but we also strive to deliver more value than anyone else. We’re the only truly independent, pure-play testing company around.

When it comes to trusting a third party with your secured networks and systems, independence is invaluable. It’s why security-sensitive organisations like the Australian Government have worked with Enex TestLab for decades. They can genuinely trust the results we produce—and our advice.

Enex TestLab also works across many different industries and organisations, delivering testing programs that range from traditional network security to gaming systems or even traffic systems.

It means that the penetration testing we do for you is backed up by teams of technical experts from all of our other testing activities—meaning we’ve got know-how in just about everything—yes, even toasters.

We can help you plan and design tailored testing to suit your environment and technologies.

If you’re not sure about what should be tested or what might be effective and efficient, chances are we’ve done this before.

You may just want a few extra testing resources, or your compliance sorted out, but you might prefer all the extra help and advice from someone you can trust.

We’re still independent and trusted after 25 years; talk to us about what’s of value to you.

testlab.com.au

Ph. 1300 662 592

Testing: AUSTRALIAN GOVERNMENT DEPARTMENT

OVERVIEW:

In 2013, Enex TestLab undertook penetration testing for a major Australian Government Department to help it validate the security of one of its websites.

Penetration testing and evaluation of specific aspects of the site was undertaken, including interrogation of the security implementations associated with the site’s data protection and handling of personal information.

As a result of Enex TestLab’s testing, the Department was able to clearly understand the security posture of its services.

INTRODUCTION:

This Department provides a vast range of valuable community and industry services. This website comprises one of its key public interfaces.

Enex TestLab has worked closely with this Department on a number of projects. Over many years Enex TestLab has provided frank, independent advice and support to the Department on critical issues including security, procurement and other technical matters.

As part of the Department’s security assurance program, the Department invited Enex TestLab to verify key components of its web application security by penetration testing the site.

REQUIREMENTS:

(Enex TestLab respects the confidentiality of its customers.) In broad terms, the requirements for testing included determining if:

> data collection and management by the site was secure, and

> information hosted on the site was vulnerable to manipulation or attack.

Enex TestLab advised the Department about suitable areas for focus, assisted in scoping out the technical requirement for testing, and maintained close communication throughout the planning and testing to keep all stakeholders informed as activity was undertaken.

TESTING:

Testing was undertaken over two days. Methods included a range of commonly available exploit tools, as well as a suite of more skilled and targeted approaches designed to fully test the website’s security—reflecting OWASP.

REPORTING:

A detailed report explaining any issues identified was provided to the Department, aligned to their assurance requirements, and advising technical staff of any further actions.

Enex TestLab penetration test reporting typically includes detailed findings, a summary of the issue, a risk assessment, a detailed description, an analysis of the business impact assessment and further recommendations.

OUTCOME:

The Department was given the assurance, certainty and advice it needed to securely handle personal information and continue to provide high quality advice and services to Australians.


FOR A GOVERNMENT EDUCATION AUTHORITY

OVERVIEW:

Enex TestLab delivered pen-testing on key web services for this Department’s Enterprise Service Bus (ESB).

This was undertaken in a pre-production environment, enabling augmentation of the Department’s system architecture for service requests via internet-based hosts.

INTRODUCTION:

As part of its centralised Enterprise Service Bus for schools, the Department engaged Enex TestLab to scope and implement pen-testing that would interrogate its application layer web services, and also look at the industry standards applied to specified servers.

REQUIREMENTS:

The Department required testing of specific web services. Testing was limited to a clearly defined scope:

> Penetration testing of a specified number of SOAP actions for a nominated web service from the perspective of an internet-based attacker.

> Penetration testing of specified web service hosting IP address(es) from the perspective of an internet-based attacker.

Enex TestLab’s focus was to identify if any of the Open Web Application Security Project’s (OWASP) Top 10 Web Application Security Risks were evident:

> Injection

> Cross-Site Scripting

> Broken Authentication and Session Management

> Insecure Direct Object References

> Cross-Site Request Forgery

> Security Misconfiguration

> Insecure Cryptographic Storage

> Failure to Restrict URL Access

> Insufficient Transport Layer Protection

> Unvalidated Redirects and Forwards

TESTING:

Within the scoped systems, a security assessment of key security controls was performed, looking at factors such as Authentication, Session Management, Data Validation, Authorisation, Data Security and Exception Handling. Criteria for each control were defined and tested, providing evidence of each aspect of the system’s performance against a range of attacks and techniques.

Testing was undertaken over a number of days, with the report delivered within the month.

REPORTING:

For any identified issues, Enex TestLab provided an evaluation, summary and detailed description (including code snippets and screenshots) as well as an analysis of the business impact and further recommendations.

A detailed Table of Compliance with CIS standards outlined gaps between existing and recommended security configurations.

OUTCOME:

All testing and reporting was delivered within scope, on time, on budget, without fuss. The Department was able to quickly understand, prioritise and address any issues identified, with the additional benefit of advice and support from Enex TestLab’s security experts.

Enex TestLab’s independence from technology or other interests meant this Department was able to be completely confident in the findings and recommendations.

Enex TestLab helped ensure this Department met its industry standards expectations.

TRAFFIC MANAGEMENT NETWORK UPGRADE PROJECT

OVERVIEW:

Enex TestLab provided penetration testing of the security of key networks and systems associated with a major roadway upgrade, addressing one of the most sophisticated road management systems in existence.

The roadway’s complex management systems are responsible for the safe journeys of hundreds of thousands of daily commuters. They are critical to the safety of its users, so could not simply be taken down for testing. To deliver this penetration testing project successfully, Enex TestLab worked closely with the management authority’s traffic engineers, guiding them through the testing process from start to finish.

Testing had to be undertaken in the live production environment, so we scoped out a program that would shift testing to the night time when traffic loads would be minimal. Testing was concentrated on an agreed set of specific network components.

As a result of Enex TestLab’s guidance, support and delivery, the roadway’s management team now has a clear understanding of the security condition of these parts of its network, helping to keep thousands of daily road users safe from cyber-attack.

INTRODUCTION:

With massive expansion of its network infrastructure and systems to support one of the busiest and most technically sophisticated roads imaginable, this traffic management authority engaged Enex TestLab to perform security testing of its operational project and corporate networks supporting the roadway.

REQUIREMENTS:

Specific requirements for testing included answering key questions:

> Is it possible for an attacker to gain access to the roadway network from the authority’s corporate network?

> If access to the protected road network is achieved, what can an attacker gain access to?

> Are the network device configurations aligned to expected security standards?

The testing scope extended to identify constraints, issues and risks associated with the environment, including:

> determining the likelihood of threats

> evaluating the associated risks

> advising of appropriate mitigation

TESTING:

As the freeway was fully operational, testing was undertaken without impact on the operations of the network.

Internal attack: In order to simulate an attack originating from the corporate network, Enex TestLab performed penetration testing of a number of key hosts, as well as any hosts visible through the firewall.

Testing was both active (including brute-force attacks and exploitation of any identified vulnerabilities) and passive (sniffing and analysis of network traffic).

Assessment of the network: Enex TestLab performed testing of a number of internal networks using a similar active and passive approach to the attack phase testing.

NETWORK DESIGN, PROCESS AND FIREWALL REVIEW:

This project also included an evaluation of selected devices and firewalls including:

> firewall rules

> configuration of routers, switches and firewalls

> alignment with industry standards and guidelines

> physical security of devices

Enex TestLab was able to provide a detailed and customised risk evaluation for each item, including assessment of impact and likelihood.

REPORTING:

For any issues identified, Enex TestLab’s customised reports included an evaluation, summary and detailed description of the issue, as well as analysis of the business impact assessment and further recommendations.


OUTCOME:

The road authority became appropriately informed about any issues affecting its network and systems, and was given the information and further advice it needed to make the changes that were recommended.

Enex TestLab’s independence from technology or other interests meant the road authority could be completely confident in the findings and recommendations.

The reporting and delivery helped ensure the authority was able to meet its governance requirements and industry standards expectations.

testlab.com.au | Ph. 1300 662 592 | Australia | Europe | China
