Cybersecurity Penetration Testing Services

As cybersecurity threats continue to intensify, organizations in every industry face unrelenting challenges. Securing intellectual property, data stores, personally identifiable information and other critical assets becomes more difficult every day. Achieving and maintaining a secure cyber environment now requires keeping up with constantly changing regulatory and compliance obligations as well as staying vigilant for zero-day vulnerabilities. As the risks increase, so does the likelihood that organizations will fall victim to a devastating cyberattack if they are not proactively identifying and eliminating cyber weaknesses.

Meet the Team

Thomas J. DeMayo

Partner, PKF O’Connor Davies Advisory LLC

Nick DeLena

Partner, PKF O’Connor Davies Advisory LLC

Scott Goodwin

Director, PKF O'Connor Davies Advisory LLC

Penetration testing – commonly referred to as “pen testing” – has become essential to mitigating the debilitating risk of hijacked data, compromised privacy, operational shutdown, reputational damage, financial penalty and substantial fiscal loss. These tests, which simulate a cyberattack within an organization’s existing information systems, are the only safe way to discover where cyber vulnerabilities exist – the first and critical step in cyber risk mitigation.

Only real-world tests of threat actor tactics, techniques and procedures can enable immediate cyber risk mitigation and peace of mind.

Comprehensive, Customized Testing

With a nuanced understanding of each client’s operations, technology, constituency and objectives, we are ideally equipped to investigate the most relevant cyber gaps, flaws, misconfigurations and deviations from information security best practices. As thorough as they are tailored, our tests probe the full range of technology environments and cyber attack scenarios, including:

• Internal Penetration Testing – Vulnerability analysis and exploitation executed from within an internal local area network, including network-level and host-based exploitation.
  
  
• External Penetration Testing – Detailed vulnerability enumeration and exploitation of client-owned or managed internet-facing assets, including the collection of open-source intelligence and testing of breached credentials.
  
  
• Cloud Penetration Testing – The identification and exploitation of vulnerabilities and misconfigurations in cloud-native environments.
  
  
• Social Engineering – The execution of sophisticated email, SMS and/or phone-based social engineering campaigns in an attempt to gather sensitive information, bypass multifactor authentication or execute malicious code on managed end points.
  
  
• Physical Security Assessment – The execution of in-person social engineering attacks in an attempt to gain unauthorized access to facilities.
  
  
• Wireless Penetration Testing – The identification and exploitation of vulnerabilities that are specific to an organization’s wireless network infrastructure.
  
  
• Web Application Penetration Testing – A detailed enumeration and exploitation of application code-level vulnerabilities that can be abused to gain unauthorized access to organizational information or back-end systems.
  
  
• Source Code Analysis – A detailed review of application source code to identify vulnerabilities resulting from insecure application development practices.
  
  
• Password Analysis – A test of password hygiene by systematically attempting to crack end-user, service account and administrator passwords using powerful hardware components.
  
  
• Adversary Emulation – A collaborative purple team approach to test security monitoring and alerting strategies in response to the most common attacker tactics, techniques and procedures.
  
  
• Red Teaming – An unannounced penetration test of the effectiveness of existing incident response capabilities.

Recommendations that Drive Mitigation

Once cybersecurity testing is complete, our pen testers report the precise information required to prove the existence of each vulnerability and how it might be exploited by cybercriminals. To help prioritize remediation activities, every finding is risk-rated. Our reports are comprehensive yet clear, presented in an easily understood narrative that describes the penetration test from beginning to end and details the overall attack chain.

Talented Cyber Specialists, Actively Engaged

In an arena that evolves faster than lightning speed, specialists must be directly and continuously engaged in industry research, interaction and innovation. Ours have identified previously unknown vulnerabilities in commercial software platforms, including cross-site scripting, SQL injection, privilege escalation and information disclosure. Working closely with vendors and external stakeholders, they identify remediation strategies and communicate these risks industry-wide by registering Common Vulnerabilities and Exposures (CVEs).

Highly credentialed, our team members hold the full range of certifications, including Offensive Security Certified Professional (OSCP), Practical Network Penetration Tester (PNPT), Certified Ethical Hacker (CEH) and Certified Information Systems Security Professional (CISSP), among others. They present regularly at industry conferences to ensure the cybersecurity community is apprised of common gaps and misconfigurations. As new attack tactics and techniques appear, they publish articles describing these issues in clear, compelling language to help our clients, colleagues and peers remain fully equipped to spot and dismantle emerging threats.

Hands-on Risk Evaluation

Advancements in artificial intelligence and automation enable our team to tap commercial, open-source and custom software components to focus on specific environments and attack vectors. Nevertheless, every penetration test is led by experienced information security specialists and every decision is made in collaboration with the client. This hands-on approach vastly strengthens the identification of threats likely to be overlooked by those who rely on automated scripts only. It also limits any negative impact on production systems and end-users while yielding the most valuable results for clients.

Effective Remediation Strategies and Solutions

Following the identification of deficiencies, our pen testers are adept at leading the implementation of practical remediation solutions. The strategies we develop are informed by our extensive experience and the latest industry insights, such as those concerning Digital Assets: Cybersecurity Considerations in an Acquisition. Often, the client’s existing resources can be deployed. If not, our professionals customize solutions to protect multi-layered systems and those with large amounts of confidential data. A complete remediation program also includes internal training that educates employees on their vital role in safeguarding the organization and its data.

Risk Exists. Proactive Cyber Protection is Essential.

Identifying and remediating technical cyber risk is a challenge for every organization, more so for those without a dedicated information security function. Working with knowledgeable advisors to continually harden networks, systems and applications against emerging threats is a cost-effective way to establish a mature information cyber security program. Proactively addressing material risks before they are exploited is a must as cyberattacks become more costly – operationally, reputationally and financially.