Here at 0meta Security, our mainstream service is tailored penetration tests. Penetration testing is a method for proving how effective your organization’s defenses are against external and internal threats.
A failure of your defenses can result in damage to data, loss of trade secrets, extortion, disruption of activities, loss of reputation with partners or customers, or even criminal charges.
Until you’ve tested your current defenses, how can you know where to improve?
A penetration test serves as a data point against the unknown, quantifying risks into actionable items that can be addressed by your organization. Testing is useful before embarking on new business ventures to design infrastructure and supporting policy. Testing is useful in understanding old or inherited networks and computers. Testing is useful for finding risks where you didn’t even know they were lurking.
0meta’s penetration testing services are low-volume, thorough engagements designed to simulate an external threat to your organization. We do this through the use of tools and procedures that mimic how an adversary would compromise your business. Because of the scrutiny we place on your networks and services, we typically insist on a 2 week minimum for the engagement period, and prefer longer if the scope of the test demands it.
As a result, we have somewhat lengthy lead-in times, both for scheduling and for getting to know a client in order to assure all parties that 0meta is a good match for your business, and vice versa. Setting expectations for our clients is the first step to a successful test.
During the test, your business is our only client, and we focus our full attention on your engagement. Our low-volume model allows us to address a wide variety of attack vectors, and even allows for some interesting campaigns that don’t make sense in a checkbox-style one week engagement.
For 0meta Security, our penetration tests are a matter of professional pride and ethics; a good test isn’t just scanning for vulnerabilities and submitting a report. If your business is just looking for a regulatory checkbox, we probably aren’t the company for you.
When you meet with us, or contact us by email or other means, you always speak to a penetration tester, and not a salesperson. We aren’t here to upsell you on testing that is irrelevant to your organization, or to try to scare you into buying our service. You have risks you want to understand, and our goal is to help you understand your risks through focused testing and enumeration.
Our initial meeting will involve understanding your business or organization, what you do, how you do it, and most importantly, your goals for the test. We will create a statement of work and present our contract that covers the rights of all parties and the risks involved. Once the scope of the test is finalized and partial payment rendered, the testing will begin on the schedule agreed to up front.
The frequency of contact during the engagement is a matter determined during negotiations, but in general more frequent updates make a test take longer. Our preference is for communication only when we are going to do something that involves elevated risk, or at pre-determined engagement goals such as the breach of the network perimeter or total control of a Windows domain. If the scope of the test should be widened based on findings we make during the engagement, the statement of work and contract will have to be amended before the extra scope can be addressed.
At the end of the engagement, our deliverable is a report with the full details of our findings, copies of custom code written during our testing, and all relevant methodologies used. We will meet with stakeholders to go over the findings if possible, to make sure that IT personnel understand our results. At that point, final payment is rendered and it is up to the organization to address the findings internally.
If you’re interested in a more in-depth rundown of the stages of an engagement, we have a PDF with a full explanation here.