Pentests/Vulnerability Assessment - a primer

May 7, 2024 · 5 minutes read

Who is this service for?

The service was developed with start-ups and SMEs in mind: the assessments are fairly quick, and the mix of automated and manual testing, combined with efficient report automation, makes this a great option for smaller organizations that need to be on par with enterprise-grade assessments at a significantly lower price point.

Internal Vs External

It makes no sense to distinguish internal from external assessments given today’s distributed infrastructure. In the majority of modern organizations about 30% of workstations sit in offices, 70% connect through VPN[1], and most information services have moved to the cloud (this reality may even have played a part in the naming of the company). Whatever assets are in scope will be tested, regardless of where they sit on the infrastructure, provided, of course, that access and authorization to do so have been granted.

Methodology

Drawing inspiration from real-world attacks as well as industry-standard frameworks, such as the Open-Source Security Testing Methodology Manual (OSSTMM), the National Institute of Standards and Technology (NIST) Special Publication 800-115: Technical Guide to Information Security Testing and Assessment, the Penetration Testing Execution Standard (PTES), and the Open Web Application Security Project (OWASP) Testing Guide v4.x, Chaosnet’s methodology aims to deliver accurate and repeatable results that satisfy the requirements of most regulatory bodies (PCI, HIPAA, etc.).

Outputs

Vulnerability Report

Each vulnerability will be listed in a table following the template below:

Vulnerability Register

The Vulnerability Register is an Excel spreadsheet that makes it possible to visualize and parse every single finding in a form that may be friendlier to parsing than the Vulnerability Report. Typically this register can be used to populate a vulnerability management platform, for example, but it may also be used as a stand-alone tool that, with minimal changes and depending on the size of the organization, may be sufficient to track the status of mitigation.

Attestation Letter

For compliance purposes, an Attestation Letter may be needed as proof that a vulnerability assessment or penetration test was performed; this document can be provided upon request with every PTVA assessment.

Data Management

Data in Transport

All data transmitted over the internet during the course of the assessment will necessarily be encrypted: chaosnet always relies on VPNs and remote access methods that support industry-standard encryption schemes, and exceeds those whenever possible. All connections are authenticated using PKI and/or MFA based on FIDO2 hardware tokens.

Note: If the protocols being accessed aren't themselves encrypted (http, ftp, telnet, et al.) there can be no expectation of that data being encrypted in transit on the target network.

Data at Rest

Data is kept on the assessor’s workstations only during the course of the assessment. Once the assessment is closed, all data is encrypted and stored for a period of 3 years, and is automatically deleted after that period.

For recurring clients, exceptions to this policy can be made for long term metrics or historical reporting.


Data Deletion Policy

In addition to the data policy described above, at the end of the assessment all data is deleted from the remote host, if one is being used. After the data is deleted, the partition where assessment data was kept is subjected to multiple overwrite and delete passes; the system is then rebooted into recovery mode, which reinstalls the operating system and ‘calls back’ to the chaosnet back-end to flag it as ready for shipment. Only after these automatic steps have completed does chaosnet expect the equipment to be shipped back, avoiding the unnecessary risk of transporting hardware devices that still hold assessment data.
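The overwrite-and-verify part of that sequence, as an added illustration that is not chaosnet's own tooling: the page applies it to a whole partition, while this script (assumed helper names `wipe_target`, `verify_wiped`, `secure_delete`) works on a regular file so it runs unprivileged, and it checks that a known plaintext marker is gone before unlinking. The reboot-to-recovery and call-back steps are not modelled.

```shell
#!/bin/sh
# Added example, not chaosnet's tooling: multi-pass overwrite of a target,
# verification that known data is no longer readable, then deletion.
# Assumption: POSIX sh with dd, grep, wc and mktemp available.

# wipe_target TARGET [PASSES]
# Rewrites every byte of TARGET in place (conv=notrunc keeps the same blocks),
# alternating random and zero passes, and finishes with a final zero pass.
wipe_target() {
    target="$1"
    passes="${2:-3}"
    size=$(wc -c < "$target" | tr -d ' ')
    [ "$size" -gt 0 ] || return 1
    i=0
    while [ "$i" -lt "$passes" ]; do
        if [ $((i % 2)) -eq 0 ]; then src=/dev/urandom; else src=/dev/zero; fi
        dd if="$src" of="$target" bs="$size" count=1 conv=notrunc 2>/dev/null || return 1
        i=$((i + 1))
    done
    dd if=/dev/zero of="$target" bs="$size" count=1 conv=notrunc 2>/dev/null || return 1
    sync
}

# verify_wiped TARGET MARKER
# Succeeds only if the plaintext MARKER can no longer be found in TARGET.
# -a treats the (now binary) file as text, -F matches the marker literally.
verify_wiped() {
    ! grep -q -a -F -- "$2" "$1"
}

# secure_delete TARGET MARKER [PASSES]
# Full sequence: overwrite, verify, then unlink. A failed verification stops
# before rm so a bad wipe is not hidden by a successful delete.
secure_delete() {
    wipe_target "$1" "${3:-3}" || return 1
    verify_wiped "$1" "$2" || return 2
    rm -f -- "$1"
}

# Stand-alone demonstration on a constructed temporary file.
demo=$(mktemp)
printf 'ASSESSMENT-DATA-MARKER (constructed sample)\n' > "$demo"
secure_delete "$demo" 'ASSESSMENT-DATA-MARKER' 3 && echo "wiped and removed: $demo"
```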

Equipment

Send-Box

The send-box is a small form factor computer loaded with all the tools required to execute the assessment. Once installed on-site, the system uses a closed VPN to establish a communication channel back to the chaosnet back-end. All data will be transported through this VPN. A remote desktop connection protocol may be used as a contingency in case the VPN fails; it uses TLS 1.2 to secure the traffic, with 2048-bit RSA or 256-bit elliptic-curve Diffie-Hellman asymmetric key exchange and AEAD cipher suites protecting every connection. Multi-factor authentication based on FIDO2 hardware tokens is required to establish either of those two connections.

Wireless

In case the assessment includes wireless (802.11) testing, the Send-box will include two additional devices:

Pineapple wifi

The Pineapple is an 802.11 multi-NIC device that contains tools for reconnaissance, man-in-the-middle attacks, tracking, logging and reporting.

Alfa Card

The Alfa card is a Wi-Fi USB network adapter that uses a particular chipset allowing traffic manipulation (such as monitor mode and frame injection) that is otherwise not possible with other, more common chipsets. Those added features are crucial for wireless assessments.

Input

In order to start the assessment certain data and documentation has to be exchanged:

  • You provide the scope:

      • Internal subnets or host IPs

      • External assets (IPs, domain names, etc.)

      • Other identifiable assets that may be in scope

  • You provide the deny list (optional):

      • Any assets you want to specifically leave out of testing

If this step of the process appears challenging, we can schedule a scoping call to identify the scope list.

  • I provide a Letter of Authorization, you digitally sign it

  • Non-Disclosure Agreement:

      • If you don’t have one, I will provide one, and you digitally sign it

      • If you provide one, I will sign it

Other Documents

  • Pre-engagement I will provide a Statement of Work, you digitally sign it

  • Post-engagement I will provide a Statement of Deliverable Sign-off, you digitally sign it



  1. Zippia. “25 Trending Remote Work Statistics [2022]: Facts, Trends, And Projections.” Zippia.com, Oct. 16, 2022, https://www.zippia.com/advice/remote-work-statistics/ ↩︎