Who is this service for?
The service was developed with start-ups and SMEs in mind: the assessments are fairly quick, and the mix of automated and manual testing, combined with efficient report automation, makes this a good option for smaller organizations that need to be on a par with enterprise-grade assessments at a significantly lower price point.
Internal Vs External
It makes little sense to distinguish internal from external assessments given today's distributed infrastructure. In the majority of modern organizations roughly 30% of workstations sit in offices, 70% connect through VPN [1], and most information services have moved to the cloud (this reality may even have played a part in the naming of the company). Whatever assets are in scope will be tested regardless of where they sit on the infrastructure, provided, of course, that access and authorization to do so have been granted.
Methodology
Drawing on real-world attacks as well as industry-standard frameworks, such as the Open Source Security Testing Methodology Manual (OSSTMM), the National Institute of Standards and Technology (NIST) Special Publication 800-115: Technical Guide to Information Security Testing and Assessment, the Penetration Testing Execution Standard (PTES), and the Open Web Application Security Project (OWASP) Testing Guide v4.x, Chaosnet's methodology aims to deliver accurate and repeatable results that satisfy the testing requirements of most regulatory bodies (PCI DSS, HIPAA, etc.).
Outputs
Vulnerability Report
Each vulnerability will be listed in a table following the template below:
Vulnerability Register
The Vulnerability Register is an Excel spreadsheet that lets you visualize and parse every single finding in a form that is friendlier to automated processing than the Vulnerability Report. Typically this register is used to populate a vulnerability management platform, but it may also serve as a stand-alone tool that, with minimal changes and depending on the size of the organization, may be sufficient to track the status of mitigation.
Attestation Letter
For compliance purposes an Attestation Letter may be needed as proof that a vulnerability assessment or penetration test has been performed; this document is provided upon request with every PTVA assessment.
Data Management
Data in Transport
All data transmitted over the internet during the course of the assessment is encrypted: chaosnet relies on VPNs and remote access methods that use industry-standard encryption, and stronger settings whenever possible. All connections are authenticated using PKI and/or MFA based on FIDO2 hardware tokens.
Note: if the services in scope use unencrypted protocols (HTTP, FTP, Telnet, etc.), traffic to those services is only protected inside the VPN tunnel; there can be no expectation that the data itself is encrypted in transit.
Data at Rest
Data is kept on the assessor's workstations only during the course of the assessment. Once the assessment is closed, all data is encrypted before being placed in storage.
Data Retention
Closed-assessment data is stored for 3 years and automatically deleted after that period.
For recurring clients, exceptions to this policy can be made for long-term metrics or historical reporting.
Data Deletion Policy
In addition to the data policy described above, at the end of the assessment all data is deleted from the remote host, if one is being used. After the data has been deleted, the partition where assessment data was kept is overwritten with multiple write passes, and the system is then rebooted into recovery mode, which reinstalls the operating system and "calls back" to the chaosnet back-end to flag the box as ready for shipment. Only after these automatic steps have completed does chaosnet expect the equipment to be shipped back, avoiding the unnecessary risk of transporting hardware that still holds assessment data.
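The overwrite-and-verify step of that procedure, written out as an added example (this is not chaosnet's own decommissioning tooling). It runs against a file-backed image so it is safe to execute anywhere; on a real Send-box the target would be the assessment-data partition (an assumed device such as /dev/sda3), and the call-back endpoint, client certificate path and CALLBACK_URL/WIPE_TARGET variables are assumptions for the example.

```shell
#!/usr/bin/env bash
# Added example, not chaosnet's own code: overwrite the assessment-data
# partition, verify the result, then report to the back-end. Paths, the
# call-back URL and the environment variables below are assumptions.
set -euo pipefail

# Overwrite the target with one random pass followed by a zero pass, sync,
# and confirm the whole target reads back as zeros. Returns 0 on a verified
# wipe, non-zero if any byte is left non-zero. Works on a block device or,
# for a dry run, on a regular file of the same size.
wipe_and_verify() {
    local target="$1"
    local size_bytes
    if [ -b "$target" ]; then
        size_bytes=$(blockdev --getsize64 "$target")
    else
        size_bytes=$(stat -c %s "$target")
    fi

    # Pass 1: random data, so old content is not distinguishable from noise.
    head -c "$size_bytes" /dev/urandom | dd of="$target" bs=1M conv=notrunc,fsync status=none
    # Pass 2: zeros, which makes the final state cheap to verify.
    head -c "$size_bytes" /dev/zero   | dd of="$target" bs=1M conv=notrunc,fsync status=none

    # Verification: every byte must compare equal to /dev/zero.
    cmp -n "$size_bytes" "$target" /dev/zero >/dev/null
}

# Call-back step: tell the back-end this box is wiped and ready for shipment.
# Endpoint and client certificate are assumed; the connection is mutually
# authenticated with the box's own certificate (--cert).
report_ready() {
    local endpoint="${CALLBACK_URL:-https://backend.example.invalid/sendbox/ready}"
    curl --fail --silent --show-error \
         --cert /etc/sendbox/client.pem \
         --data "host=$(hostname)&status=wiped" "$endpoint"
}

# Only act when an operator names the target explicitly, so sourcing this
# file for its functions never touches a disk. The reboot into recovery mode
# is left to the image's own boot configuration.
if [ -n "${WIPE_TARGET:-}" ]; then
    wipe_and_verify "$WIPE_TARGET" && report_ready
fi
```

Run it as `WIPE_TARGET=/dev/sda3 ./wipe.sh` on the decommissioned box only. One caveat a practitioner should keep in mind: overwrite passes are a reasonable sanitization method for magnetic disks, but small form factor computers usually boot from SSD or NVMe flash, where wear-levelling keeps copies in blocks the OS cannot address. For those, the controller's own sanitize command (`nvme format --ses=1`, or `hdparm --security-erase`) or, better still, keeping the partition LUKS-encrypted and destroying its key slots with `cryptsetup luksErase` gives a stronger guarantee than any number of write passes.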
Equipment
Send-Box
The Send-box is a small form factor computer loaded with all the tools required to execute the assessment. Once installed on-site, the system uses a dedicated VPN to establish a channel of communication back to the chaosnet back-end, and all assessment data is transported through this VPN. A remote desktop protocol may be used as a contingency if the VPN fails; that channel is secured with TLS 1.2, using 2048-bit RSA or 256-bit elliptic-curve Diffie-Hellman for the key exchange and AEAD cipher suites for the confidentiality and integrity of every connection. Multi-factor authentication based on FIDO2 hardware tokens is required to establish either of these two connections.
Wireless
If the assessment includes wireless (802.11) testing, the Send-box ships with two additional devices:
WiFi Pineapple
The Pineapple is a multi-NIC 802.11 device that bundles tools for reconnaissance, man-in-the-middle attacks, client tracking, logging and reporting.
Alfa Card
The Alfa card is a USB Wi-Fi adapter built on a chipset that supports monitor mode and packet injection, traffic manipulation that is not possible with most common chipsets. Those capabilities are crucial for wireless assessments.
Input
In order to start the assessment certain data and documentation has to be exchanged:
- You provide the scope:
  - Internal subnets or host IPs
  - External assets (IPs, domain names, etc.)
  - Other identifiable assets that may be in scope
- You provide the deny list (optional):
  - Any assets you want to specifically leave out of testing
- If this step of the process appears challenging, we can schedule a scoping call to identify the scope list.
- I provide a Letter of Authorization, you digitally sign it
- Non-Disclosure Agreement:
  - If you don't have one, I will provide one, and you digitally sign it
  - If you provide one, I will sign it
- Other documents:
  - Pre-engagement I will provide a Statement of Work, you digitally sign it
  - Post-engagement I will provide a Statement of Deliverable Sign-off, you digitally sign it
[1] Zippia. "25 Trending Remote Work Statistics [2022]: Facts, Trends, And Projections". Zippia.com, Oct. 16, 2022. https://www.zippia.com/advice/remote-work-statistics/