Penetration testing consists of evaluating the security of the customer’s cyber assets by attempting to gain unauthorized access into the computer system, application, or network. As with all services described herein, this is done with the organization’s permission.
The process involves an active analysis for any potential vulnerabilities that can result from poor or improper configuration, known and unknown software/hardware flaws, or operational weaknesses in processes and technical countermeasures.
The analysis is carried out from the position of an adversary/hacker/threat emulator and involves active exploitation of vulnerabilities, in which the Red Sea Information Security team attempts to compromise cyber assets.
The team shall attempt to gain initial access and leverage that in order to gain additional privileges or access other hosts throughout the defined scope of the assessment. The Penetration Test service attempts to exploit vulnerabilities that have been identified in an organization’s systems (hosts, applications, database, or other computer-related resources). The results of this service shall detail the risk exposure for an organization’s systems and demonstrate how vulnerabilities can be exploited to gain access to these systems. Suggested remediation actions to lower an organization’s risk exposure shall also be provided.
During the penetration test, the Red Sea Information Security, LLC team shall not delete any live data, shall make every attempt not to disrupt current operations, and shall not perform any Denial of Service attacks. The team shall only concern themselves with discovering and exploiting vulnerabilities which provide greater-than-intended access to the system or network that is being tested. The Red Sea Information Security team shall be limited to the agreed-upon scope identified in the Rules of Engagement, even if the test team identifies access to other networks. A data exfiltration test of pseudo PII is an option within the Penetration Test as well.