Download Your Copy of the Ransomware Penetration Test Sample Report Today!

The ransomware assessment included in OBPT is limited to only assessing the technical aspects. The ransomware risk assessment service offering not only assesses the technical aspects but also looks at the non-technical side to gain a deeper understanding of the risks and preparedness of an organization.

The ransomware penetration test includes: An analysis of the security program against the Cybersecurity Framework Profile for Ransomware Risk Management (NISTIR 8374) to identify gaps in people, processes, and technology. A technical assessment of security controls to identify the likelihood and readiness for a Ransomware attack.

From our experience, we have found that intruders continuously find the weakest link and utilize the path of least resistance to enter an organization’s network. This path circumvents a firewall’s configuration and implementation. The purpose of a firewall is to only allow specified traffic in or out as authorized – but if an attacker can hide within permitted traffic, they can undoubtedly use it to enter and exit as required. Common examples can include utilizing web, DNS, or email traffic to keep from being discovered. In most cases, the common weakest link in organizations are the staff that fall victim to phishing-based attacks that can be used to gain a foothold into the internal network that may lead to an intruder exploring sensitive assets.

Depending on the scope and size of the engagement, most security testing engagements fall between the range of weeks to months. In that time, the assessment of the network infrastructure involves testing all assets in scope, which can include a large number of services, applications and protocols being used by those assets. Given the budget of the client, time restrictions, and scope of allowable testing rules, in most cases the time and budget spent would be better utilized on the actual testing of the assets. Our team of consultants can spend the entire allocated time and budget on trying to bypass external defense mechanisms or create a sophisticated phishing campaign (as is done in objective-based penetration testing) until we gain entry, but by that time the budget may be well spent, leaving little opportunity for the actual security assessment. As such, in most situations, providing our consultants with VPN credentials or planting a device inside the network to ensure the network infrastructure can be thoroughly tested in its entirety will provide the most value.

The advantage of performing security testing in production environments is that it allows the testing to be conducted within the actual network conditions using the latest developments the staff has configured. This also helps to discover how attacking certain parts of a network or individual systems may affect other areas of the architecture. In many of our engagements, we have found that there are multiple ways to successfully infiltrate a network or laterally move within a network based on how well the services were connected with each other. By performing a test in a production environment, these paths can be explored and provide a level of insight not possible in situations where pre-production isolated systems exist. One of the small, possible disadvantages to full production environmental testing is that live systems may experience interference during normal operations. In most cases, this interference is minimal and is usually not even detected, but capturing relevant data can be absolutely critical to the result outcome. If special circumstances exist where these systems are inherently sensitive, it is possible to perform testing in pre-production environments. The difference being that the consultant would not have the opportunity to evaluate how the regular services accessed by this system would typically run for the organization’s users, customers or vendors. The pre-production test would simply focus on assessing the pre-production infrastructure integrity on its own.