
Vulnerability Assessment and Penetration Testing

 
Noblis has extensive experience in vulnerability assessment and penetration testing of networks and systems. Our methodology for system testing combines automated testing tools that assess vulnerabilities with a flaw-hypothesis-driven testing protocol that attempts to discover and exploit the proposed system-level flaws. Noblis has developed data mining tools that reduce the flood of information collected during the assessment process to a manageable subset that provides helpful guidance for the penetration tester.

Noblis has performed both physical and cyber penetration attempts against clients. We have performed white-box testing (where all system details are known to the tester) and black-box testing (where the tester has no prior information). We also perform independent, unannounced penetration testing to determine whether an organization is prepared to resist attacks. Noblis assessment experience includes application-level assessments as well as network-level assessments.

As an example of Noblis capabilities in penetration testing, Noblis worked for an agency that handles and oversees large-value financial transactions. The agency's audit department is responsible for oversight of the internal information systems. Its oversight responsibility includes verifying the confidentiality and integrity of all the transactions that the organization processes. However, the audit department has limited ability to see what actually takes place in the organization's day-to-day operations. The internal Information Technology (IT) department that ran all internal data systems was far too large for the audit department to oversee effectively. As a result, the audit department was unable to satisfy itself that the internal security controls were being effectively and consistently implemented. Significant security flaws could exist that the auditors had no way to verify.

Noblis worked with the audit department to understand the types of systems and software being used in the agency and used that information to identify the systems whose compromise would be particularly serious. With that information, Noblis then used public information to help identify methods of penetrating the agency's network. These included testing the systems for vulnerabilities over the Internet, using automated dialing software ("war dialers") to find unprotected modems, and making manual penetration attempts to try to breach the security of the agency's systems. Noblis uses commercial and freely available tools to do much of the initial testing during these penetration tests, but also relies heavily on the experience of its network security professionals for finding and exploiting unprotected systems. A side effect of the penetration testing is that the audit department learned how effective the IT department was at detecting break-in attempts: initially the probes were done slowly and were able to avoid detection. It was not until the penetration attempts were ratcheted up to a high rate that the probes were detected.

As a result of the penetration testing, Noblis was able to find information on an internal web server that led to compromise of one of the sensitive financial systems within the agency. The audit department was able to demonstrate to the IT department that an outsider could compromise the system. This demonstration led to corrections for the problems found, along with an improvement in the daily operations of the agency to avoid the specific issues that led to the compromise. The application of Noblis's unique expertise in defending against computer system penetration led to finding a flaw before it was exploited and improved the security awareness within the agency.


Noblis, Inc., 3150 Fairview Park Drive, Falls Church, VA 22042, 703-610-2000. Copyright 2012 Noblis, Inc. All rights reserved.