Physical Penetration Testing
Cyber vectors aren’t the only way your infrastructure security will be attacked – physical security is just as necessary to ensure your organization’s well-being. At Bishop Fox, we take an in-depth approach to testing physical security measures.
Bishop Fox’s social engineering methodology uses physical and electronic mediums to create sophisticated confidence games, which are designed to manipulate employees into performing sensitive actions or divulging proprietary information. These zero, partial, or full-knowledge assessments begin with in-depth research of the target employees and organizations. Next, the gathered information is assembled and analyzed by the team to provide a firm background for the creation of tailored, social engineering scenarios. As required, the team manufactures an elaborate body of evidence such as fake websites, planted evidence, and custom attack payloads. Using a combination of confidence tricks, fraudulent claims, and impersonation, the assessment team systematically attempts to manipulate target users, using email or phone, into performing actions that grant the team access to secured electronic assets. Finally, the assessment team leverages the illegitimately acquired access to perform unauthorized transactions and breach the security of confidential information. The social engineering assessment methodology adheres to industry leading practices while being tailored to each organization’s employee security policies, standards, and guidelines.
Telephony Penetration Testing
Bishop Fox’s telephony penetration testing methodology identifies and eliminates threats introduced by insecure modem deployments within an organization’s infrastructure. Modems used in tandem with remote access software on exposed systems create backdoors that could potentially render network perimeter controls such as firewalls, intrusions detection systems (IDS) and secure VPN solutions ineffective. Testing begins with automated war dialing all direct inward dialing (DID) ranges in scope to locate accessible modems and identify their associated applications. These results are manually confirmed before the assessment team performs targeted penetration testing against any discovered modems and attempts to gain unauthorized remote access to exposed resources.