Pentesting by real hackers
What is Pentesting?
Pentesting is a term often thrown around carelessly and marketed by people who think all you do is run Nessus and some scripts.
In reality, pentesting is the ability to expose and exploit vulnerabilities in hardware, software, infrastructure, and people. The ability to custom code exploits for the environment and understand the overall impact.
Pentesting involves several phases: recon (including scanning), exploitation, persistence, exfiltration and cleanup, reporting. It truly is hacking yourself to see how others might hack you, and then hardening your systems or code, then repeat until you are virtually resilient against anything. The key is to build pentesting into your lifecycle.
An educated user, is the greatest defense against a cyber adversary
At Ockom our goal is to educate and inform, as well as secure. We want to ensure our customers know why a vulnerability is a high risk with medium probability, and how you should remediate and sustain. To Ockom, the "why" is the most important goal.
Data breaches exposed 4.1 billion records in the first half of 2019 graph
The average cost per data breaches in 2019 was over $3.9 million.
Red Team Services
Embedded / Web App / Infrastructure / Mobile / Hardware
At Ockom, we don’t believe that each pentest is cookie cutter. We don’t even like to lead people into certain terms and ideas such as crystal and black box testing. We offer true tactical and strategic analysis and our goal is not to offer a blanket service, but rather help you understand the problem, solve the problem, and stay resilient.
Our pentesters, while proffesional, are hand selected by our founding team. Our team is curated from CTF winners, 0 day exploit writers, former NSA, USAF, or Group 8200 members, and less well known hackers who have made an impact in their domain of expertise. This ensures that our team is comprised of not only the very best in each area, but also works well together in a effective and efficient manner.
We believe that every company and every problem is different, which means every solution is different. Therefore regardless of size of company or issue, we’d love to begin the conversation and see how we can help.
Identification without exploitation
A vulnerability assessment characterizes the cybersecurity and resilience of a system in an operational context and provides reconnaissance information about the system in support of the tests providing information for a penetration test or adversarial assessment (black box test).
Where this type of assessment differs from a pentest, is that there is no exploitation involved and it is generally completely cooperative (e.g., not black box or adversarial). A vulnerability assessment generally attempts to identify all potential weaknesses, for example:
- Organizational processes
- Cyber infrastructure
- Physical infrastructure
People hacking people
Most hacks are conducted by exploiting the weakest link: the human. Humans are also the greatest variable in any organization, and often the least focused on. Our team can not only help expose previously unknown areas of potential weakness, but help to create effective training programs for all employees to stay vigilant.
While most people tend to think of social engineering attacks to be face-to-face or phone-to-phone interactions, the attack types can include:
- Phishing emails. These type of attacks usually include emailing an unsuspecting user a link to click on, which will allow the attacker to gain information or access.
- Shoulder Surfing. Where a user tries see sensitive data, such as someone inputting a pin number.
- Tailgaiting. Attempting to follow someone into a restricted area or where they do not belong
Cybersecurity Test & Evaluation
Cybersecurity Test & Evaluation (T&E) is defined by DoD 5000.02 and is process required in Development and Operations of DOD systems. It includes various types of cyber testing to be done at iterative stages of the information or product lifecycle. The goal of cybersecurity DT&E is to improve the resilience of your capabilities before beginning production and deployment. Early discovery of system vulnerabilities can facilitate remediation to reduce impact on cost, schedule, and performance.
The cybersecurity DT&E process consists of four steps: the first two steps are generally an analysis of the system or product requirements, design, operating environment, and early test artifacts; the third step is focused on identifying and closing vulnerabilities; and the fourth step is cybersecurity T&E in a representative environment against a robust cyber threat to confirm readiness for production. Steps 1–3 identify the specified, implied, and essential tasks1 necessary to improve cybersecurity in support of mission accomplishment.
The Ockom team can assist government agencies or contractors (or private companies wishing to adopt cyber T&E) in properly implementing cyber T&E (DT&E and OT&E) in their lifecycle and ensuring information systems and products are built and maintained securely.
Shift your security left
Product security involves more than supply chain security and ensuring that products have the right security controls. It goes all the way to the code which developers write, even before they import 3rd party libraries. Ockom believes that product security should go beyond the PSIRT, and encompass all of the product development lifecycle.
Ockom's expertise in exploiting all manner of devices and software, as well as our strategic capabilities gives us the edge in designing a solution into creating and building secure products and infrastructure. The Ockom Team can help with:
- Strategic product security planning
- Portfolio management
- Maintenance and product life planning stage
- Education and awareness
- Project planning
- Risk assessment and threat modeling
- Security requirements
- Secure coding
- Incident response
Let us hack you
Ready to begin a more secure future?
The Ockom team can help you