Penetration Testing

Penetration Testing service provides cyber-attack simulations using real-world tactics, techniques and procedures (TTP).

Penetration Testing employs blended threat scenarios to test the effectiveness of your IT security defenses, policies and staff.

We deliver an integrated approach to assess your information security defenses by combining multiple testing strategies into a comprehensive offensive engagement, with the sole objective of gaining access to critical assets.

With Krypton Security, you can:

  • Improve your team’s organizational readiness
  • Gauge current performance levels
  • Improve training for defenders
  • Increase end-user information security awareness
  • Evaluate the effectiveness of your IT security defenses and controls
  • Gain objective insight into vulnerabilities that may exist within your environment

Red Team | Adversarial Attack Simulation

Red Team consists of conducting precision attacks against an organization in order to test the effectiveness and responsiveness of different parts of a security program.

Traditional penetration testing often excludes some of the avenues of attack and tactics that real attackers or threat communities are currently using in the wild.

Unlike traditional testing, an Adversarial Attack Simulation takes an integrated approach to assess your information security defenses by combining multiple testing strategies into a comprehensive offensive engagement, with the sole objective of gaining access to customer assets.

Krypton’s Adversarial Attack Simulation is comprised of the following engagement phases and components, customized to meet your security objectives:

  • Reconnaissance
  • Threat modeling
  • Attack planning
  • Electronic and physical perimeter testing
  • Exploitation and post-exploitation
  • Key findings and recommendations

Application Security - Code Audit

For Application Security Testing, Krypton can analyze any type of web application regardless of the language it is written with. A software code audit, when implemented early in the SDLC (Software Development LifeCycle), will result in a smaller overall attack surface and lower the risk of potential data loss.

We use the OWASP Testing Guide for its assessment methodology, while for other assessment types Krypton has created and developed solid methodologies for testing any type of application. Krypton web application testing relies on the use of real-world tactics, techniques, and procedures.

Testing ensures complete coverage of the OWASP Top 10 web application risk categories:

  • A1. Injection
  • A2. Broken Authentication and Session Management  
  • A3. Cross-Site Scripting (XSS)
  • A4. Insecure Direct Object References
  • A5. Security Misconfiguration
  • A6. Sensitive Data Exposure
  • A7. Missing Function Level Access Control
  • A8. Cross-Site Request Forgery (CSRF)
  • A9. Using Components with Known Vulnerabilities
  • A10. Unvalidated Redirects and Forwards

Black Box Testing

Automated web application scanning with validated results to reduce false positives.

White Box Testing

Manual and automated source code analysis of application code base to determine the source of issues that could result in exploitation.

Grey Box Testing

Manually utilizing credentials to gain access to the inner workings for the application.

Hybrid (White/Grey) Testing

White Box Testing results being fed into a Grey Box Test to reduce time and provide actionable prioritized list of issues.

Web Services & API Testing

Accessing the API services is based upon building attack scenarios upon the endpoints provided. This includes both credentialed and un-credentialed testing.

Mobile Apps

iOS and Android & services they connect to

Social Engineering

Krypton will execute Social-Engineering attacks on an organization’s target employees. Social-Engineering provides a baseline to the effectiveness of the education and awareness program and how well an organization can withstand a targeted social engineering attack. 

Social engineering attacks have been increasing in frequency, due to the ease of attack and the ability to circumvent a number of security controls to gain access to sensitive information. Attackers are finding it significantly easier to circumvent stringent perimeter defenses by targeting the organization’s user population.  Krypton performs a varying level of social-engineering attacks based on the maturity level of the organization which increases in sophistication as the information security program is enhanced.

With Krypton Security, you can:

  • Simulate advanced threat emulation with targeted attacks and test both education and awareness as well as technical controls from advanced attackers.
  • Evaluate the success of user education and awareness training.
  • Increase end-user information security awareness.
  • Evaluate the effectiveness of your IT security defenses and controls.
  • Improve training for defenders.
  • Supplement awareness training, required by PCI DSS, SOX, FISMA, HIPAA, etc.

This comprehensive process, when custom-tailored to the organization’s specific requirements, will allow us to discover as many potential attack vectors as possible – with the end-result of generating true, actionable intelligence so the necessary steps may be taken to eliminate these identified weaknesses using both technical and procedural safeguards before they may be used against the business and compromise operational integrity.

During this process, Krypton will work hand-in-hand with the client’s security and technical teams to complete the assessment. The output always includes a pragmatic report that details implementable solutions in a manner that is both useful to the organization’s technical department and clearly understandable to the management team.

Vulnerability Assessment

Vulnerability Assessments identify and rank the exposures present within our clients’ systems and network.

Industry-leading automated scanners, configured with optimized settings, are utilized to analyze the target environment. This process discovers misconfigurations, unsupported software, missing patches, unintentionally open services, and publicly disclosed exploits, to name a few. The information can then be used to formulate a plan to eliminate the threats or reduce them to an acceptable level of risk.

Krypton performs this assessment from a secure public server. We offer Vulnerability Assessments as a standalone service, but also includes scanning at the end of our Penetration Tests. The vulnerability scanning phase is used as validation to ensure only the most common exposures were identified, as well as confirms that each of the findings identified through vulnerability scanning is validated.

The Krypton Security consultants perform validation of the discovered vulnerabilities, excluding denial-of-service (DoS), and removes all false-positives.

Our report outlines various findings and includes the pertinent validation screenshot or data.

Physical Security

During physical security assessments, Krypton bridges both the physical security components with the technological component to bring a blended approach to attacking physical locations. 

Depending on the organization, Krypton can perform full attacks on physical locations which include piggy backing, lock picking, impersonation, badge cloning, and multiple other techniques to gain access to a facility. Krypton can also perform a physical security assessment that is overt in nature and does not rely on physically attacking the location itself.

With Krypton Security , you can:

  • Simulate a physical break-in varying on sophistication levels to gain access to sensitive areas of a location.
  • Combine the technology aspects and attempt to penetration the network once inside the organization.
  • Identify key areas of deficiencies within a physical location to determine improvements from preventing loss and breaches.
  • Test education and awareness program to identify if employees recognize patterns of attack such as piggy backing and badge cloning.
  • Improve and strengthen the overall physical security program by identifying direct weaknesses that an attacker can use to gain access to a location.