Penetration Testing

The CyberGRC penetration test is used to validate proper implementation of all remediation recommendations and strategies documented during the vulnerability assessment phase. Unlike the vulnerability assessment phase, where our white hat staff passively identify vulnerabilities on the network without impacting the business, the penetration test is more aggressive and attempts to actually compromise the network environment. A penetration test validates that your network can withstand attacks like denial of service and is not susceptible to exploitation tools used by the black hat intruders intent on damaging your brand. Any final vulnerabilities are identified from a more finite perspective and, once removed, your network perimeter is considered hardened at that point in time. It is common for our white hat staff to completely breach a customer network during this phase, and this is the ultimate opportunity for training and creating a long-term security strategy within the organization. This gives your team the ability to defend against common attack strategies such as malware, Active Directory breaches and post-breach persistent connections to external attack servers, which is vital to the success of your business.

CyberGRC is the de facto expert in the penetration testing sector and covers a variety of technologies!

Here are just a few:

  • Perimeter Segments (DMZ, RAS, & Extranet)
  • Internal Segments (LAN, WAN, & VPN)
  • Wireless Networking (WLAN & WWAN)
  • Telephony (VoIP & Traditional TDM)
  • Virtualization Infrastructure (Server, Desktop, Cloud)
  • Application Architecture (Web, Database, & Stand-Alone)
  • Mobile Cloud Computing (BYOD Systems)

Social Engineering

Social engineering is the art of evaluating the security posture of an organization’s user community and physical security systems. This is done through specialized hacking techniques such as but not limited to “phishing”, random phone calls, information gathering, and tailgating. Social engineering is an attack on humanity and reveals weaknesses in the characteristics of employees due to improper training programs implemented within an organization’s security program. Social engineering further reveals gaps in the physical security system of the organization.

Social engineering is absolutely everywhere and all around us today; just think of the larger social media sites. The more sophisticated the hacker, the more effective this type of exploitation can be when utilized to attack a customer. Notice we didn’t say customer network? Social engineering refers to what is commonly called “Poor Man’s Hacking” or “No-Tech Hacking”. This is where the black hat will track specific employees’ physical habits, such as taking pictures of their employee badge to reprint with their face, or tailgating into a physical location to socialize with employees as though he/she was part of the team. Tasks such as these are often the beginning of a more sophisticated breach, and creating a risk mitigation plan for them is just as critical as hardening your perimeter.

This unique assessment enables clients to discover their overall security and defense posture against these generic but sophisticated attacks. CyberGRC will then build a remediation strategy to enable the business to operate in a more secure and efficient manner.


CyberGRC has built a state-of-the-art social engineering methodology to conduct our ethical hacking engagements. This methodology allows our consultants to quickly pinpoint and remediate security risks existing within an organization’s security program, which is critical in preventing black hat hackers from exploiting these vulnerabilities to quickly identify and gain access to key corporate assets.

Example Social Engineering Tasks:

  • Lock Picking
  • Magnetic Door Brute forcing
  • Alarm System Avoidance
  • Ventilation System Entrance
  • Access Door Tailing / Piggy Backing
  • Access Badge Procurement
  • Access System Bypass
  • Surveillance Camera Redirection

Vulnerability Assessments

A typical relationship with CyberGRC usually begins with a vulnerability assessment where we take the initial steps a black hat hacker would take in order to begin a breach of your network. The methodologies used by our team are similar to those used by the black hat community. The tools, tips and tricks are learned over many years of working to protect our customers’ networks. After years of doing these assessments for our customers in production environments, we tend to see the same mistakes made repeatedly. This is not due to customers lacking talent on their IT teams, but more so that they are short staffed and have vendors with myopic security strategies that don’t protect them holistically.

External Vulnerability Assessment

The public side of your network accessible via the internet presents the largest risk globally to an external breach. CyberGRC will conduct a complete assessment of your perimeter, develop a remediation strategy and assist in the implementation process to prevent attacks such as denial of service or long-term breaches.

Internal Vulnerability Assessment

A large percentage of breaches are commonly reported to occur from within the corporate network. This is usually from a disgruntled employee, contractor or individual targeting the organization. CyberGRC will assess your internal environment in order to identify potential vulnerabilities that could allow access to confidential assets. During this process, CyberGRC will further conduct tasks such as reviewing password complexities, encryption systems, patch strategies and virus protections. We’ll also sample the hardening of workstations and servers to shed light on the organization’s security posture.

Application and Database Assessments

During an attack and breach, it is common for the hacker to compromise system applications and databases. The CyberGRC application assessment exposes vulnerabilities in the database architecture and all tiers of the application. Sub-system exploitation is common to the more sophisticated black hat groups; securing these elements on both the client and server side of the network is the goal.

The CyberGRC white hat methodology used in our application penetration test is the most comprehensive technique to establish application security. The combination of code review and manual testing delivers the most accurate, real life view of your application security available.

No application is immune from exposure to the black hat; our team performs assessments on applications for small and large organizations. Regardless of the complexity or security features, our team has the experience to deliver.

Application Code Review

The assessments utilize various database and application attack strategies:

  • SQL Injection
  • Cross-Site Scripting
  • Arbitrary Code Execution
  • Authentication Bypass
  • Input Validation / Input Tampering
  • URL Manipulation
  • Hidden Variable Manipulation
  • Buffer Overflows
  • Cookie Modification

Application penetration testing is used to expose the exploitable risk of a vulnerability. Testing applications manually is often the only way to validate the use of security controls like centralized authentication gateways, URL-based access control mechanisms and web app firewalls.

The CyberGRC application code review is completed by our most experienced white hat hackers. Software vulnerabilities are exposed via manual review. We’ll use state-of-the-art tools to expose these vulnerabilities and support returning the application to a secure state.

We help your team deploy secure applications that will allow you to align IT with your business drivers!

Secure Network Design

CyberGRC uses an industry standard best practices methodology which is comprehensive, yet flexible and will work “within” business process objectives. CyberGRC provides professional security services for the full life-cycle of an internetworking system; including planning, design, implementation, operations and optimization (PDIOO), and maintains expertise in the most complex security technologies and multi-vendor environments.

Our expertise encompasses all aspects of today’s technologies such as:

  • Network Infrastructure
  • Voice Over IP (VoIP)
  • Wireless Networking
  • Server & Desktop Virtualization
  • Mobile & Cloud Computing

Cyber Security Policy and Procedures

Policy Assessment Review & Gap Analysis

CyberGRC will conduct an assessment on all documented security policies and procedures for proper adherence as related to ISO 27001 / 17799 industry standard best practices. This assessment will allow CyberGRC to conduct a gap analysis between the organization and industry standards. From there, CyberGRC will be able to recommend additional policies & procedures or modifications to existing policies that have been or need to be created.

Security Policy and Procedure Creation

For organizations that do not currently have any security policies in place, CyberGRC can assist in the creation of foundational security policy and procedures applicable to the business and operational needs of a network. This can also be done with respect to any compliance regulations governing the organization’s business model.

Risk Management

CyberGRC security risk management experts work with you to assess your information security policies, processes, and technologies to identify weaknesses, categorize security risks, and recommend improvements. Our Security Risk Analysis and Assessment service helps fortify your environment and improve compliance with industry regulations by providing a comprehensive assessment of each important aspect of your security program including:

  • Internal and external controls
  • Policies & procedures
  • Gaps vs. regulations and best practices
  • Vulnerabilities & threats

Disaster Recovery / Business Continuity

CyberGRC has become a leading provider of continuity planning services and consulting to the government and private sectors. CyberGRC develops procedures that address and document the steps for responding to a crisis event, recovering operational capability and resuming critical business functions, and eventually restoring all functions to “business as usual”.

The key to our success is the ability to provide customers with unparalleled project management and planning facilitation services combined with our powerfully equipped web based planning system. Utilizing these strengths, CyberGRC has been able to successfully train countless government agencies and corporate enterprises through the process of designing, developing, and maintaining their continuity plans.

Using lessons-learned and client feedback to continually improve our planning and project management approach, CyberGRC has established a proven method of leading organizations through the continuity development process more efficiently and intuitively than other available alternatives.

CyberGRC is capable of managing continuity projects of all types and sizes and can provide planning services which include staff training, plan development, meeting facilitation, and on-going plan development support. By selecting a customer-service focused company like CyberGRC with a proven web-based planning tool, our projects are guaranteed to be completed on time, on budget, and in a successful manner.

Digital Forensics / Incident Response

The CyberGRC security teams chose to prepare ahead of time for a digital breach. If you operate a large network, you may not be able to buy perfection but you can certainly buy protection. It’s common knowledge among IT professionals that there is no silver bullet to completely protecting your network. The rule of thumb is to do everything you can to provide the best environment possible and run the best available software and somehow keep it all up to date and secure. To further complicate things, most networks are designed by individuals who do not necessarily have the proper cyber-security expertise to secure the environment. In this situation, an industry best strategy is to always operate from a perspective that there will eventually be a breach.

According to 2014 breach reports, the majority of reported data loss events actually took place externally and are usually due to the same mistakes made over and over. It’s not that IT people want to leave their networks open to vulnerabilities but, due to many factors outside their control, it regularly happens. Once a breach occurs, having white hat hackers on your team will prove to be an invaluable asset. CyberGRC can help plan ahead, during and after a breach. Some factors CyberGRC will address with you are breach identification, isolation, archiving for legal, data preservation, malware removal, restoring service, computer forensics, electronic evidence, federal agency communication and, if necessary, a board response.

With risk increasing every day, customers face data loss from both internal and external threats. This is fueled by the inter-networking technologies such as web apps, mobile apps and overall network complexity. Traditional thought process around protection must change to the perspective of the black hat.

Expert Testimony & Reporting:

CyberGRC experts often serve as expert witnesses or a special master in post-breach litigation.

Hard Drive Analysis:

Utilizing our methodologies, we’ll locate and document the digital footprint of a breach and prepare a report for your management, shareholders or federal agencies.

Data Collection:

The typical breach is often discovered after many months of data loss, with sometimes many hundreds of persistent malware connections being used. It can be a daunting task to collect this data adequately, so our team will use best practices regardless of the size and complexity of the breach.

Data Preservation:

In the event of an investigation or litigation, CyberGRC offers cost-effective and defensible methodologies and solutions to identify and preserve electronic data.

Data Recovery and Forensic Analysis:

Whether data was deleted or manipulated on purpose or by accident, CyberGRC’s digital forensics experts analyze the digital clues left behind to quickly and defensibly uncover critical information.

Cyber Crime Investigation:

We examine physical and digital evidence to uncover what did or did not happen, using CyberGRC’s combination of computer forensic expertise and traditional investigative techniques.

Network Forensics:

Forensics assessment of network appliances for evidence of intrusion or undue activity.

Rootkit Detection:

Detection of rootkits, backdoors, Trojans, etc. for forensic purposes.

Virus / Malware Outbreak:

Onsite malicious code detection, clean up, and incident management.

Physical Security

Video Surveillance

CyberGRC Networks has done video for casinos, enterprises, airports, prisons, military, and innumerable others.

Facial Recognition

CyberGRC has been reporting and presenting on Facial Recognition for over 6 years. We’ve talked about it at the biggest Information Security conferences in the world. We can discuss it with you.

How could someone break into your facility?

Video Analytics

Need to find out how many people are in videos? Or unattended package detection? Machinery not working correctly at a remote site that needs to be inspected?

Forensics for Video

Did someone delete video the lawyers need?

Access Control and Biometrics

If it locks, we can pick it or build it better.