Internal Infrastructure and Internal Web Application Assessments typically involve a Pentest People consultant attending the client’s premises, connecting their laptop and security toolset to the network, and performing a series of automated and manual tests to identify software and configuration vulnerabilities. However, there are often situations where it is inconvenient or even impossible for a consultant to be onsite, such as highly secure data centres that forbid external entities from accessing hardware, or client locations that are geographically difficult to reach.
In order to facilitate a service for these situations, Pentest People have developed a solution that provides the same level of internal access without the need to have a consultant on the client site to perform the required assessment. This solution is called SecureGateway and this can be delivered either as a standalone appliance or a downloadable VMWare image.
The SecureGateway appliance is a small but powerful remote access server that allows Pentest People consultants to perform their assessment remotely. Its small form factor is convenient for transportation to client locations, and its automated processes do not require any configuration by the client. All that is required is a standard 10/100/1000 Ethernet port and a DHCP server to allocate an IP address.
Once attached to the client’s network, the device establishes a secure encrypted connection to Pentest People’s ISO27001 accredited Security Operations Centre, whilst introducing minimal risk to the client’s internal or external infrastructure.
- Allows Pentest People to perform an infrastructure test remotely without an engineer on site
- SecureGateway creates a secure outbound connection back to our Security Operations Centre
- All data collected during the assessment is held securely at our ISO27001 Security Operations Centre
What Assessments Can Be Performed With SecureGateway?
Internal Infrastructure Assessments traditionally rely upon an engineer being onsite at the client’s location for the duration of the assessment.
In an Internal Infrastructure Assessment, SecureGateway provides the Pentest People consultant with an in-band secure network connection that provides the same security toolset required to perform the assessment that the consultant would normally bring to site with their laptop.
This allows the consultant to perform the infrastructure assessment as if they were sat within the client’s location and connected to the client’s network.
Web Application Assessments
Web Application Assessments are usually performed externally; however, we also perform assessments on applications that are internal to an organisation.
In these cases we usually have to send a Web Application Security Consultant to a client’s site where the application is tested from within the client’s network.
SecureGateway can be used by a client to provide a secure in-band connection for the Pentest People consultant.
With this connection, the consultant can configure a secure proxy so that all of the testing can be performed from a remote location as if the consultant was physically connected to the client’s network.
What are the Risks?
Pentest People are aware of the risks involved in adding a new device to your corporate network, which is why we have established a series of technical and administrative controls to mitigate the risk to the client’s infrastructure when using the SecureGateway device.
The device establishes an encrypted SSH connection to Pentest People's ISO27001 compliant Security Operations Centre, with authentication handled by public/private key pairs rather than passwords. This configuration mitigates the risk of data being intercepted and/or modified in transit, and mitigates the risk of automated wordlist attacks against the SSH endpoint.
The device does not advertise any services on the client's network. To administer the device manually, Pentest People consultants either access it remotely via the device's outbound SSH tunnelled connection or, with physical access, use a standard keyboard and mouse.
The local accounts configured on the device (used by Pentest People's consultants to perform testing) use a strong password methodology rather than weak passwords, ensuring that the hashes can withstand offline cracking techniques should they be compromised, and that any attempt to brute-force services is unlikely to succeed.
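The three controls described above (outbound-only SSH, key-based authentication, no password-based login) map onto a handful of OpenSSH server directives. The following is an added example, not Pentest People's own appliance configuration: it audits an `sshd_config` text against that baseline and shows the shape of the outbound reverse tunnel a device would use so that consultants can reach it without any service being advertised on the client network. The two sample configurations are constructed for the example, and the hostname, user and key path in the tunnel command are placeholders.

```python
"""Audit an OpenSSH sshd_config against a key-only, no-password baseline.

Constructed example for illustration; the directive names are real OpenSSH
keywords, but the chosen baseline is an assumption, not a vendor's config.
"""
import re

# Constructed sample: a default-style sshd_config that still allows passwords.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
#PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
X11Forwarding yes
"""

# Constructed sample: key-only authentication, no root login, no interactive fallback.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
AuthenticationMethods publickey
X11Forwarding no
"""

# Required settings: keyword (lower-case) -> required value.
REQUIRED = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",
    "challengeresponseauthentication": "no",
    "permitrootlogin": "no",
}


def parse_sshd_config(text):
    """Return {keyword: value} for active directives.

    Comments and blank lines are skipped. sshd honours the first occurrence of a
    keyword, so the first value seen is kept and later duplicates are ignored.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the baseline is met.

    A keyword that is absent is reported when the baseline wants 'no', because
    OpenSSH defaults (e.g. PasswordAuthentication yes) are more permissive than
    the baseline. PubkeyAuthentication defaults to yes, so its absence is fine.
    """
    settings = parse_sshd_config(text)
    findings = []
    for key, want in REQUIRED.items():
        have = settings.get(key)
        if have is None:
            if want == "no":
                findings.append(f"{key} not set explicitly; OpenSSH default applies")
        elif have.lower() != want:
            findings.append(f"{key} is {have}, expected {want}")
    return findings


def reverse_tunnel_argv(soc_host, device_user, key_path, remote_port=2222):
    """Build the argv for an outbound reverse tunnel (device -> SOC).

    The device connects out to the SOC and asks it to forward remote_port back
    to the device's local sshd, so nothing listens for inbound connections on
    the client network. Host, user and key path are placeholders here.
    """
    return [
        "ssh", "-N",
        "-i", key_path,
        "-o", "BatchMode=yes",               # never fall back to a password prompt
        "-o", "StrictHostKeyChecking=yes",   # refuse unknown SOC host keys
        "-o", "ExitOnForwardFailure=yes",
        "-o", "ServerAliveInterval=30",
        "-R", f"{remote_port}:127.0.0.1:22",
        f"{device_user}@{soc_host}",
    ]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
    print(" ".join(reverse_tunnel_argv("soc.example.invalid", "gateway", "/etc/gw/id_ed25519")))
```

Running the block reports four findings against the weak configuration and none against the hardened one; the tunnel command is printed only to show its shape, as it would need a reachable SSH endpoint and a provisioned key to run.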
Following an assessment, the results are securely transferred from the device via SSH and securely uploaded to SecurePortal. The device's image is then deleted with an industry-standard 'zero overwrite' and replaced with the default image build ready for the next assessment. This ensures that client data is securely destroyed and cannot be retrieved from the device should it be lost or stolen.
All software installed on the device (including the operating system) is fully patched during the installation of a new build image following an assessment. This mitigates the risk of software vulnerabilities that could be exploited by an attacker to elevate privileges.
The device is further locked down to ensure that it is secure on the client's network and follows industry-leading security standards.
Advantages of SecureGateway
There are many advantages to using SecureGateway.
At present, there is a lockdown within the United Kingdom due to COVID-19 that is restricting the travel of our consultants. By utilising SecureGateway, Pentest People can still perform an internal assessment without requiring a consultant to be onsite.
Using SecureGateway can reduce the cost of an engagement as there are no travel expenses incurred by Pentest People which would be recharged to the client.
SecureGateway also saves the time that would otherwise be spent travelling, so clients pay purely for testing time rather than consultant travel time.
Understand how the SecureGateway can bring you all the benefits of a standard Penetration Test.
- Your Penetration Test can be completed without the need for a consultant to attend your site
- SecureGateway can either be delivered as a VMWare Virtual Machine Image or a shipped Standalone Network Appliance
- Automatically creates a secure channel to the Pentest People Security Operations Centre allowing a consultant to access your appliance remotely
- Your test through the SecureGateway will still allow all the benefits of the SecurePortal
When using SecureGateway, all of the data is stored at the Pentest People ISO27001 compliant Security Operations Centre where it is analysed and then uploaded to SecurePortal in the same way as it is when performed manually by a consultant.
There is no further risk to the client's data by using SecureGateway.
SecureGateway allows Pentest People to perform Internal Infrastructure & Web Application Penetration Tests, where both are performed without the need to visit the customer site.
An assessment performed utilising SecureGateway does not differ from one where the consultant is onsite at the client's location. The consultant's toolset is identical and the methodology is common across both assessment types. The service and deliverables from the assessment will be to the exact same standard and procedure as a service in which the consultant comes to your company's premises.
If you have an existing VMWare server infrastructure that can provide the required network visibility to the devices being tested, then it is easier to use the VMWare image, as this can be downloaded over a secure one-time link and be up and running within your infrastructure very quickly.
If you do not have a VMWare server, or the server is in a protected network segment, then the standalone network appliance is recommended.