Penetration Testing

The OCIO's ISSLOB Services help you protect your network and applications

OCIO's ISSLOB Penetration Testing team provides a real-life snapshot of your security controls' effectiveness.  OCIO’s professionals are experts in the latest attack methods and techniques used to exploit information systems. Our team attempts to break into your network to find vulnerabilities before attackers do. This unique process identifies vulnerabilities and threats; tests the reaction and identification capabilities of your agency; and provides a measurement of continuous improvement.

Why Do I Need This Test?
Penetration testing is a controlled attack simulation that helps identify susceptibility to application, network, and operating system breaches. By locating vulnerabilities before the adversaries do, you can implement defensive strategies to protect your critical systems and information.

What Does Penetration Testing Actually Test?

OCIO ISSLOB performs both black box--no knowledge--and white box--with knowledge and/or privileges--Penetration Testing.   Assessments include:

• Web Application Vulnerability Assessment – These assessments focus on the security of Web-based applications by attempting to exploit faulty application logic. Fixes and approaches are recommended that will increase the security of the application, host server, and network.
• External Network Vulnerability Assessment – These assessments focus on the security of the net-work perimeter. They check the effectiveness of firewalls, routers, intrusion detection systems, operating systems, and services available to the Inter-net or untrusted networks.
• Internal Network Vulnerability Assessment – These assessments apply to the security of your internal networks and systems. They mirror actual at-tack scenarios launched from an internal source or gauge the extent to which an external attacker could roam through internal networks. This test can also check the security of your wireless LAN infra-structure.
• Wireless Assessment – This type of assessment identifies vulnerabilities in wireless 802.11 based networks through a process called war walking.  Once misconfigured or rogue access points are located, further attempts are made to connect to the network and leverage vulnerabilities.
• War Dialing – This type of assessment identifies vulnerable modems by dialing a predetermined set of numbers. Once an active modem is located, at-tempts are made to identify the service and penetrate the system.

What Is the Procedure for a Penetration Testing Test?

Our security professionals have a written methodology that is constantly updated with new techniques and vulnerabilities. The attack scenario often begins with passive probing to provide a map of the target network, and then progressively escalates. Configuration weaknesses and vulnerable systems are exploited to gain unauthorized or privileged system access. Throughout the test, ISSLOB works with you to identify appropriate target systems and to keep you up to date on the attack's progress. A brief summary re-port provided on the last day of testing identifies all discovered vulnerabilities and the affected systems.

Results

OCIO’s Penetration Testing team can perform a realistic hands-on simulated attack of your network and applications. We will not only find out where the holes in your systems are, we will also determine how good your current intrusion monitoring devices are at recognizing and re-porting the attack. With the results of our tests and recommendations, you can optimize your agency’s security stance and be confident that your network will resist malicious intrusions. We don't just identify problems-we help define a solution balanced around your business objectives.

Rapid Engagement

No separate contract is required. 
No sole source justification is required.

The OCIO ISSLOB COE is positioned to provide Assessment and Authorization (A&A) services to DOI and federal government agencies.  As an OMB designated ISSLOB, work is initiated through an Inter-Agency Agreement (IAA) with the Interior Business Center Line of Business. 

The IAA will reference an agreed upon Memorandum of Understanding, with supporting Proposal, Statement of Work and Rules of Engagement documents.  Authority Under Which A&A is Provided:  Economy Act – 31 USC 1535 and Working Capital Fund, 43 USC 1467, 1468.