Implementing FairCo's Base Methodology


FairCo's base methodology is modified in accordance with each client's business and operational requirements and encompasses the following procedures:

  • Strategic Reconnaissance
  • Vulnerability Identification
  • Penetration Testing
  • Vulnerability Validation

We begin the process with Strategic Reconnaissance (aka Casing). Strategic Reconnaissance enables FairCo to quickly learn about the target infrastructure's technology, services, versions, supported protocols, security technologies, etc. It includes, but is not limited to, port scanning, banner grabbing, network mapping, operating system fingerprinting, and firewall ACL discovery.

Once the Strategic Reconnaissance phase is complete, FairCo moves into the Vulnerability Identification phase. Vulnerability Identification involves correlating information discovered about the network against known vulnerabilities and other intelligence that FairCo has at its disposal. Any successful correlations will be recorded and analyzed more deeply at the conclusion of the engagement.

If the client chooses Penetration Testing, FairCo will move from the Vulnerability Identification stage to the Penetration Testing stage. Penetration Testing involves the actual exploitation of correlated vulnerabilities. If penetration testing against a particular target is successful, the client can optionally have FairCo perform Distributed Metastasis.

If the client chooses to opt out of Penetration Testing, then FairCo will move into the Vulnerability Validation stage. The Vulnerability Validation stage is not required if penetration testing has been done, as penetration tests validate the existence of vulnerabilities.

The Vulnerability Verification stage is a strictly hands-on stage where FairCo's security professionals manually validate any correlated vulnerabilities, which eliminates false positives. FairCo's security professionals will also dig deeper into systems to uncover any false negatives, or missed security issues.

At the conclusion of the testing, FairCo will produce a detailed, actionable report with effective methods for remediation. If a client implements the recommended fixes within a 30-day period, FairCo will re-evaluate the network to ensure that the fixes resolved the discovered security issues.

