Penetration testing (ethical hacking or pen-testing) is the practice of testing a computer system, network, or application to find and exploit vulnerabilities that an attacker might target in the field. The main objective of a penetration test is to determine security weaknesses in systems and to exploit these weaknesses to determine if a system is vulnerable to external attacks or threats.
EXTERNAL NETWORK RISK ASSESSMENT
SLI Compliance will perform a port scan of supplied IP addresses, followed by an attempt to exploit any vulnerabilities found. Exploits that are known to either cause a denial of service, be non-reversible, or leave the affected devices more vulnerable to an unauthorized attack than they were when SLI Compliance started, will not be attempted.
- Verify the security of outward facing services allowed by the firewalls.
- Attempt to gain access via discovered vulnerabilities.
- Enumerate and/or scan what is on the other side of any firewalls if sufficient access / information is acquired.
APPLICATION PENETRATION TESTING
SLI Compliance thoroughly examines all aspects of a modern election infrastructure application by combining a dynamic penetration test with the depth of source code analysis. The dynamic penetration analysis includes back-end APIs and mobile components, which allows SLI Compliance to become intimately familiar with the solution from the ground up. This familiarity allows understanding of where the application may be vulnerable to an attack. The code review analysis allows SLI Compliance to dive deeper into an application from a development stance. This approach results in the ability to test for a broader range of vulnerabilities and provide higher confidence results.
Application Penetration Testing helps to:
- Ensure data and functionality is protected from unauthorized access, malicious use, and subversion.
- Find business and logic flaws that regular testing cannot find.
- Verify whether issues identified in the Source Code Review are “real world” exploitable.
PHYSICAL PENETRATION TESTING
The central intention of a physical penetration test is to assess the depth of existing physical security controls and expose their flaws before an attacker can discover and exploit them. Testing helps to reveal real-world opportunities for malicious insiders or bad actors to be able to compromise physical security controls in such a way that allows for unauthorized physical access to sensitive areas of election technology.
- Examination of election solution physical security controls.
- Overall physical system design and implementation analysis for election specific hardware solutions.
- Analysis of ballot storage containers and ballot boxes to confirm secure storage and transfer of ballots.
EXTERNAL PENETRATION ASSESSMENT
During the External Penetration Assessment, SLI will validate the vulnerabilities found during the vulnerability scanning. Unlike the vulnerability scans, the penetration testing is mainly a manual process of evaluating the security of your election system / solution by simulating an attacker. This process involves an active analysis of your system for any weaknesses, flaws, or vulnerabilities. SLI Compliance will manually probe the target host for common misconfigurations or flaws because a vulnerability scanner can fail to identify certain vulnerabilities.