Penetration Tests

Agio’s penetration testing experts evaluate the security of your IT assets from the vantage point of a malicious hacker. More targeted than vulnerability assessments, pen tests are designed around a specific goal – to access and compromise protected resources.

More than just a scan, our penetration tests are performed using both automated tools and manually by a team of talented security engineers who operate with the highest level of integrity and professionalism. We will show you what we did and how we did it – scanning for vulnerabilities, enumerating attack vectors, and running exploits. All of your results are provided in our reports. Then we recommend remediation such as software patches, configuration changes, and other fixes.

Regular penetration testing is an essential part of network security and should include all potential threat vectors, including external, internal, cloud, and wireless.

External Penetration Testing

This testing assesses the security of externally facing IT assets for an organization. After discovering potential vulnerabilities and gaps, we attempt to access the internal network and capture sensitive data.

Cloud Security Penetration Test

Agio Healthcare helps navigate the complexities of conducting penetration testing of your cloud instance. This generally involves close collaboration between you, your cloud provider, and the pen tester.

Internal Penetration Testing

Testing efforts begin with the assumption an attacker has already gained access to the internal network. Once inside, the pen tester determines how easy or difficult it is to move laterally through the network and exfiltrate confidential information.

Wireless Penetration Test

This testing assesses the protocols, access points, technical flows, and policies to determine the security of private and guest Wi-Fi networks. Tactics include sniffing, brute-forcing, and session hijacking.

With the proliferation of software-as-a-service (SaaS) offerings, interconnected web applications, mobile apps, and APIs, a strong application security program in healthcare organizations is more important than ever.

Web Applications

Agio Healthcare’s application assessment methodology is guided by the OWASP Top Ten Lists of web application and API vulnerabilities. To protect against data theft, ransomware, and other threats, continuous application security testing has become indispensable to ensuring security, confidentiality, and availability.

Software Development Lifecycle Review (SDLC)

Software development life cycle frameworks define the process that organizations use to build applications from start to finish. It is invaluable to “build-in” security controls during the application development process by adhering to best practices, adding security reviews at each stage of development, and full testing prior to release.


Mobile Applications

While sharing many of the potential vulnerabilities of web applications, mobile application penetration tests focus even more on client-side security, file systems, hardware, and connectivity. In recent years, mobile devices and apps have also emerged as frequent targets for phishing schemes and harmful malware.

People continue to be the least secure “endpoint” in most organizations. In fact, no matter how strong your security technology protections and compliance policy controls, no program can truly be effective without a “cyber aware” workforce.

Here are some of the customized training, testing services, and simulated attacks we offer:

Phishing

The most frequent type of social engineering attack, phishing, is generally described as sending a fake email to a person, group, or company. Fake attachments or bogus links can infect computers and networks with dangerous viruses and malware, such as ransomware.

Vishing

Vishing attacks rely on phone calls, direct lines, or auto-dialers, and may even involve infiltrating or imitating an interactive voice response (IVR) system.

Targeted Pretexting

Most often, this involves a scripted scenario such as convincing the target to dial into a phony help desk/call center or log in to an online meeting. Pretexting can also be used in person to gain access to a secure facility by using a fake ID, employee badge, or business card.

Tailgating

Accepting the help of an authorized person to gain access to a restricted area where a sign-in or other security checkpoint is present.

Security Awareness Training

With onsite training and 24/7 access to a full library of courseware, we provide customized social engineering programs that enable you to test your employees in context and measure their results over time.


Spear Phishing

Spear phishing is a more targeted phishing attack, often directed at senior-level executives, corporate departments, or specific individuals within an organization.


Smishing

Smishing refers to fake requests, messages, links, or attachments sent by SMS text.

Baiting

Using digital device giveaways (such as USB drives) infected with viruses, “call home” applets, or other malware.

OSINT

Open source intelligence gathers information (both publicly available and from the dark web) on employees or executives to inform our social engineering campaigns and provide further protection for your organization.