types_of_pentest.md

File metadata and controls

89 lines (33 loc) · 6.2 KB

14 types of pentest

Network Penetration Tests

  • Network penetration tests are used to evaluate the susceptibility of information systems to network attacks by identifying and exploiting weaknesses found in networks, hosts, and devices to help assess the level of risk posed by specific vulnerabilities in accordance with PTES and PTES-TG.

Web Application Penetration Tests

  • Web application security testing is focused on evaluating the security of a web application. The process involves an active analysis and exploitation of the web application for any weaknesses, technical flaws, or vulnerabilities in accordance with the OWASP Testing Guide 4.1.

Software or Application Penetration Tests (including Mobile Applications and APIs)

  • Software application testing is focused on evaluating the security of internal software applications. White box testing is generally used during the development phase to find and remediate flaws in the application prior to deployment. Software testing generally relies on reverse engineering techniques.

Social Engineering Tests

  • Social engineering testing is focused on evaluating the human aspect of the organization or agency. Social engineering testing is a way to test the organizational security awareness training program through means such as email phishing or other social or non-technical means.

Wireless Network Penetration Tests

  • Wireless network penetration tests are used to evaluate the susceptibility of the Agency’s wireless information network. This pentest focuses on wireless network components, including but not limited to access points, Internet of Things (IoT) devices, and hosts. It helps to assess the level of risk posed by specific vulnerabilities in accordance with PTES and PTES-TG.

Physical Penetration Test

  • The primary objective of a physical penetration test is to measure the strength of existing physical security controls and uncover their weaknesses before bad actors are able to discover and exploit them. Physical penetration testing, or physical intrusion testing, reveals real-world opportunities for malicious insiders or bad actors to compromise physical barriers (e.g., locks, sensors, cameras, mantraps) in a way that allows unauthorized physical access to sensitive areas, leading to data breaches and system/network compromise.

Incident Response Penetration Test

  • This test is performed at the request of the Incident Response Federal Lead or the Information Security (IS) Division Directors, with approval from the GSA CISO, in response to an identified incident on an external-facing web application. Incident response penetration tests utilize the SANS TOP 25 and can be either authenticated or unauthenticated. The test can include the specific exploits that were observed during the incident. Additionally, internal testing may be done to determine the extent of the incident.

Phishing

  • Phishing testing is performed regularly agency-wide by the Security Operations Division (SecOps). GSA currently uses CoFense, but any other tool can be used. Phishing emails are sent to randomly selected GSA federal employees and contractors. At the request of the associated Federal Information Security Management Act (FISMA) system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) or the GSA CISO, a phishing attack can be designed and carried out against any provided end users and admin-role GSA users. At the end of the attack a report is provided that demonstrates the success of the attack and identifies the users who were successfully phished.

Network Stress Testing

  • Stress testing is a procedure to find out whether a computer, application, device or the entire network can withstand high loads and remain operational. A stress test can be a simulation of an adverse condition that takes a system down or at least decreases its performance. These types of tests are recommended for any component on the GSA network. This type of test is not recommended for any Amazon Web Services (AWS) component without prior AWS approval.

Cloud Penetration Testing

  • This type of penetration test takes place in the cloud environment. During the test, the penetration tester reviews cloud security configurations as well as the systems, web apps and other components associated with the cloud environment.

Serverless Penetration Testing

  • This form of penetration testing applies to applications that run on serverless providers such as AWS Lambda and Google Cloud Functions. It focuses on the new perspectives and vulnerabilities of a serverless environment, such as Hypertext Transfer Protocol (HTTP) Application Programming Interfaces (APIs), messages, cloud storage, and IoT devices, including the protocols used by these components. Taking into consideration the attack surface complexity and overall system complexity, testing is performed based on the OWASP Serverless Top 10.

Red Team/Blue Team (Purple Team) Testing

  • Purple teaming is a security methodology whereby red and blue teams work closely together to maximize cyber capabilities through continuous feedback and knowledge transfer.

OSINT Assessment

  • Open-source intelligence (OSINT) is a highly diverse form of intelligence collection and analysis of data collected from overt and covert sources, used in an intelligence context by executives to make proactive decisions based on the imminent risks facing the organization at a tactical and strategic level. An OSINT assessment may include active scanning for sensitive domain data on the darknet, as well as listening for darknet chatter about upcoming attacks, which assists executives in long-term strategic decision making. OSINT may also include passive techniques, such as using web crawlers like Google's search indexing engine to identify accidental data/vulnerability exposure on the internet, as well as organizational threat discussions on social media.

Business Logic Assessment

  • Business Logic Assessments (BLAs) are manual assessments of application security weaknesses that cannot be tested effectively in an automated manner. BLAs consist of reviewing internal policies and procedures and applying them to an application's business logic to identify and limit risk factors to the Agency.
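To make concrete what a business logic weakness looks like, and why automated scanning misses it, here is an added example; it is not GSA's code and not part of the original page. It assumes a hypothetical storefront endpoint that computes an order total server-side under three business rules: quantities must be positive integers, a coupon may be applied once per order, and only known SKUs and coupon codes are accepted. The naive total accepts any well-formed request, so every response looks normal to a scanner; `audit` returns the rule violations a BLA reviewer would record, and the hardened total enforces them before doing any arithmetic. All prices, coupons and requests are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample data for the hypothetical storefront (not real GSA data).
PRICES = {"laptop": 1200.00, "dock": 150.00}   # sku -> unit price
COUPONS = {"WELCOME10": 0.10}                  # code -> discount fraction


@dataclass
class Order:
    """One order request as the API would receive it: sku -> quantity, plus coupon codes."""
    items: dict
    coupons: list = field(default_factory=list)


def total_vulnerable(order: Order) -> float:
    """Naive total that trusts the request. Every field is syntactically valid,
    so an automated scanner sees a 200 OK and flags nothing, yet a negative
    quantity lowers the bill and a repeated coupon stacks its discount."""
    subtotal = sum(PRICES.get(sku, 0.0) * qty for sku, qty in order.items.items())
    for code in order.coupons:
        subtotal -= subtotal * COUPONS.get(code, 0.0)
    return round(subtotal, 2)


def audit(order: Order) -> list[str]:
    """Return the business rules the request violates: the findings a manual
    business logic review records, independent of any technical flaw."""
    findings = []
    for sku, qty in order.items.items():
        if sku not in PRICES:
            findings.append(f"unknown sku {sku!r}")
        elif type(qty) is not int or qty <= 0:
            findings.append(f"quantity for {sku} must be a positive integer, got {qty!r}")
    for code in sorted(set(order.coupons)):
        if code not in COUPONS:
            findings.append(f"unknown coupon {code!r}")
        elif order.coupons.count(code) > 1:
            findings.append(f"coupon {code} applied {order.coupons.count(code)} times")
    return findings


def total_hardened(order: Order) -> float:
    """Same calculation with the business rules enforced before any arithmetic."""
    findings = audit(order)
    if findings:
        raise ValueError("; ".join(findings))
    subtotal = sum(PRICES[sku] * qty for sku, qty in order.items.items())
    for code in order.coupons:
        subtotal -= subtotal * COUPONS[code]
    return round(subtotal, 2)


if __name__ == "__main__":
    negative_qty = Order({"laptop": 1, "dock": -8})        # constructed abusive request
    stacked = Order({"laptop": 1}, ["WELCOME10"] * 3)     # constructed abusive request
    print(total_vulnerable(negative_qty), audit(negative_qty))
    print(total_vulnerable(stacked), audit(stacked))
```

The point of the split between `audit` and `total_hardened` is that the rules live in one place a reviewer can read against the written policy; a BLA is exactly the exercise of checking that each documented rule has a corresponding enforcement point in the code.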