Foo Lion Information Security
Foo Lion|InfoSec offers two categories of services: penetration testing (pen testing, or red teaming) and advanced persistent threat (APT) level analysis. At present, we are contractually obligated to a single client, and cannot perform work for pay for additional clients. However, we are at liberty to perform pro bono work, and we wish to keep our minds and tools sharper than a single statement of work allows, so please contact us if you are interested in a consultation to see what services we can provide for you at no cost. This applies to commercial and not-for-profit organizations.
Pen testing, a.k.a. red teaming or tiger teaming, applies an attacker's mentality to the risk assessment of your hosts, networks, applications, and even your buildings. Each of these targets can be tested in isolation, but the greatest value comes from having them tested together as a whole. Pen testing will reveal how attackers are infiltrating your systems, and how they may exfiltrate data from your business.
Prior to an assessment, our assessors will meet with your CISO, CTO and/or CIO to establish the bounds within which the testing will occur: dates, times, subnets, hosts, buildings, etc. that are off limits, and whether data and hardware may only be flagged as compromised (e.g. by creating a new record in your database or labeling with a sticker) or may actually be exfiltrated or mirrored. We will also establish which of your IT focals will be forewarned of the testing. Some companies prefer a true black hat operation, while others opt for an exercise pitting their IT teams against ours to demonstrate readiness and capability, provided that an attack is detected.
After an assessment is concluded, our team will host a half-day or full-day seminar for managers and executives on our own techniques, how to think like a black hat hacker, and how to build security into your systems and products while mitigating the risks we’ve identified.
Advanced persistent threats (APTs) are those intentions and actions against a target that threaten network, host, and application integrity over time, backed by significant resources (advanced skills, significant funding, broad teams, etc.).
A recent report (Alperavitch, 2011) revealed that “70+ global companies, governments and non-profit organizations” were successfully targeted through an advanced persistent threat (APT) by a single aggressor over the preceding five years. This includes only the targets that were definitively identifiable by McAfee’s careful logging and analysis on the hosts they were able to secure. If you think your industry is not a target, or that your company is too small to fall victim, or that your defenses are strong enough, please read Alperavitch’s whitepaper.
APTs are typically not reported in the media, or even to other organizations within a victim's company. However, APTs are frequently falsely reported when a relatively unskilled hacker haplessly finds low-hanging fruit and takes down a large company's mail server, or disrupts services to customers.
Foo Lion will assess your company's threat level with respect to APTs based on a thorough pen test and a risk analysis based on the value of your company's data (proprietary data and customer data), and will describe what types of attackers may target your business.
Is it Safe?
Let’s clarify the question: can we be trusted with your data and systems? Absolutely. We have a perfect track record of ethical behavior. None of our assessors has stepped outside the law, and many of us have active secret clearance through the Department of Defense. You can rest assured that we will respect your data and property, and that we’ll treat your business as a partner in building security.
However, while pen testing offers great insights into your business’s security weaknesses, it is not without its risks. Pen testing development and pre-production environments introduces artifacts into the findings, and necessarily prevents assessors from accessing the real targets, i.e. your production systems, as attackers do. Further, where intrusion detection systems and reactive intrusion prevention systems (IDS/IPS) aren’t perfectly mirrored in pre-prod systems their effectiveness cannot be accurately assessed.
What’s Right for Your Business?
New clients typically first choose a pen test over a weekend, or a few nights, just after deploying new services or adding new infrastructure. Through this, we help them ensure compliance with best practices and effective IDS/IPS configuration, and identify weaknesses in their logical and physical security. In addition to our half-day and full-day seminars, many new clients also request security design training for developers and testers, as well as infrastructure technicians.
Most clients then work out a schedule with us for repeat pen tests (following their roadmap for deploying new services and infrastructure), and also arrange for some level of APT analysis. Typically, APT analysis is performed between the pen tests, and reported on quarterly.
How Do I Get Started?
Browse to our contact page <link> if you have preliminary questions, or request <link to form> an in-person visit at your offices, ours, or at a security conference of your choice <link to list of upcoming conferences>.
Alperavitch, D., (2011). Revealed: Operation Shady RAT. McAfee Whitepapers. Retrieved from http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf