Penetration Testing Services
We deliver proactive identification and exploitation of vulnerabilities across applications and networks to produce actionable guidance to improve your security posture.
What is Penetration Testing?
Penetration Testing – also known as pen testing – evaluates the security controls of applications and infrastructure using the same tactics, techniques and procedures (TTPs) that attackers may use to identify and exploit vulnerabilities. The objective of testing is to identify vulnerabilities and deviations from security best practices that can result in unauthorized access and compromise of sensitive data or systems. Results from testing are provided to clients with action points to help improve the overall security posture and harden environments against attack.
Penetration Testing: The Why and When
Explore the research and data points below to learn more about why penetration testing can be an important value-add for organizations at time of rising cyber security risk:
New software vulnerabilities disclosed annually. (01)
Increase in cost to remediate vulnerabilities if discovered in production vs. in the requirements/architecture phase. (02)
Average cost of a data breach in the U.S. (3)
Applications, networks and employees create a significant attack surface for an organization’s environment. More recently, with the increasing adoption of a remote workforce and new technologies, including cloud computing, the Internet of Things and blockchain, the attack surface has significantly grown at many businesses. It is critical that organizations perform penetration testing to help identify vulnerabilities and deviations from best practices.
How Aon Can Help
Application Penetration Testing
Application Penetration Testing helps an organization determine whether their websites, APIs, thick clients and other custom applications are resilient to application-specific attacks and vulnerabilities, including those outlined in the OWASP Top Ten, OWASP Code Review Guide, CWE/SANS Top 25 Most Dangerous Software Errors and others.
Manual penetration testing techniques are supplemented with a blend of tools and methodologies — proprietary, open-source and commercial — to help identify vulnerabilities within applications. Testing is performed from the perspective of both unauthenticated and authenticated users across various application roles. Our testing services include:
Dynamic Application Penetration Testing. The Aon team tests a running instance of an application for vulnerabilities including:
- Injection vulnerabilities (cross-site scripting, SQL injection, command injection, etc.)
- Sensitive data exposure and cryptographic failures
- Broken access control
- Authentication failures
- Security misconfigurations
- Vulnerable and outdated components
- Security logging and monitoring failures
- Application / business logic flaws
Secure Code Review. The Aon team reviews source code and configurations of web and mobile applications, APIs, thick clients, firmware, operating systems and more. Our methodology incorporates checks using a variety of industry standards and best practices. When a vulnerability is identified, the codebase is searched for additional occurrences and similar patterns. Secure code reviews can help organizations identify systemic security vulnerabilities and root causes in source code developed during the software development lifecycle (SDLC), enabling development teams to catch vulnerabilities sooner, before they are exploited by attackers.
Hybrid Application Penetration Testing. This is a combination of Dynamic Application Penetration Testing and Secure Code Review techniques. Clients benefit from having both a live running instance of the application to develop proof-of-concept exploits and source code to pinpoint root causes. These assessments allow for broader and deeper coverage — along with a higher degree of confidence in the vulnerabilities discovered.
Mobile Penetration Testing
Aon performs Mobile Penetration Testing for iOS and Android devices and applications. This testing is guided by the OWASP Mobile Top 10 and extends Aon’s Application Penetration Testing methodology. Mobile application penetration testing activities include identifying vulnerabilities in server-side APIs that the mobile applications communicate with, as well as identifying client-side vulnerabilities in the mobile applications themselves (e.g., improper use of mobile platform security controls, insecure storage of sensitive data on the mobile device, weak client-side security controls, etc.). Aon can employ a combination of static and dynamic analysis using manual testing techniques supplemented by proprietary, open-source and commercial tools.
Network Penetration Testing
Network Penetration Testing focuses on identifying vulnerabilities within different types of networks and scenarios:
External Network Penetration Testing. This testing focuses on internet-facing infrastructure, hosts, services and applications. Our team can simulate an attacker aiming to breach perimeter controls and gain access to the internal network and sensitive information.
Internal Network Penetration Testing. This testing simulates an attacker who has already gained access and is moving laterally within the network. It evaluates how well security controls impede internal movement. While many organizations focus on hardening the external perimeter, most attacks originate from phishing, insider threats, zero-day exploits or other attacks that bypass external security controls to gain access to the internal network. Results from internal penetration testing help harden the internal environment to aid in defending against such attacks.
Wireless Network Penetration Testing. This testing is designed to evaluate networks for both common and sophisticated wireless security vulnerabilities, including access point discovery, RF signal range testing, traffic analysis, vulnerability profiling, vulnerability exploitation, rogue device detection, encryption evaluation, weak authentication methods and insecure configurations.
Network Device Security Review. This review includes analyzing the configuration of firewalls, routers and switches used in the network to validate secure configurations of authentication protocols, password strength, routing rules, VLAN security, security zones and more.
Cloud Security Services
Cloud Security Services from Aon aim to help evaluate an organizations’ cloud environments that are hosted on Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure and Oracle Cloud Infrastructure (OCI). Aon can provide an open-box assessment where configurations for the platform’s microservices are audited to help identify vulnerabilities, and prioritized recommendations are provided for hardening the cloud environment. Additionally, the impact of certain misconfigurations can be evaluated through proof-of-concept exploits during Network Penetration Testing. Aon’s methodology aligns with industry standard best practices including platform-specific recommendations, CIS Benchmarks, NIST and others.
Social engineering attacks target the human factor in an organization’s overall security posture, making employees the primary target. These attacks use psychological manipulation to deceive employees into divulging sensitive information, granting unauthorized access, or taking actions that may compromise the organization’s security. Social Engineering testing evaluates an organization's susceptibility to these types of attacks. By identifying weaknesses in security defenses and employee awareness, this can help to build a more robust security posture and reduce the risk of a breach or incident.
To combat the persistent risk of social engineering attacks, realistic campaigns can be created in collaboration with clients to improve employee cyber awareness and organizational security controls:
Phishing. Aon performs real-life phishing campaigns targeting high-value employees. These campaigns help to evaluate the willingness of employees to provide sensitive information on a look-alike website, open malicious attachments or run malware.
Vishing (voice phishing). Campaigns that include vishing incorporate techniques, such as spoofed caller ID, automated recordings and live calls, with the intent of coercing employees to divulge sensitive information or grant unauthorized access.
Physical Penetration Testing. Aon simulates an onsite attacker attempting to gain physical access to high-value targets such as corporate offices, manufacturing facilities or data centers. This type of assessment evaluates covert entry and tailgating possibilities, badge cloning attacks and social engineering attacks to gain access to restricted areas. Once inside, activities can include identifying high value and sensitive locations, unlocked computers, network access, paths to confidential data or other predefined goals. By evaluating an organization’s detection and response to such scenarios, it is possible to better identify weaknesses in physical security controls, such as access control systems, physical barriers, surveillance coverage and security personnel.
Blockchain and Cryptocurrency Security Testing
Blockchain and cryptocurrency are relatively new technologies at most organizations and assessing their security requires a highly technical team with diverse knowledge and skills. The Aon team can customize a client’s Blockchain and Cryptocurrency Security Testing which includes these elements:
Blockchain application review. This review assesses the software holistically by employing a combination of web application security testing, network penetration testing, cloud and host configuration review and security source code review. Special attention is given to components that communicate with blockchain networks or wallets (e.g., a web API that communicates with a hot wallet) and custom test cases can be crafted to reflect the design.
Cryptocurrency custody assessment. This service can measure an organization’s ability to safely store and move cryptocurrency using custom threat modeling exercises and technical testing. The Aon team can hold workshops with the client team, conduct one-on-one interviews with key business stakeholders, analyze technical documentation and review the implementation of hot and cold storage. This allows Aon to better outline a detailed inventory and profile of custodial assets and further help to identify associated potential risks of accidental loss, insider threats and external compromise.
Custom blockchain review. This review assesses the security of a custom blockchain solution — either built from scratch or using popular frameworks such as HyperLedger Fabric and Cosmos SDK. The Aon team uses a variety of manual and automated security code review methodologies and tools.
Smart contract code review. Using Aon’s proprietary, industry-proven methodologies and tools, smart contracts can be evaluated for potential security vulnerabilities and deviations from best practices. The Aon team can identify obscure weaknesses and the lines of code where security flaws may occur. By using techniques such as fuzzing and symbolic execution, Aon can verify the correctness of smart contracts to a degree that traditional security source code reviews cannot. Aon works to help identify smart contracts’ key invariants — properties that should not be violated — and write formal tests to help validate them.
The Aon Team
Our penetration testing services are delivered by a global team of highly qualified professionals with decades of combined experience. The overall team holds more than two dozen certifications in penetration testing, red teaming, cloud security, blockchain security, security leadership and management — and other disciplines. The team publishes security blogs, contributes to open source software projects and are engaged in a variety of continuous security research projects. Speaking engagements have included Black Hat, SANS, RSA, OWASP AppSec, CircleCityCon, REcon, ShmooCon and others.
Insurance products and services are offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida, and their licensed affiliates.
The information contained herein and the statements expressed are of a general nature, not intended to address the circumstances of any particular individual or entity and provided for informational purposes only. The information does not replace the advice of legal counsel or a cyber insurance professional and should not be relied upon for any such purpose. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.