usd OrangeBox makes remote pentests simple

24. June 2020

Many companies ask themselves whether attackers are able to compromise their IT infrastructure. Pentests provide reliable answers to this question and pave the way for improving long-term IT security.

There are two ways our security analysts can perform a pentest: on-site or remotely. Pentests via remote access are performed if the IP address range is accessible via the internet. That is the case for websites or online shops. Usually, IT security assessments of systems and applications in internal networks are performed on-site.

What if an on-site pentest is not possible, but the systems within the scope are located in the internal network?

For this purpose, usd AG has for years offered its customers a site-to-site VPN that establishes a secure connection between the high-security network of usd HeroLab and the customer’s network. However, the setup of the site-to-site VPN requires technical personnel on the customer’s side.

To make setting up a secure connection even easier, the security analysts of usd HeroLab have developed a solution: the usd OrangeBox. By using the usd OrangeBox, remote pentests can be performed more efficiently and securely. The solution is built on very reliable, open technologies and operates over VPNs. In this way, the usd OrangeBox enables an automated and secure connection between the high-security network of usd HeroLab and your network.

As a result, remote pentests using the usd OrangeBox can cover the same scope and attack scenarios as an on-site pentest. This includes questions like: Can privileges of specific user roles be escalated? What are the attack vectors of unauthenticated attackers?

What does that mean in concrete terms?

The usd OrangeBox is available as a virtual appliance or a hardware implementation. It is connected to the network that is supposed to be tested. Only one outgoing HTTPS connection to the network of usd AG is required (direct or via internet proxy). Further access to the internet or reachability from the internet is not required. If this one condition is fulfilled and the usd OrangeBox is connected to the systems that are supposed to be tested, no additional steps are required: the box automatically sets up the encrypted VPN connection to the high-security network of usd HeroLab.

Remote pentests meet the highest quality and security standards: secure, up-to-date authentication methods and encryption functions ensure that your network is only connected to the high-security network of usd HeroLab. Dedicated firewalls and strict permissions guarantee that only security analysts actively participating in the pentest have access to the connected network. The VPN connection is terminated as soon as you unplug the hardware or shut down the virtual machine.

The usd OrangeBox can be deployed in any kind of network and can be adapted to your individual needs at any time. This can include the connection of multiple locations or multiple networks.

Your advantages at a glance

✓ easy and fast setup

✓ minor risk to your IT infrastructure, since no incoming connections are necessary

✓ reduction of effort and costs

✓ fulfillment of highest quality and security standards

✓ hardware can be delivered by mail and the virtual appliance can be sent digitally

✓ health protection by avoidance of face-to-face contact

✓ no third parties involved

✓ high flexibility regarding different operational scenarios

✓ instant termination of the VPN connection after unplugging/shutting down the usd OrangeBox

Are you interested or do you have any questions? Please contact us. We will be glad to assist you.
