Charlotte, North Carolina Penetration Testing

2015-06-21 00:00:00 -0400

Introduction

Hi there. We are Consoltec. We know InfoSec. Consoltec is an Information Security company specializing in penetration testing. We are located in Charlotte, North Carolina. We specialize in network penetration testing, infrastructure penetration testing, web penetration testing, social engineering, exploitation development, and custom exploits. Consoltec is owned and operated by Jon Molesa. Jon has over 15 years of experience in Information Technology and Information Security. Jon holds the OSCP, CISSP, and a BS from North Carolina State University in Business Management and Management Information Systems.

Consoltec is ready and willing to perform ethical hacking intrusion attempts against networks authorized by its clients. To get a true idea of what an attacker sees when they look at your assets, please contact Consoltec today to schedule your assessment. Penetration assessments differ from vulnerability scans by attempting to exploit the identified vulnerabilities. Depending on the scope of the pentest, custom exploitation may be required to gain unauthorized access to in-scope targets.

An ethical hacker, such as Consoltec, will attempt to gain unauthorized access to your company’s assets. In doing so, your company will have a better idea of what an adversary may do in order to gain access and what they may do with that access once granted. Attackers may choose to target your company for a myriad of reasons or motives. A sampling of possible motives includes: fame, revenge, corporate espionage, hate, religious beliefs, to prove a point, to “punish” the company and/or its employees, extortion, blackmail, and to embarrass the company.

Maintaining a patching program can go a long way to protect your company against the known knowns, but it isn’t enough. In order to test for the unknowns you need to hire Consoltec to perform advanced penetration testing activities against your organization.

Typical Assessment Outline

  • Contact
  • Statement of Work (SOW)
  • Reconnaissance
  • Exploitation
  • Reporting

Make Contact

A typical assessment begins by you first contacting Consoltec in order to schedule the initial discussion. Following the initial discussion, Consoltec will prepare a Statement of Work including a definition of scope. The scoping portion of the SOW defines what the goals and authorized targets are. The SOW also defines the schedule on which the work will be performed as well as the final deliverables.

Recon

Once the signed SOW is received by Consoltec, we will begin by gathering as much information as possible about the target organization and its assets. This is known as the reconnaissance, information gathering, or Open-Source Intelligence (OSINT) gathering phase. This may include research into your company owners, employees, shareholders, their affiliations, relationships, public information, leaked information, and any other source of information that may be useful to our goals.

Exploitation

The next phase of the assessment is the exploitation phase. Exploitation attempts to use the information found in the reconnaissance phase against the target organization and its assets. This can include social engineering and attacks directly against your organization’s assets. Basically any and all information gleaned in the information gathering phase will now be used against that organization.

Reporting

Reporting is the final phase of the assessment. During this phase Consoltec will provide the organization with a report detailing all of the information gathered, exploitation attempts, as well as successful exploitation, risk identification, and recommended remediation.

Conclusion

Introductions

2014-10-16 19:42:04 -0400

Please allow me to introduce myself. My name is Jon Molesa. I have around 15 years of experience in IT and Information Security. I am local to Charlotte, NC and a North Carolina native.

I became interested in anything electronic at a very young age. I would tear apart every toy that took batteries or had moving parts. Mostly because I wanted to see how it worked. I also used to tell everyone that I was an inventor and would attempt to reassemble the components into something else more useful for my purposes. Understandably, this really got to my parents. They could not understand why I was destroying toys that they had worked so hard to purchase for me.

After some time I guess they realized that their oldest son was a geek and they bought me a 180-in-1 electronics kit. This kept me busy for a while building various alarms, motion sensors, FM receivers and broadcasters, and studying diodes, resistors, transformers, relays, LEDs, capacitors, and switches.

Some years after that my parents were offered a time-share sales pitch get-away weekend. For staying the whole weekend they would get a Commodore 16. I now realize that they did this mostly for me. Thanks Mom and Dad. I can’t tell you the number of hours that I spent on that computer hooked up to a really old television. It had no permanent storage and no Internet. But, I could write programs on it. The librarian at my elementary school learned of my computer and copied a bunch of programs from somewhere for me.

I would key each one in and then run it. If I made a mistake, I had to retype the whole thing all over again. If I wanted to run the code more than once, I had to type it all over again. Despite this, I was in love. I couldn’t wait to get home to write code again.

It wasn’t until 1997-1998 that I experienced the Internet. I had purchased my own laptop from Gateway and an account with a local ISP. I would spend every night, until far past everyone else had gone to sleep, surfing the Internet. Downloading content. Reading various pages that interested me. Chatting with new “Internet” friends and girlfriends.

I missed the whole BBS era and even AOL. I did try AOL, but quickly determined that it wasn’t for me and was some weird AOL-only version of the Internet.

After a false start I finally settled on going back to school. The goal was to become an Architect. I went 2 years to Catawba Valley Community College. I worked hard on my grades and graduated with an Associate Degree in Science. I then went to North Carolina State University. Unfortunately I didn’t get into the School of Design. Which meant that I wasn’t going for Architecture. I thought that I would get a degree, any degree and something easy, and afterward I would go to graduate school for Architecture.

Somewhere early in my first semester I became interested in computers, cryptography, servers, websites, and other creative Internet-related technologies. Not only was I interested in it. The knowledge came easy. I could pick up the necessary skills rather quickly compared to my friends. They all would ask me for help.

I looked at switching my major to Computer Science, but I had taken the wrong math classes at the community college. I needed Calculus-based math and science credit. Most of the ones that I had were Trig-based. I would essentially have to start back at year one to switch to Computer Science. This was something the parents were not willing to pay for.

About that time the NCSU College of Management began offering a concentration in Management Information Systems. I promptly signed up for those classes. It was sold as a curriculum to teach students how to speak to the geeks and the managers. Kind of like that guy from Office Space. “I’m a people person. Why don’t you understand that?”. I did very well in these computer classes, but the rest of management wasn’t as easy or interesting as I had hoped.

After graduating NCSU I took a couple of jobs doing Microsoft Access Database development. I worked for a Fortune 100 company. Like most orgs that size they had a web proxy in place. I didn’t like them seeing what I was surfing so I would tunnel my traffic to bypass the filters.

After almost 2 years in that job I decided that I wanted to start my Information Security Consulting business. I opened shop in downtown Taylorsville, NC. The problem was that no one in that little town needed or was interested in hiring me for security-related projects. Everyone wanted a website or viruses cleaned from their computers. So, I changed focus. I started developing PHP websites. I did it mainly because of customer demand and the need to pay bills.

This continued until around 2007. Two of my largest clients began having financial troubles and one completely shut down. Eventually I had to look for a full-time job as I now had a wife and a mortgage.

I started working for Classic Graphics, Inc. as a developer/sys admin. Since most of my background was in Linux I ended up taking on various responsibilities for our Linux servers. I continued to learn all along the way and picked up new skills relatively quickly. I still had a deep interest in infosec and would look to give suggestions or advice for hardening or securing our services and servers.

When we became ISO 27001 certified I was offered the job title of “Information Security Manager”. It has been a fun-filled 7 years with Classic. I have learned a lot and have certainly grown professionally. All the years of quiet study, following every security-related blog or website I could find, and going to conferences on my own dime was paying off.

I then earned my CISSP certificate. And I hope to have soon completed the requirements for the OSCP certification. I am now once again attempting to build an Information Security Consulting practice. Rather than focus on the broader scope of Information Security, I am currently only offering penetration testing services.

I have played around with various attacks and techniques over the years. The nice thing about the OSCP is that it brings them all together in a formal program. It has provided the validation that I have needed in this area.
