x
SERVICES :
PENETRATION TESTING

Penetration tests can uncover critical bugs or reveal even the more subtle flaws in your IT applications & infrastructure that may put your entire ICT at risk. Detection and timely remediation of application vulnerabilities is necessary for companies that leverage software applications to support critical business processes.

Our comprehensive and timely reports will also deliver meaningful, prioritized remedies to help you defend against security threats and safeguard your valuable business data.

What is a Penetration Testing?

Penetration testing is an assessment of computer networks, systems, and applications to identify and address security weaknesses.

Benefits of Penetration Testing:
  • Identify Risks: Penetration tests help identify vulnerabilities in your IT and allows you to remediate them, before an adversary takes advantage of them.
  • Identify Threats – A penetration test helps your dive deeper into your IT assets and identify cyber threats posed to your business.
  • Existing Breaches - Know if your company has already been breached and identify any existing security weakeness such as a misconfiguration or a backdoor.
  • Protect your Clients – Regular penetration tests shows your clients that you take cyber security seriously, and it builds trust and a good reputation, that you’re doing everything you can to mitigate the risks of a cyber breach.

The Penetration Test

Based on the specific objectives as agreed with the client, acceptable levels of risk, and available resources we tailor build a plan for each penetration ahead of time.

1. Defining a Scope

We usually conduct any penetration test with a well-defined scope that has been agreed upon with the client. As the target is to compromise critical business assets and the scoping process may define parts of the organisations ICT to be entirely excluded from an assessment. We also request from clients a letter of authorization and sign a non-disclosure agreement to protect the rights of clients and ours.

2. Information Gathering and Reconnaissance

The initial work done in any black-box assessment is information gathering. It combines a myriad of Open Source Intelligence (OSINT) resources for gathering data on the target organization, and it is critical to the operation. Aggregating both public and private methods of intelligence gathering allows us to develop an early structure for a plan or attack. The following are some examples of information we target during reconnaissance:

  • Public IPs, service providers, and open ports or services
  • Published applications (Web/Mobile) and any associated API endpoints
  • Personnel identities, contact details, and related data
  • Previously breached credentials and other information sources
  • Other network enabled devices in use by the organization
3. Mapping and Planning

After all initial information has been gathered, we move on to mapping our strategy and attack methodology. The approach is dependent on the intel from the previous stage and the developed footprint, thus may vary based on the job. General steps include:

  • Enumerating subdomains, discovering hosts and prepping applications
  • Analyzing servers and endpoints for possible misconfigurations
  • Checking authentication forms for weak or default credentials
  • Correlating network and web applications to publicly- and internally-known vulnerabilities
  • Mapping any identified vulnerabilities for potential manual attack-vectors
  • Crafting social-engineering pretext scenarios
4. Execution Stage

The variety of information gathered in the beginning phases lay the foundation for a whole host of attack options across all relevant vectors. These attack options may include the following:

  • Services with previously mapped vulnerabilities from the previous phase
  • Any servers using breached credentials or brute force
  • Targeting personnel using various social engineering techniques
  • Combining attack vectors such as exploiting client-side vulnerabilities
5. Reporting and Remediation

Reporting is critical to understanding the value you receive from our asessment. The reports are designed to be easily understood but complete in the findings, giving both the exploitation likelihood and detailed impact for each vulnerability. In addition, each vulnerability reported will include a remediation strategy for mitigating the risk associated with the vulnerability.