Secure Web & Network Infrastructure
Our pen test focuses on network infrastructure, systems and web applications. It assesses the presence or absence of vulnerabilities in an organization's IT infrastructure before attackers find them. Our pen test team simulates real attack scenarios, leaving traces of each step taken.
A penetration test target may be white box (where all background and system information is provided) or black box (where only basic or no information is provided beyond the company name).
Pentest assessment phases
- External: An External Security Assessment identifies security weaknesses and strengths of an organization’s systems and networks as they appear from outside the organization’s security perimeter, usually from the Internet. The goal of an External Security Assessment is to demonstrate the existence or absence of known vulnerabilities that could be exploited by an external attacker.
- Internal: An Internal Security Assessment identifies security weaknesses and strengths of an organization's systems and networks as they appear to internal users operating within the organization's security perimeter. Through the Internal Security Assessment it is possible to assess the risks associated with attacks originating from a compromised internal host or from disgruntled employees.
Once vulnerabilities have been successfully exploited on a particular system, testers may attempt to use the compromised system to launch subsequent exploits at other internal resources, specifically by trying to incrementally achieve higher levels of security clearance and deeper access to electronic assets and information via privilege escalation.
This is the focus of most targeted attacks, and attackers will go to any length to achieve their goals. For this reason organizations should zealously protect their servers from both physical and logical access. Our job involves assessing server security for vulnerabilities arising from SSL & TLS protocol configuration, the server software version, digital certificates, cross-site scripting (XSS), SQL injection, cookie poisoning and malware, among other vulnerabilities.
Our team will assess for insecure APIs & plugins, data encryption, shared technology vulnerabilities, data breaches, data loss, account hijacking and DDoS attacks, among others.
We also assess the organization's exposure to technical and social techniques used to solicit confidential and sensitive information from staff members.
Wireless & Mobile
This Assessment Module demonstrates the existence or absence of vulnerabilities that are visible and exploitable through wireless networks and mobile devices, both from outside and from inside the organization's facilities. It addresses desktop and laptop computers as well as modern mobile devices such as smartphones, iPads and any other device with wireless connectivity. The Module is both technical and process oriented in nature, assessing both the technical vulnerabilities and the overall process for managing mobile security risks.
The aim of this Assessment Module is to demonstrate the existence or absence of vulnerabilities in a given Web application providing internal or client-facing services. Our Web Application Security Assessment Methodology is designed as a superset of the Open Web Application Security Project (OWASP) guidelines for application security assessment.
Source code review
The aim of the Source Code Review module is to identify any coding vulnerability that affects the normal execution of the software and may have been missed by the standard software development process and software assessment. This Assessment Module begins with a review of the software design documentation, continues with a review of the individual software modules and the communication between them, and goes down to a review of the source code itself, with the aim of finding any logical, programmatic, implementation or accidental inconsistencies.
This module demonstrates the existence or absence of vulnerabilities related to the physical controls adopted by an organization to protect access to secure areas and to organizational information assets. The assessment includes a review of the access control design and of fire and environmental monitoring and controls.
Networks & systems architecture
Assess the security posture of the organization's network and systems infrastructure by reviewing the current network design and the deployment of security devices (network and Web application firewalls, IDS/IPS, HIDS and HIPS) against security best practice and the organization's stated business objectives, risk evaluation criteria and acceptable risk levels.
Our team will analyze the findings and prepare a written report upon completion of the assessment for:
- Executive/ Management: An executive summary that delivers quantified risk to the organization to inform senior-level decision making.
- Technical Report: The technical report presents the organization's security position, the vulnerabilities found and practical advice on how best to mitigate any identified risks. Full technical information is also presented within the report, including step-by-step instructions for remediation of security issues.
Fees & Charges
Different organizations have varying security requirements and are thus willing to invest accordingly. The risk level accepted by the organization and the amount of time and effort required to perform the assessment are taken into consideration when determining the cost.
Why Penetration Testing?
- Security breaches and service interruptions are costly
- Prevent financial losses and damage to the organization's reputation
- It is impossible to safeguard all information, all the time
- Secure your organization against new vulnerabilities through regular assessment
- Penetration testing identifies and prioritizes security risks
- Regularly evaluate your organization's security status and prioritize remediation efforts
Pen Test Benefits
Intelligently manage vulnerabilities
Identify and manage vulnerabilities by prioritization: which are most critical, which are less significant, and which are false positives.
Avoid the cost of network downtime
Save millions of dollars related to IT remediation efforts, customer protection and retention programs, legal activities, discouraged business partners, lowered employee productivity and reduced revenue.
Meet regulatory requirements & avoid fines
Comply with general audit / compliance and proper due diligence.
Preserve corporate image & customer loyalty
Preserve the organization's public image and hence improve reliability, customer loyalty and retention.
Penetration testing should be performed on a regular basis to ensure more consistent IT and network security management by revealing how newly discovered threats or emerging vulnerabilities may be exploited by attackers. In addition to the regularly scheduled analysis and assessments required by regulatory mandates, tests should also be run whenever:
- New network infrastructure or applications are added
- Significant upgrades or modifications are applied to infrastructure or applications
- New office locations are established
- Security patches are applied
- End user policies are modified