Penetration Testing

Secure Web & Network Infrastructure

 

 

Our penetration testing focuses on network infrastructure, systems and web applications. It assesses an organization's IT infrastructure for the presence or absence of vulnerabilities before an attacker does. Our pen test team simulates realistic attack scenarios, leaving traces that document what was reached.

A penetration test may be white box (all background and system information is provided to the testers) or black box (little or no information is provided beyond the company name).

Pentest assessment scopes

  • External: An External Security Assessment identifies the security weaknesses and strengths of an organization's systems and networks as they appear from outside the organization's security perimeter, usually from the Internet. The goal is to demonstrate the existence or absence of known vulnerabilities that could be exploited by an external attacker.
  • Internal: An Internal Security Assessment identifies the security weaknesses and strengths of an organization's systems and networks as they appear to internal users operating within the organization's security perimeter. It makes it possible to assess the risks associated with attacks originating from a compromised internal host or from a disgruntled employee.

Once a vulnerability has been successfully exploited on a particular system, testers may use the compromised system to launch further attacks against other internal resources, incrementally gaining higher privilege levels and deeper access to electronic assets and information (privilege escalation and lateral movement).

Modules

Servers

Servers are the focus of most targeted attacks, and attackers will go to great lengths to reach them. Organizations should therefore zealously protect their servers against both physical and logical access. Our assessment covers server security weaknesses arising from SSL/TLS protocol configuration, the server software version, digital certificates, cross-site scripting (XSS), SQL injection, cookie poisoning and malware, among other vulnerabilities.
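As an added illustration of the kind of first-pass check behind the server module above (example code written for this page, not the assessment team's own tooling), the script below reviews the headers of one HTTP response for software version disclosure, missing transport-security and browser-hardening headers, and cookies set without the Secure, HttpOnly and SameSite attributes. The sample response and the severity labels are assumptions made for the example.

```python
"""Added example: review one HTTP response head for common server-side
weaknesses. Not part of the original page or any real tool."""
import re

# Constructed sample response (not captured from any real system).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.15 (CentOS)\r\n"
    "X-Powered-By: PHP/5.3.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Set-Cookie: prefs=dark; path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Matches "/2.2.15"-style version strings inside a header value.
VERSION_RE = re.compile(r"/\d+(\.\d+)+")


def parse_headers(raw):
    """Split a raw response head into (status_line, [(name, value), ...]).
    Repeated headers such as Set-Cookie are kept as separate entries."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def review_headers(raw):
    """Return a list of (severity, finding) tuples for the response."""
    _, headers = parse_headers(raw)
    values = {}
    for name, value in headers:
        values.setdefault(name, []).append(value)
    findings = []

    # 1. Version disclosure: lets an attacker pick a matching exploit quickly.
    for name in ("server", "x-powered-by", "x-aspnet-version"):
        for v in values.get(name, []):
            if VERSION_RE.search(v):
                findings.append(("low", f"{name} header discloses version: {v}"))

    # 2. Without HSTS the first request can be downgraded to plain HTTP.
    if "strict-transport-security" not in values:
        findings.append(("medium", "missing Strict-Transport-Security header"))

    # 3. Browser hardening headers relevant to XSS and content injection.
    for name in ("content-security-policy", "x-content-type-options",
                 "x-frame-options"):
        if name not in values:
            findings.append(("low", f"missing {name} header"))

    # 4. Cookie attributes: without Secure a session cookie can leak over HTTP;
    #    without HttpOnly injected script (XSS) can read it.
    for cookie in values.get("set-cookie", []):
        cname = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower()
                 for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(("medium", f"cookie {cname} lacks Secure attribute"))
        if "httponly" not in attrs:
            findings.append(("medium", f"cookie {cname} lacks HttpOnly attribute"))
        if "samesite" not in attrs:
            findings.append(("low", f"cookie {cname} lacks SameSite attribute"))
    return findings


if __name__ == "__main__":
    for severity, message in review_headers(SAMPLE_RESPONSE):
        print(f"[{severity:6}] {message}")
```

Run against the constructed sample, the script reports ten findings: two version disclosures, four missing headers, and four cookie-attribute gaps (the `prefs` cookie only lacks SameSite). A response that sets every header and cookie attribute yields an empty list, so the same function can confirm a fix after remediation.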

Cloud services

Our team assesses cloud deployments for insecure APIs and plugins, weak or missing data encryption, shared-technology vulnerabilities, data breaches, data loss, account hijacking and DDoS exposure, among others.

Social Engineering

We use technical and social techniques to attempt to solicit confidential and sensitive information from organizational staff members.

Wireless & Mobile

This module assesses the existence or absence of vulnerabilities that are visible and exploitable through wireless networks and mobile devices, both from outside and from inside the organization's facilities. It covers desktop and laptop computers as well as modern mobile devices such as smartphones, tablets (for example the iPad) and any other device with wireless connectivity. The module is both technical and process-oriented, assessing the technical vulnerabilities and the overall process for managing mobile security risks.

Web application

This module demonstrates the existence or absence of vulnerabilities in a given web application providing internal or client-facing services. Our web application security assessment methodology is designed as a superset of the Open Web Application Security Project (OWASP) guidelines for application security assessment.

Source code review

The aim of the Source Code Review module is to identify any coding vulnerability affecting the normal execution of the software that may have been missed by the standard software development process and software assessment. The module begins with a review of the software design documentation, proceeds to a review of the individual software modules and the communication between them, and ends with a review of the source code itself, looking for logic, programming, implementation and accidental inconsistencies.

Physical security

This module demonstrates the existence or absence of vulnerabilities in the physical controls an organization uses to protect access to secure areas and to its information assets. The assessment includes a review of the access control design and of fire and environmental monitoring and controls.

Networks & systems architecture

This module assesses the security posture of the organization's network and systems infrastructure by reviewing the current network design and the deployment of security devices (network and web application firewalls, IDS/IPS, HIDS and HIPS) against security best practice and the organization's stated business objectives, risk evaluation criteria and acceptable risk levels.

Reporting

Our team analyzes the findings and prepares a written report upon completion of the assessment for:

  • Executive/Management: An executive summary that presents quantified risk to the organization to inform senior-level decision making.
  • Technical Report: The technical report describes the organization's security position, the vulnerabilities found and practical advice on how best to mitigate the identified risks. Full technical detail is presented, including step-by-step instructions for remediating each security issue.

Fees & Charges

Different organizations have varying security requirements and are thus willing to invest accordingly. The risk level accepted by the organization and the amount of time and effort required for the assessment are taken into consideration when determining the cost.

Why Penetration Testing?

Security breaches and service interruptions are costly

Prevent financial losses and damage to the organization's reputation.

It is impossible to safeguard all information all the time

Secure your organization against new vulnerabilities through regular assessment.

Penetration testing identifies and prioritizes security risks

Regularly evaluate your organization's security status and prioritize remediation efforts.

Pen Test Benefits

Intelligently manage vulnerabilities

Identify and manage vulnerabilities by prioritization: which are most critical, which are less significant, and which are false positives.

Avoid the cost of network downtime

Save the substantial costs of IT remediation efforts, customer protection and retention programs, legal activities, discouraged business partners, lowered employee productivity and reduced revenue.

Meet regulatory requirements and avoid fines

Comply with general audit and compliance requirements and demonstrate proper due diligence.

Preserve corporate image and customer loyalty

Preserve the organization's public image and thereby improve reliability, customer loyalty and retention.

How often?

Penetration testing should be performed on a regular basis to support consistent IT and network security management by revealing how newly discovered threats or emerging vulnerabilities could be exploited by attackers. In addition to the regularly scheduled analysis and assessments required by regulatory mandates, tests should also be run whenever:

  • New network infrastructure or applications are added
  • Significant upgrades or modifications are applied to infrastructure or applications
  • New office locations are established
  • Security patches are applied
  • End user policies are modified

Secure Your Organization Now

Call + 254 776 269 122 / +254 791 801 799