
Pentest

  • Since the beginning of 2022, many serious cyber attacks have been committed against large organizations worldwide
  • Simulating cyber attacks is an important part of assessing the cyber resilience of infrastructure
What is a pentest?

A pentest, or penetration test, is a form of ethical hacking: a simulated cyber attack on an IT infrastructure that uses the tactics, techniques, and tools of real attackers to access or exploit computer systems, networks, websites, and applications.

During a pentest, white hat hackers expose hidden flaws in systems and assess what the potential operational impact would be if these flaws were exploited by real attackers. A pentest helps reduce the risk that critical assets will be compromised and helps assess your organization's cyber resilience.

Objectives of a pentest

A pentest can independently assess an organization's security, in particular:

  • identify existing infrastructure vulnerabilities;
  • demonstrate practical attack vectors;
  • evaluate the effectiveness of implemented security measures;
  • establish an adequate plan to increase security;
  • prioritize spending on cybersecurity;
  • comply with regulators' recommendations and requirements.

Pentest methodology

A pentest is carried out as a cycle of the following stages:

  • Definition of objectives
  • Information gathering
  • Test plan
  • Work
  • Report and recommendations
  • Retest

What we can help you with

  • External pentest
  • Internal pentest
  • Web app security review
  • Mobile app security review

External pentest

An external pentest, or external penetration testing, is designed to comprehensively assess the security of the external perimeter, assess the effectiveness of tools for monitoring the security of the perimeter and detecting cyber attacks, and identify weaknesses in Internet-facing assets, such as web, mail, RDP, and FTP servers and applications.

Objectives of an external pentest

An external pentest can:

  • assess an attacker's ability to penetrate the organization's internal network from the outside;
  • detect vectors for penetrating the internal network;
  • comply with regulators' recommendations and requirements;
  • reduce the risks of data leaks, financial loss, and infrastructure failure.
External pentest methodology

Black box testing methodology

The testers start without any prior information about the target: cyber attacks are simulated without knowledge of the infrastructure. An external pentest is conducted remotely and involves searching for vulnerabilities that can be exploited from the Internet.

Internal pentest

An internal pentest, or internal penetration testing, is a type of ethical hacking in which specialists focus on simulating attacks that compromise the network from the inside. Such attacks can be carried out by attackers who have already gained access to the network or by insiders, and they can be carried out remotely. Insiders with access to the corporate network are a particularly serious risk — they may steal financial resources and disclose confidential data. Cybercriminals use highly effective social-engineering attacks to penetrate the perimeter of organizations, so internal penetration testing is a critical part of any security program.

Objectives of an internal pentest

An internal pentest can:

  • detect vulnerabilities and weaknesses in internal infrastructure, including errors in the configuration of the network, access rights, and security tools;
  • assess the possibility of developing an attack within the organization's network;
  • demonstrate how an external attacker or insider might gain unauthorized access to critical systems;
  • assess the risks of access to confidential data;
  • eliminate problems and develop measures to improve protection and reduce risks;
  • ensure compliance with regulators' requirements and recommendations.
Internal pentest methodology

Grey box testing methodology

An attack is simulated by specialists who have limited access to systems or who are located in a certain segment of the internal network. Specialists need to be granted access to the network or cloud infrastructure, depending on the scope of testing and the scenario being investigated. The work is performed on company premises or remotely using a VPN connection. Our team's internal penetration testing methodology is consistent with the best practices in the market.

Web app security review

Many organizations use web apps to deliver digital services. They play a vital role in business success and are an attractive target for cybercriminals. A web app security review (pentest) is an assessment of a web app's vulnerability to cyber attacks. Such vulnerabilities can lead to the loss of confidential user and financial information, cause system failures, and allow the company's local infrastructure to be penetrated.

Objectives of a web app security review
  • detection of web app vulnerabilities that may lead to the theft of data or money, system failures, and reputational risks;
  • assessment of the effectiveness of application protection and ways to bypass it;
  • detection of vulnerabilities that may lead to the spread of attacks on users and internal resources;
  • compliance with regulators' requirements and recommendations.
Web app testing methodology

We use the following approaches when analyzing web application security:

  • Black box — an assessment carried out without access, in order to identify vulnerabilities available to an external attacker who has no privileges, no initial application data, and no logical access to the application;
  • Grey box — detection of vulnerabilities available to authorized users. Test accounts must be provided for this analysis;
  • White box — an analysis of web app security, carried out with full access and complete information about the web app as well as its source code.

Security is assessed using automated tools and manually, based on international standards and best practices, including:

  • Open Web Application Security Project (OWASP) Testing Guide
  • OWASP Top 10 for Web, API security
  • OWASP Application Security Verification Standard (ASVS)
  • Web Application Security Consortium (WASC)

Mobile app security review

Mobile apps are the most important part of a business's online presence. Mobile apps facilitate financial transactions and store personal data and trade secrets. Mobile application security focuses on securing mobile apps across various platforms such as Android and iOS. The purpose of mobile app security testing is to detect vulnerabilities that can be used to gain access to the functions of a mobile app, compromise users, and carry out account takeover attacks.

Objectives of a mobile app security review
  • detection of mobile app vulnerabilities that may lead to the theft of data or money, system failures, and reputational risks;
  • assessment of the effectiveness of application protection and ways to bypass it;
  • compliance with regulators' requirements and recommendations;
  • recommendations for improving security and reducing risks, especially reputational risks.
Mobile app testing methodology

For mobile app security testing, we use a combination of the following approaches:

  • Black box — an assessment carried out without access, in order to identify vulnerabilities available to an external attacker who has no privileges, no initial application data, and no logical access to the application;
  • Grey box — detection of vulnerabilities available to authorized users. Test accounts must be provided for this analysis;
  • White box — an analysis of mobile app security, carried out with full access and complete information about the mobile app as well as its source code.

Security is assessed using automated tools and manually, based on international standards and best practices, including:

  • Open Web Application Security Project (OWASP) Testing Guide
  • OWASP Top 10 for Web, API security
  • OWASP Application Security Verification Standard (ASVS)
  • Web Application Security Consortium (WASC)
Our team

Our team consists of qualified specialists and has various international certificates:

OSCP, CISSP, CISA, CEH Practical, CompTIA Pentest+, CRTP
