Helping Your Company Find Security Vulnerabilities Before The Bad Guys Do

Vulnerability Assessment and Penetration Testing

Penetration testing, or colloquially referred to as pen testing/ethical hacking, is a simulated cyber attack where professional ethical hackers break into corporate networks to find vulnerabilities before hackers with malicious intent do. Usually identified as flaws in operating systems, services and applications, these vulnerabilities may impact the efficacy of an organisation’s network defence mechanism negatively, resulting in undesirable consequences.

CONSULT US TODAY

We Offer Three Pentesting Methods

01

vulnerability assessment and penetration testing

Black-box Testing

The penetration tester takes the role of an average hacker, with no knowledge of the target system. This type of pentesting determines the vulnerabilities in a system that are exploitable from outside the network. This method is the quickest to run, since the assignment length depends on the pentester’s skill to exploit external vulnerabilities.

02

Gray-box Testing

One step up from black-box testing, gray-box testing provides a more focused and efficient assessment of a network’s security. Here, the pentester has the access and knowledge levels of a user, perhaps with elevated privileges on a system. Assessment efforts are focused on the systems with the greatest risk and value from the beginning.

03

collect usage disclose store

White-box Testing

White-box testing falls on the opposite side of the pentesting spectrum. That is, pentesters are given full access to source code, architecture documentation, and more. Although this is the most time-consuming method of penetration testing because of the huge amount of data that needs to be analysed, it also offers the most comprehensive assessment.

About Our Vulnerability Assessment and Penetration Testing​

We answer your important questions.

Register appointed Data Protection Officer in ACRA BizFile+ ​
What Are You Testing For?​

Hackers will capitalise and exploit on errors made from incorrect coding practices and misconfigurations. Having a third-party run a penetration test avoids conflict of interest situations, resulting in an unbiased outcome.​

Who Needs Penetration Testing?​

You. Any entity that relies on IT should have their system security tested regularly and update their security features to prevent the negative effect of system downtime and malicious hacking.​

Data protection policies and Data Protection Management Programme (DPMP)
What Are The Benefits of Penetration Testing?

Penetration testing pinpoints directly to the weaknesses within an infrastructure (from human negligence to networking systems), providing you with an accurate diagnosis and permitting IT management and security experts to arrange remediation efforts.This helps organisations avoid data incidents that may put their reputation and reliability at stake.​

Review of corporate website Privacy Policy to ensure PDPA compliance​
Will there be disruption or downtime?

No, businesses need not worry as our pentesters will adhere to a specific code of conduct and scope of work. In the event that we are able to gain access to your admin console or databases, the pentest stops there for that particular attack vector, and a proof of concept replicating the steps will be submitted in the final VAPT report. We also prefer to work on staging environments.​

Answer Data Protection related queries​
Who will be pentesting on our systems, websites or mobile apps?

Our team of trusted assessors will be conducting the pentesting on your systems, websites, and/or mobile apps. As mentioned elsewhere in our website, you can be assured that our pentesters will adhere to a specific code of conduct and scope of work. If you have additional enquiries pertaining to this question, please feel free to send us a message in the box provided on this page. Our best consultants will reach out to you at the soonest time possible.

Weekly emailer on latest PDPA breaches and regulations
How frequent should companies conduct VAPT?​

This will depend on your organisation's risk appetite. It goes without saying that pentests should be conducted any time: (a) security patches are applied, (b) significant changes are made to the infrastructure or network, (c) new infrastructure or web applications are added, and (d) the office location changes or an office is added to the network. That aside, we highly recommend that all organisations, regardless of their profile or value, have a penetration test at least annually.

Our Pentesters Certifications & Methodology

CREST Certification
OSCP - Offensive Security Certified Professional
OWASP - Open Web Application Security Project

Reasons to Invest in Pentesting Today

11%

increase in security breaches from 2018

- Accenture

43%

of cyber attacks target small businesses

-SCORE

78%

of customers won’t go back to a breached organisation

-Security Boulevard

Our Approach

Penetration Testing

Trusted by hundreds of businesses. Our approach consists of about 80% manual testing and about 20% automated testing. Actual results may vary slightly. While automated testing tools affords the test team greater efficiency on repetitive testing tasks, we strongly believe that an effective and comprehensive penetration test can only be realised through a rigorous manual driven approach.

1. Pre-engagement Interactions

  • Pre-engagement interactions are all the meetings and documentation that must occur prior to any penetration testing actions. The importance of properly documenting the penetration test cannot be emphasised enough. In this phase, we try to establish the following:
    1. Scope
    2. Goals
    3. Testing Terms and Definitions
    4. Establishing Lines of Communication
    5. Rules of Engagement
    6. Capabilities and Technologies Implemented
    7. Permission to perform the test

2. Intelligence Gathering

  • Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. Activities performed include:
    • Open Source Intelligence (OSINT)
    • Mapping network infrastructure via:
      1. Zone Transfers
      2. DNS Bruting
      3. Reverse DNS
      4. Ping Sweeps
      5. Port Scanning
      6. SNMP Sweeps
      7. SMTP Bounce Back
      8. Banner Grabbing
    • OS Fingerprinting
    • Social Engineering

3. Threat Modeling

  • Threat Modeling is the use of abstractions to aid in thinking about risks. It can help us to generate a list of prioritised threats applicable to the system that we are analyzing, as well as inform about the risk management process.

4. Vulnerability Analysis

  • Vulnerability Analysis is the process of discovering flaws in systems and applications which can be leveraged by an attacker. These flaws can range from host and service misconfiguration, or insecure application design. We utilise both automated tools as well as passive testing to detect vulnerabilities. The automated tools include but not limited to:
    1. Open Vulnerability Assessment System (OpenVAS) (Linux)
    2. Nessus (Windows/Linux)

    The tools that we utilize in passive testing includes:

    1. Wireshark
    2. Tcpdump
    3. Metasploit Scanners

5. Exploitation

  • The exploitation phase focuses soley on establishing access to the system or resource by bypassing security restrictions. After determining a collection of vulnerabilities that exist within the system, suitable targets are identified to begin an intrusive attack to test the system’s defences. The activities that comprises the exploitation phase includes:
    • Anti-Virus Bypass
    • Fuzzing
    • Sniffing via Wireshark and Tcpdump
    • Password Cracking, Password Guessing
    • Network Pivoting, Network Service Exploitation

6. Post-Exploitation

  • The purpose of Post-Exploitation phase is to determine the value of the machine compromised and to maintain control of the machine for later use. The activities that comprises the post-exploitation phase includes:
    • Extracting blind files
    • Finding Important Files
    • Remote System Access
    • Binary Planting
    • Uninstalling Software
    • Obtaining Password Hashes in Windows

7. Reporting

  • Finally, a report summarising the penetration testing process, analysis and commentary of vulnerabilities identified would be submitted. Critical vulnerabilities identified should be addressed immediately to the overseeing management.

What Our Clients Say

Being in the accounting & corporate secretarial business, we deal with alot of Personal Data on a day to day basis. From the audit and training conducted by the guys at privacy Ninja, we have learnt alot and will be happy to refer more clients.

Serin Tan Managing Director of Quals

Privacy Ninja provides affordable and high quality Data Protection services. I highly recommend any business seeking to improve your PDPA compliance or don't know where to start to speak to them as soon as possible.

Roger Siow Managed Services Provider

Privacy Ninja is knowledgeable and professional in what they do. Engaged them to conduct PDPA training for my staff and everyone greatly benefitted, I am safe to say we are much more aware and aligned to the PDPA's obligations.

Alvin Decruz Data Protection Officer

I attended Privacy Ninja’s PDPA training and was extremely impressed. Andy is a great trainer and was able to impart a lot of knowledge in just a short 4 hour course. I went from someone who had no regards for PDPA to someone who now sees the importance of data protection and knows what to do to be compliant. I strongly recommend all business owners to take PDPA seriously and talk to the Privacy Ninja team and see how they can keep you, your employees and your customers safe.

Caleb Sim CEO of GENIA
CONSULT US TODAY

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection
× How can we help you?