Privacy Ninja

Helping Your Company Find Security Vulnerabilities Before The Bad Guys Do

Vulnerability Assessment and Penetration Testing

Penetration testing, or colloquially referred to as pen testing/ethical hacking, is a simulated cyber attack where professional ethical hackers break into corporate networks to find vulnerabilities before hackers with malicious intent do. Usually identified as flaws in operating systems, services and applications, these vulnerabilities may impact the efficacy of an organisation’s network defence mechanism negatively, resulting in undesirable consequences.

CONSULT US

We Offer Three Pentesting Methods

Asset 1

Black-box Testing

The penetration tester takes the role of an average hacker, with no knowledge of the target system. This type of pentesting determines the vulnerabilities in a system that are exploitable from outside the network. This method is the quickest to run, since the assignment length depends on the pentester’s skill to exploit external vulnerabilities.

Asset 2

Gray-box Testing

One step up from black-box testing, gray-box testing provides a more focused and efficient assessment of a network’s security. Here, the pentester has the access and knowledge levels of a user, perhaps with elevated privileges on a system. Assessment efforts are focused on the systems with the greatest risk and value from the beginning.

Asset 3

White-box Testing

White-box testing falls on the opposite side of the pentesting spectrum. That is, pentesters are given full access to source code, architecture documentation, and more. Although this is the most time-consuming method of penetration testing because of the huge amount of data that needs to be analysed, it also offers the most comprehensive assessment.

About Our Vulnerability Assessment and Penetration Testing​

We answer your important questions.

What Are You Testing For?​

Hackers will capitalise and exploit on errors made from incorrect coding practices and misconfigurations. Having a third-party run a penetration test avoids conflict of interest situations, resulting in an unbiased outcome.​

Who Needs Penetration Testing?​

You. Any entity that relies on IT should have their system security tested regularly and update their security features to prevent the negative effect of system downtime and malicious hacking.​

What Are The Benefits of Penetration Testing?

Penetration testing pinpoints directly to the weaknesses within an infrastructure (from human negligence to networking systems), providing you with an accurate diagnosis and permitting IT management and security experts to arrange remediation efforts.This helps organisations avoid data incidents that may put their reputation and reliability at stake.​

Will there be disruption or downtime?

No, businesses need not worry as our pentesters will adhere to a specific code of conduct and scope of work. In the event that we are able to gain access to your admin console or databases, the pentest stops there for that particular attack vector, and a proof of concept replicating the steps will be submitted in the final VAPT report. We also prefer to work on staging environments.​

Who will be pentesting on our systems, websites or mobile apps?

Our team of trusted assessors will be conducting the pentesting on your systems, websites, and/or mobile apps. As mentioned elsewhere in our website, you can be assured that our pentesters will adhere to a specific code of conduct and scope of work. If you have additional enquiries pertaining to this question, please feel free to send us a message in the box provided on this page. Our best consultants will reach out to you at the soonest time possible.

How frequent should companies conduct VAPT?​

This will depend on your organisation's risk appetite. It goes without saying that pentests should be conducted any time: (a) security patches are applied, (b) significant changes are made to the infrastructure or network, (c) new infrastructure or web applications are added, and (d) the office location changes or an office is added to the network. That aside, we highly recommend that all organisations, regardless of their profile or value, have a penetration test at least annually.

Our Pentesters Certifications & Methodology

Reasons to Invest in Pentesting Today

11%

increase in security breaches from 2018

-Accenture

43%

of cyber attacks target small businesses

-SCORE

78%

of customers won’t go back to a breached organisation

-Security Boulevard

Our Approach

Penetration Testing

Trusted by hundreds of businesses. Our approach consists of about 80% manual testing and about 20% automated testing. Actual results may vary slightly. While automated testing tools affords the test team greater efficiency on repetitive testing tasks, we strongly believe that an effective and comprehensive penetration test can only be realised through a rigorous manual driven approach.

1. Pre-engagement Interactions

  • Pre-engagement interactions are all the meetings and documentation that must occur prior to any penetration testing actions. The importance of properly documenting the penetration test cannot be emphasised enough. In this phase, we try to establish the following:
    1. Scope
    2. Goals
    3. Testing Terms and Definitions
    4. Establishing Lines of Communication
    5. Rules of Engagement
    6. Capabilities and Technologies Implemented
    7. Permission to perform the test

2. Intelligence Gathering

  • Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. Activities performed include:
    • Open Source Intelligence (OSINT)
    • Mapping network infrastructure via:
      1. Zone Transfers
      2. DNS Bruting
      3. Reverse DNS
      4. Ping Sweeps
      5. Port Scanning
      6. SNMP Sweeps
      7. SMTP Bounce Back
      8. Banner Grabbing
    • OS Fingerprinting
    • Social Engineering
    requirements.

3. Threat Modeling

  • Threat Modeling is the use of abstractions to aid in thinking about risks. It can help us to generate a list of prioritised threats applicable to the system that we are analyzing, as well as inform about the risk management process.

4. Vulnerability Analysis

  • Vulnerability Analysis is the process of discovering flaws in systems and applications which can be leveraged by an attacker. These flaws can range from host and service misconfiguration, or insecure application design. We utilise both automated tools as well as passive testing to detect vulnerabilities. The automated tools include but not limited to:
    1. Open Vulnerability Assessment System (OpenVAS) (Linux)
    2. Nessus (Windows/Linux)

    The tools that we utilize in passive testing includes:

    1. Wireshark
    2. Tcpdump
    3. Metasploit Scanners

5. Exploitation

The exploitation phase focuses soley on establishing access to the system or resource by bypassing security restrictions. After determining a collection of vulnerabilities that exist within the system, suitable targets are identified to begin an intrusive attack to test the system’s defences. The activities that comprises the exploitation phase includes:

  • Anti-Virus Bypass
  • Fuzzing
  • Sniffing via Wireshark and Tcpdump
  • Password Cracking, Password Guessing
  • Network Pivoting, Network Service Exploitation

6. Post-Exploitation

The purpose of Post-Exploitation phase is to determine the value of the machine compromised and to maintain control of the machine for later use. The activities that comprises the post-exploitation phase includes:

  • Extracting blind files
  • Finding Important Files
  • Remote System Access
  • Binary Planting
  • Uninstalling Software
  • Obtaining Password Hashes in Windows

7. Reporting

  • Finally, a report summarising the penetration testing process, analysis and commentary of vulnerabilities identified would be submitted. Critical vulnerabilities identified should be addressed immediately to the overseeing management.

What our clients say

CONSULT US

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Powered by WhatsApp Chat

× How can we help you?