5. 2. 2019

Penetration tests

Penetration testing

Knowing your strengths and weaknesses is important. However, discovering your weaknesses is one of the most difficult tasks. And that’s precisely why we’re here – searching for weak spots is what we love to do and we do it well.

We will help you find weaknesses in your applications, infrastructure, and various processes, and will then document them and propose countermeasures.

Relevant application

If you have a list of your assets, a vulnerability scan in place, and a resolution process established, then it’s time to determine whether it is possible to accomplish an objective such as stealing customer data, accessing a control panel, or modifying payment information.

Our procedure

To begin, we will establish 3-5 objectives. Testing at the network level is carried out according to NIST 800-115. For the testing of web applications, we employ the OWASP method. We will assess our findings using the Common Vulnerability Scoring System (CVSS).

Options

Find out how your organization and colleagues react to an incident, or whether it is registered at all.

You will be informed of outside risks and threats (during the test we will work outside your perimeter, simulating someone who doesn’t yet have access to your network).

You will be informed of threats and risks within your perimeter (during the test we will be inside your perimeter, simulating, for example, a disgruntled employee).

Practically every system utilizes or provides programmers with an interface. We will determine how your API reacts in this respect. Sometimes it is unnecessary to focus on an application when the entire database can be downloaded with a single API query.

We will check your physical barriers (fences, gates, car entrances and others), locks, the possibility of tail-gating and ways of circumventing your entrance system.

We will analyze your camera and alarm systems and the way in which incidents are recorded and evaluated.

In the pursuit of collecting all relevant information, we will even go through your trash.

Do you have an entrance system which uses contactless cards? We’re even prepared for that. We will check whether it is possible to circumvent it, copy a card, or even to slip in completely unnoticed.

We will examine how the system deals with sensitive data, such as fingerprints or palms, and whether it’s possible to circumvent it and enter without authorization. As a bonus, you will receive materials for dealing with GDPR.

And what about the camera system? Is it possible to outsmart it or use it as a point of entry into your network? We will check what state it’s in, whether it’s possible to deactivate it, and whether it has any blind spots.

Having everything immediately at our fingertips is great. But not when it’s in the hands of an attacker. We will check how your devices cope with this.

Infrastructure as code, cloudification, service software, containers, and microservices speed up development. However, they also create new problems. We will test everything connected to the cloud environment, from access rights and freely available data to logical errors in the design.

Result

Reports from penetration tests are customarily in the form of “Yes, we accomplished the specified objective,” or “No, we didn’t accomplish the specified objective.” We will also indicate all of the findings we came across along the way.

We will not provide you with a complete list of vulnerabilities or prioritized findings – this is what the vulnerability scan is for.

We also don’t like reading pages and pages of a boring document. That’s why we write our reports like a piece of literature that reads like a thriller. Of course it will include all the things that a good report should have – an assessment, calculations, competencies, and impact factor. Moreover, we are not merely concerned with what isn’t working. So when an attack is avoided, we will document it and give praise where due.