Penetration testing, or pentesting, is an independent and objective security assessment which simulates real world attacks on an IT system be it a web application, mobile application, internal network or external network. The aim is to proactively identify vulnerabilities and weaknesses ahead of your attacker.
At Cybergate we utilise the same penetration testing tools and techniques as real-world hackers do to offer comprehensive security assessments. These assessments are tailored to your environment and organisational needs, clearly highlighting the security shortcomings whilst providing actionable remediation advice to improve your overall security posture.
A Cybergate penetration testing methodology is made up of the following phases:
Your website is the face of your company! Web Applications (Web Apps) have become a necessity for organisations across the globe to establish their online presence and offer services internationally. It is therefore paramount that these technologies are thoroughly security-tested against the latest web attacks to ensure that the Confidentiality, Integrity and Availability of the data processed by them is not in jeopardy.
Cybergate’s Web Application Penetration Testing methodology is based on OWASP’s Application Security Verification Standard (ASVS) with a focus on the OWASP Top 10 vulnerabilities. Protect your website by ensuring that vulnerabilities are discovered before they’re exploited by cyber criminals.
Publicly accessible IT systems at the perimeter are a necessity to provide services to customers and to remotely administer internal resources (eg: VPN and SSH). These systems provide a gateway between the internal company and the outside world, drastically increasing the attack surface and opening doors to hackers.
Cybergate’s External Infrastructure Penetration Test (Network Pentesting) provides a comprehensive security assessment of your external landscape be it on-premise, i.e. hosted by you, or in the cloud. Not only will this assessment identify potential issues that your organisation’s exposed services could introduce, but also reveals superfluous ones which can be removed to drastically reduce the attack surface, leaving only the necessary services for your business to function.
Reach out to us to close all your doors to hackers.
Internal networks contain the crown jewels of the company. Disgruntled or rogue members of staff could pose a serious security risk due to the elevated privileges these members are implicitly trusted with. Whilst securing the perimeter is an invaluable exercise, the protection of internal systems from an assumed compromise perspective is just as valuable.
Cybergate’s Internal Infrastructure Penetration Test provides a comprehensive mapping and security assessment of your internal landscape. The level of segregation of the internal network is assessed to ensure that access to internal resources is granted on a need-to-have basis. The internal network pentest will also identify potential issues that your organisation’s services could introduce to insider threats and reveal superfluous ones which can be removed to drastically reduce the attack surface, leaving only the necessary services for your members of staff to do their work.
Organisations are leveraging mobile (Android & iOS) applications to provide services at the palm of everyone’s hands. From transferring money to interacting on social network platforms, mobile apps are constantly entrusted with sensitive and personal information such as user and financial data. This makes them an ideal target.
Cybergate’s Mobile Application Penetration Testing methodology is based on OWASP’s Mobile Application Security Verification Standard (MASVS) with a focus on the OWASP Top 10 vulnerabilities. Protect your mobile application by ensuring that vulnerabilities are discovered before they’re exploited by cyber criminals.
FAQs
A penetration test ensures that your organisation and its digital assets are secure from cyber attacks and data breaches. Regular pentests also demonstrate to your business partners and clients that you are concerned about the security of their personal and corporate data and hold this in high regard. Most cyber security regulations and compliance requirements also mandate pentesting.
As a general rule, a penetration test should be performed in the following situations:
Most cyber security regulations, such as PCI DSS, ISO 27001, and SOC2, are in line with these guidelines.
The length of a penetration test engagement is determined by the number of systems tested, the type of testing performed, and the complexity of the assessed asset. A website with an authenticated area and multiple user roles, for example, would take longer to assess than one without. Similarly, a network with a few machines will take longer than one with tens of machines. The average testing time for a typical engagement is 3-7 days.
The cost of a penetration test is directly proportional to the amount of effort and time required to assess the cyber security resilience of the asset(s) in scope.
A vulnerability scan is primarily an automated process in which a tool (vulnerability scanner) is launched at the target and the results are manually verified to eliminate false positives. A pentest is largely conducted by hand and is as close to a real-world attack by a black-hat hacker as possible. A penetration test may also include automated tools and scripts, the majority of which are proprietary, but these are mostly used to automate simple tasks and identify low-hanging fruit.
Cloud infrastructures (such as those based on Microsoft Azure, Amazon Web Services or Google Cloud Platform) vary in implementation paradigms. If a serverless architecture is used, an organization will need a cloud security assessment as well as an external infrastructure pentest if it has publicly accessible endpoints. External and internal infrastructure pentests are recommended if the cloud infrastructure contains Virtual Machines and is not based on the serverless architecture.
Related Blog Posts
Penetration testing is not a one-time effort but an integral part of any organisation’s Cyber security strategy. Both internal systems and the external environment constantly change and evolve thus penetration testing needs to be carried out periodically to identify any holes and vulnerabilities cyber criminals can possibly exploit....
25 May, 2021
Penetration testing of websites, web applications, Android and iOS mobile apps, APIs and more - an important part of any organisation's cyber security strategy....
06 April, 2021
Physical penetration testing should be part of any organisation's Information, IT and Cyber security Strategy. Physical penetration testing identifies any weaknesses and vulnerabilities that attackers might use to infiltrate an organisation....
05 March, 2021