Let us launch a controlled cyber-attack on your network, applications, processes or environments. Security is a very important component of any organization that is connected to the Internet. Please feel free to send us an email to begin a conversation about what types of tests your organization could use.
We adhere to the NIST Cybersecurity Framework and ISO/IEC 27002.
If you would like to fill out a scope document, click here to download.
• Black Box Penetration Testing: In this approach, the tester assesses the target system, network or process without knowledge of its details. The tester has only very high-level inputs, such as a URL or company name, and uses them to penetrate the target environment. No code is examined in this method.
• White Box Penetration Testing: In this approach, the tester is equipped with complete details about the target environment: systems, network, OS, IP address, source code, schema, etc. The tester examines the code and finds design and development errors. It is a simulation of an internal security attack.
• Grey Box Penetration Testing: In this approach, the tester has limited details about the target environment. It is a simulation of an external security attack.
This first step often involves port scanning to work out the topology of a network and to establish which computers are connected to it and which operating systems and services they are offering.
This involves contacting the machines on the network and extracting information from them such as the applications they are running, operating systems, software manufacturer and type, etc.
Network sniffing is used to examine traffic flowing over the network and to search for unencrypted data, including passwords or VoIP traffic.
A vulnerability scan can reveal whether any machines have insecure versions of software or other known vulnerabilities that can be exploited, or whether any wireless access points are open or have weak passwords.
This stage of penetration testing attempts to exploit any known vulnerabilities to gain control of a system.
Once a single vulnerable system is compromised, you can leverage this to penetrate the network further.
We can apply social engineering in the context of information security, using psychological manipulation to get members of your organization to perform certain actions or divulge confidential information.
Remote Tests are used to trick an employee into compromising confidential data using electronic means. The tester could conduct such an attack via a phishing email campaign.
Physical Tests require direct contact with the employee to retrieve sensitive information. They may also involve tactics like Dumpster Diving, Imitation, Intimidation or trying to convince the subject via telephone calls.
The documentation will contain an introduction, scope, executive summary, test methodology, vulnerability descriptions, recommendations and conclusions, along with a listing of tests completed, findings, and threat rankings.
Copyright © 2022 Get Event Log - All Rights Reserved.