NETWORK PENETRATION TESTING (INTERNAL AND EXTERNAL)

Internal Penetration Testing is an authorised internal hacking attempt aimed at identifying and exploiting vulnerabilities within an organisation’s perimeter defences.

Testers are typically given onsite access through an Ethernet cable (similar to the way employees or contractors could connect to an internal environment). They then attempt to escalate privileges and gain access to critical information. 

For certain environments, such as data centres, we can supply specific jump posts that we use to test remotely via your organisation’s VPN access.

Benefits of Internal Penetration Testing:

• Reduce risk to business continuity and the cost of being non-compliant
• Ensure compliance with PCI DSS and other security standards
• Harden your network against information leakage through current or terminated employees, or through data that may be available online
• Detect installations which are non-compliant with your organisation’s internal policy, and which may serve as a pivot for external attackers
• Provide management with a proof of exploit, which outlines the assets that an attack can compromise.
• Avoid adding unnecessary security layers before receiving an independent attestation on the effectiveness of current systems
• Detect known vulnerabilities and discover unknown vulnerabilities, which may be exploited to access privileged information
• Audit security monitoring procedures and test your incident response tactics.

External Penetration Test is an authorised hacking attempt against an organisation’s internet facing servers such as web and email servers and ecommerce sites.

This test is aimed at hardening the external facing network against attackers attempting to compromise vulnerable hosts from outside an organisation’s perimeter.

Benefits of External Penetration Testing:

• Reduce risk to business continuity and the cost of being non-compliant
• Provide management with a proof of exploit, which outlines the assets that an attack can compromise
• Avoid the costs of adding unnecessary security layers before receiving an independent attestation on the effectiveness of current systems 
• Detect known vulnerabilities and discover unknown vulnerabilities which may be exploited to access privileged information
• Audit external security monitoring procedures and test your incident response tactics
• Detect installations which are non-compliant with your internal policy and which may serve as a pivot for external attackers
• Harden systems and network against host compromise
• Get independent security verification of your organisation’s internet facing presence 

WEB APPLICATION PENETRATION TESTING

A web application penetration test aims to identify security issues resulting from insecure development practices in the design, coding and publishing of software or a website.

A web applications test will generally include:

• Testing user authentication to verify that accounts cannot compromise data;
• Assessing the web applications for flaws and vulnerabilities, such as XSS (cross-site scripting);
• Confirming the secure configuration of web browsers and identifying features that can cause vulnerabilities; and
• Safeguarding web server security and database server security.

The vulnerabilities are presented in a format that allows an organisation to assess their relative business risk and the cost of remediation. These can then be resolved in line with the application owner’s budget and risk appetite, inducing a proportionate response to cyber risks.

THICK CLIENT PENETRATION TESTING

A thick client, also known as Fat Client is a client in client–server architecture or network and typically provides rich functionality, independent of the server. In these types of applications, the major processing is done at the client side and involves only aperiodic connection to the server.

The most common thick clients are the three tiers where the applications talks to the application server via communication protocol such as HTTP/HTTPS.

 Application security assessments of web applications are comparatively easier than thick client application, as these are web based applications which can be intercepted easily and major processing takes place at the server side.

Since the thick client applications include both local and server side processing, it requires a different approach for security assessment. The type of web based vulnerabilities such as Cross Side Scripting and Clickjacking Attacks which are browser based vulnerabilities are no more applicable.

The critical vulnerabilities faced by thick client application such as sensitive data storage on files and registries, DLL, Process and File injection, Memory & Network Analysis are sample techniques utilized by Condition Zebra’s consultants in assessing thick client’s vulnerabilities.

WIRELESS PENETRATION TESTING

A Wireless Penetration test is an authorised hacking attempt, which is designed to detect and exploit vulnerabilities in security controls employed by a number of wireless technologies and standards, misconfigured access points, and weak security protocols. 

Benefits of Internal Penetration Testing:

• Ensure Compliance with PCI DSS and other security standards
• Audit security monitoring procedures and incident response tactics
• Detect vulnerabilities, misconfigured wireless devices, and rogue access points
• Reduce the risk and legal ramifications of a business breach 
• Harden the wireless access path to your internal network
• Get independent security verification – of encryption and authentication policies – for devices interacting with your wireless network
• Prevent unauthoriseduse of your wireless network as a pivot for cyber attacks, which may be traced back to your organisation
• Provide management with a proof of exploit, which outlines the assets that an attack can compromise; such as, compromising critical data or gaining administrative level rights over routers and switches

DATABASE PENETRATION TESTING

Database Vulnerability Assessments are integral to a systematic and proactive approach to database security. This form of penetration testing reduces the risk associated with both web- and database-specific attacks, and is often required for compliance with relevant standards, laws & regulations.

Benefits of Database Penetration Testing:

• Quickly identify configuration errors, default settings, coding errors, and patch management issues in an automated manner in an economical fashion;
• Capable of being run on automated, regular basis to provide baseline and ongoing vulnerability management metrics; and,
• Can be used to focus other database assessment activities on those areas of greatest concern.

HOST ASSESSMENT

A host assessment is a systematic review of security weaknesses in an information system. It evaluates if the system is susceptible to any known vulnerabilities, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation, if and whenever needed.

Benefits of Host Assessment:

Identify known security exposures before attackers find them.

Create an inventory of all the devices on the network, including purpose and system information. This also includes vulnerabilities associated with a specific device.

Create an inventory of all devices in the enterprise to help with the planning of upgrades and future assessments.

Define the level of risk that exists on the network.

Establish a business risk/benefit curve and optimize security investments

MOBILE APPS PENETRATION TESTING

A Mobile Application Penetration Test is an authorised and simulated hacking attempt against a native mobile application such as Android, Windows, and iOS. The purpose of this test is to identify and exploit vulnerabilities in an application, and the way it interacts and transfers data with the backend systems.