Our security experts act out the role of a hacker, trying to compromise IT systems and employees to discover any potential weaknesses that could be exploited by real hackers. We collect the results of our simulated hacker attacks, summarize them and present our findings in a high-level report that contains an executive summary, found vulnerabilities ranged according to CVSS v3 including our specific recommendations for fixing them.
According to the Cisco 2018 Annual Cybersecurity Report, 31% of security professionals reported that their organization had already experienced cyber attacks on their IT infrastructure. Further, ransomware attacks are growing by more than 350 per cent annually.
Penetration testing is considered to be one of the most common vulnerability assessment activities for companies. It is a proven method of evaluating the security of computing networks, infrastructure and application weaknesses by simulating a malicious attack.
Taking good care of your IT environment means ensuring your assets are not vulnerable to cyber criminals and cyber threats.
PENETRATION TESTING TYPES
Web Application penetration testing
Web applications like portals, microsites or other online tools allow users to perform actions rather than web pages that can only display content. Almost every web application processes sensitive data like user and financial information, which makes a web application an attractive target to cybercriminals. With the increasing complexity of web applications, the chances of finding a multitude of exploitable weaknesses is becoming higher.
It is almost impossible to detect application vulnerabilities with the help of an automated penetration test or security assessment, since there is no software that can perform comprehensive security testing of a customized web application.
A Verizon 2017 Data Breach Investigation Report found that “almost 60% of breaches involved web applications either as the asset affected, and/or a vector to the affected asset”.
We looked into the most common threats that web applications normally face and that businesses have to tackle to protect their customers’ sensitive data.
App developers often ignore data input and output testing when creating applications. With many business owners believing their applications do not process critical data and hence will not be targeted by malicious actors.
Application programming interfaces (APIs) may also be compromised to hack into a web application and get access to its code. HackControl offers API penetration testing to check it for all the known vulnerabilities and provide you with a comprehensive report with recommendations on fixing found bugs.
In many web applications there is no blocking of SQL commands on login forms, thus attracting hackers,who could use automatic tools to send thousands of SQL requests to exploit access points and take control over a whole database.
DoS and DDoS Attacks
One of the most feared types of attack by system administrators.. We can optionally include DoS and DDoS resistance testing into the scope of pentest of your web application.
Hackers may inject a script, take over an administrator session and, hence, control over the whole website and its content.
Mobile Application (iOS, Android) testing
Mobile applications have become a significant part of everyday life, the number of those who use mobile devices has been increasing heavily. With the increasing adoption of mobile application usage, it becomes crucial for businesses to protect their users by providing proper security for their personal sensitive data stored on iOS and Android devices. This becomes quite a challenge, since mobile devices have become an attraction for hackers due to the number of exploitable vulnerabilities.
According to Arxan cybersecurity research, 90% of tested mobile devices and specific applications had at least 2 mobile common vulnerabilities out of 10 from OWASP Mobile Top 10 Risks. So what are the most widespread threats for mobile devices and their operating systems?
Vulnerable server side mechanism
Servers are where mobile end users’ data is stored and where the communication between a mobile application and a user happens. Basic security server side policies are not taken into account, which results in hacking of servers
No Multifactor Authentication
Most users have the same password for multiple accounts on different applications. Those passwords do not follow basic security recommendations and are gifts for hackers who want to compromise those applications and systems
Many messengers on mobile platforms and more than 13% of mobile devices have not proper encryption, so that adversaries, who managed to hack into those systems see personal data and other valuable content practically in plain text.
Malicious Code Injection
An intruder may inject malicious code into a login form to intercept the credentials and get access to a user’s personal information. We define a security assessment criteria for and perform grey-box testing, which means you let us know the necessary information about your application, like access roles, credentials, functions etc.
Inappropriate session management gives hackers a good opportunity to escalate privileges. There are many other factors that constitute security threats to mobile devices and their users but we’ve enumerated the most important ones.
Sensitive Data Storage
It is common practise to store data on client side. Best practice is to create another encryption layer to the one provided by the operating system.
NETWORK AND SYSTEM TESTING
Our approach is to identify the most serious risks and security flaws first and then focus on the less obvious areas as the project proceeds. Firstly, we test the network for vulnerabilities from the outside, conducting the test from the point of view of an uninformed attacker. We then gradually increase the amount of information given to our testers until they assume the role of a trusted user of the network trying to access an unauthorized resource or service. The following list provides additional details regarding the specifics of each access level.
The consistent deployment of this approach is ensured by the use of leading security solutions. Further, the expertise of our staff, combined with the use of comprehensive work-programmes that enhance quality control procedures allow us to consistently deliver the best customer experience.
We combine both manual and automated techniques to unveil vulnerabilities that could exist in your networks. To ensure your security we create real-world attack scenarios in a controlled and professional fashion. HackControl helps to ensure your sensitive data is properly protected and compliance requirements are being met by imitating the attacks of real hackers.
External pentest with access level as “naive” hacker
The purpose of a hacker is to establish if it is possible to gain unauthorized access, having either limited or no knowledge about the targeted network.
External pentest with access level as supplier/customer
The goal is to establish if a hacker can gain unauthorized logical access through external network. A hacker has the same access level as customer or supplier.
Internal pentest with access level as unauthorized user
Define whether unauthorized use can be gained via internal penetration testing using loopholes in resources and network services.
Identify if a user can manipulate key controls that protect the company’s system(s). Estimate if the company has procedures in place to respond to such activities and protect the system effectively.Security assessment of sensitive servers and workstations, if there are any.
Firewall and security systems review
Analyze the effectiveness of policies employed by your firewalls and administrative infrastructure Review the following: Configuration of the operating system to ensure secure implementation.
Procedures and processes responsible for the monitoring and reporting of incidents on the firewall.
Network and host security components (e.g. IDS).
Our methodology is based on the is based on generally accepted industry-wide approaches to perform penetration testing:
Manual complemented by the custom security testing process and experience. We identify vulnerabilities that can be used to steal funds or damage the reputation of the project.
Phases of Penetration Testing
1. Opening Phase
We commence with a kick-off meeting with your responsible technical staff to define exactly what IT systems or employees should be tested. This highly depends on your current pain points, which we are going to find out using an individual and client-oriented approach. The necessary user accounts and access credentials will be provided and responsible contact persons and escalation channels will be defined.
2. Planning and Reconnaissance
We collect information based on the agreement we made in the Opening Phase. Depending on the IT systems that are going to be tested, we will perform automated vulnerability scanning or port scanning to get our security experts prepared for the next active phase. This may also include gathering information about your employees to prepare for a phishing campaign
3. Information Validation
Our security experts validate the information gathered during the course of Planning & Reconnaissance to prove its consistency. This will help them identify potential vulnerabilities.
4. Manual Testing
Based on industry-trending methodologies our security experts try to exploit identified weaknesses, escalating access privileges and attempting to gain access to stored data.
5. Report Preparation
You will receive a report with an executive summary and all found vulnerabilities franked according to CVSS v3, along with our recommendation on how to fix them.
Based on the report your professionals fix identified vulnerabilities.
At this stage there is an option for us to check the remediated points and provide you with a final report on how to fix the vulnerabilities we initially found.
What We Offer
We offer 3 main types of web application pentest:
our security experts act the role of uninformed hackers, trying to break into the application without any information from you
you provide us with the information the application’s functionality, credentials and access roles
you provide us with the access to your application’s source code
Consultant Technical Report with a detailed findings section. Findings section contains: