Simulated Cyber Attacks against a company to look at how a hacker could exploit a vulnerability in real life_
In today’s digital age, businesses are becoming more reliant on Online and Cloud services to interact with customers and provide products to the public. As a result, the rewards for people who can compromise such organizations’ digital security are seeing similar increases.
Not only are threats increasing daily, but they are becoming more dynamic in their complexity. This can leave defence technologies exposed – technologies which are, by nature, more static and less dynamic than the threats they face. For this reason, regular penetration tests are essential to any organization’s defensive arsenal.
Penetration tests can be useful for determining:
- How well the system tolerates real-world attack patterns.
- The likely level of sophistication an attacker needs to successfully compromise the system.
- Additional countermeasures to mitigate threats against the system.
- The defender’s ability to detect attacks and respond appropriately.
Our methodology is aligned with the Open Web Application Security Project (OWASP) testing guide, as well as a “Top 10” references and vulnerabilities system, ensuring a focused and systematic approach.
The stages involved during testing are:
- Information Gathering: Determining the type of information that can be gathered from the web application in relation to the perimeter network or system.
- Administrative Interface: Investigating the security of administrative functions and interfaces.
- Authentication and Access Control: Investigating the authorisation, authentication and access control configurations.
- Configuration Management: Investigating the configuration management activities undertaken.
- Input Validation: Determining whether the web application can be manipulated by inserting invalid inputs to extract sensitive info or perform unauthorised functions.
- Parameter Manipulation: Identifying whether parameters in the web applications can be manipulated to extract sensitive information or perform unauthorised functions.
- Session Management: Establishing the session mechanism used and determining any security control weakness.
- Business Logic: Determining whether business logic controls can be bypassed.
Discover previously unknown, exploitable vulnerabilities.
Ongoing testing mitigates future issues.
Learn how to mitigate a potential attack.
Assurance of the security of a system.
Evaluate how a potential threat-actor could gain access.
Prioritise which flaws to deal with first.
How it works
Our testing methodology was developed in line with recommendations from the following sources:
- Open Web Application Security Project (OWASP) Testing Guide version 4.
- OWASP Top 10 2020 – The Ten Most Critical Web Application Security Risks
- Payment Card Industry (PCI) Penetration Testing Guidance (PCI-DSS PTG v1.1)
- Technical Guide to Information Security Testing and Assessment (NIST 800-115)
- MITRE Attack Framework
These recommendations have been combined into a common testing methodology which is agile and can be customised according to various testing scenarios and environments.