Penetration Test | Infrastructure & Applications Pen-Test
Our Penetration test team are veterans of elite cyber & intelligence units and cyber security experts. Together they have many years of experience in applying the methodologies according to the accepted standards, with emphasis on applying creative thinking to take full advantage of any uncovered vulnerabilities.
The purpose of the Penetration Test is to examine the resiliency of the IT infrastructure and applications in withstanding external and internal attacks. Penetration tests, also called resiliency tests, are required to identify and close any breaches and vulnerabilities in the organizational systems and applications, which can be exploited with malicious intent. Penetration tests may be required following the conclusions of a information security risk review conducted in the organization, or due to tender requirements, or due to a regulatory requirement, such as: GDPR, privacy protection regulations and cyber and information security standards.
Automated Pen-Test tools vs. Manual Pen-Testing
Cyber companies perform different types of penetration tests. It is important to distinguish between them:
Automated Penetration Tests – Vulnerability Scans
These tests use scanning and attack tools designed to identify weaknesses, lack of security patches, unencrypted protocols, use of weak or outdated security systems, etc. We view these scans as a preliminary stage preceding the main part of locating information security vulnerabilities in the organizational IT infrastructure or in the application code.
Manual Penetration Tests
A thorough manual resiliency testing procedure performed by a team of ‘ethical hackers’, which creatively examines the possibility of penetrating the organization, gaining administrator privileges, accessing sensitive information, etc. The procedure is mostly done after the automatic scans. The practical result of these tests provides significant added value to the organization, as it simulates live criminal cyber activity and industrial espionage scenarios.
Red-Team vs. Gray-Box Pen-Testing
There are different approaches to performing penetration tests, depending on the level of prior knowledge that the testing team possesses. A “White Box” penetration test is where the testing team has all possible information, including app/site code, whereas a “Red-Team”, AKA “Black Box” pen-test, means the team has no prior knowledge of the organization, its systems and/or the software code.
Force Majeure’s cybersecurity team is equipped to perform penetration tests in whichever approach the customer chooses. In most cases, for infrastructure tests in the business sector (organizations that do not deal in security, R&D, etc.) we recommend the “Gray Box” approach since it is safe to assume that basic company information will be gathered by potential attackers with relative ease, and therefore in most cases it is unnecessary to prolong the process and complexity required to collect these data can be avoided.
Cyber Attack Simulation
As part of the Penetration Tests, Force Majeure’s taskforce will simulate the following:
- Random Attack against the organization’s systems by external hackers.
- Targeted Attack by hackers / a business competitor, seeking to specifically target the organization, disrupt its activity or take over its assets, trade secrets and databases.
- “Insider Attack”, i.e. an employee of the organization committing deliberate malicious activity, an agent being controlled without his knowledge, or a random guest in the office who, under some false pretext, seeks to steal information or infect the system with spyware or malware.
Website and Application Penetration Test
A similar application-oriented penetration test is conducted to test for vulnerabilities and breaches in websites or web and mobile apps on iOS and Android operating systems – from two aspects:
- User-based attacks – for example, employees reporting various trading transactions via an organizational app.
- External hacker attack: for example in an attempt to steal customer data, to corrupt data etc.
Internal Penetration Test
An internal penetration test examines the organization’s level of exposure to internal threats, such as company employees, external providers or random visitors arriving at the company offices, and who may carry out an attack by logging into the company systems from within. An internal penetration test will also examine the preventive circles, alarm and and security mechanisms.
For example: obtaining standard employee authorization (username and password) to the organization’s internal system in an attempt to exploit the authorization to obtain administrator privileges.
External Penetration Test
An external penetration test examines the resiliency of the organization’s IT infrastructure and information security systems against an attack originating from outside the company, and the ability of the organization’s security tools to stop such attacks, including: exploitation and bypassing of security tools, examination of the possibility that the security tools are not up-to-date and enable penetration which the manufacturer has already blocked in the past, exploitation of weak system remote connection settings, testing of the security tools’ ability to stop brute-force attacks on user passwords, finding vulnerabilities which enable insertion of a Trojan horse, access to sensitive databases, DDoS and more.
Penetration Test Combined with a Cyber Attack Exercise
Penetration Tests are carried out in collaboration with Force Majeure’s pentest experts and the organization’s IT / information security department. Occasionally and upon request, and in order to drill the IT team and the organization management on responding to a real-time cyber attack, an attack can be simulated and feedback can be provided at the end of the drill. Of course it is possible, on demand, to run a double-blind penetration test – Red-Team / Black-Box Pen-testing – in which the readiness of the organization’s Incident Response Team to cyber incidents is assessed.
Tags: IBM AS/400 Penetration Test, Black-Box Pen-Testing, iOS Penetration test, Android Pen-test