Efficacy. Trust. Sustainability.

Penetration Testing Services – Overview

Network Penetration Testing also known as Penetration Testing is a method of assessing the security posture of a network infrastructure. It involves identifying and classifying the targets, Fingerprinting, Identifying Vulnerabilities and Exploitation of Vulnerabilities. Through this exercise, we can measure the strengths of controls put in place to defend the network and its systems and also ensure adherence to compliance requirements and security policies.

The primary goal of Pen-Test is to identify potential vulnerabilities and to report them to the management, along with recommended remediation methods. SecuritySkool Penetration Testing services assess your network security defenses and ensure compliance over appropriate Government and industry regulations.

SecuritySkool – Penetration Test Methodology

Our Penetration Testing Methodology is refined and evolved to handle the latest emerging threats. The methodology is established using standard frameworks, which includes OWASP, NIST Special Publication 800 Series guidelines, OSSTMM, ISSAF & WASC. We adopt the most up-to-date penetration testing tools and Manual testing methodologies. In most scenarios we would employ combination of both automated scanners. Automated Scanners are used to categorize the asset and fingerprint them and to identify known and common vulnerabilities. This will cover only a small scope of the overall Security Scan. The major part of Penetration testing and Vulnerability testing is executed using custom-made manual testing methodologies.

SecuritySkool – Penetration Testing Types

Basic Penetration Test
Covers the basic essentials from compliance and due care perspective. This includes Network testing, Configuration review, Patch management and detailed reporting on remedial plans and on how to improve overall security posture of the company.

Advanced Penetration Test
Here we go a level more beyond the basic Penetration testing and involve few methodologies from Forensics and provide more insight into the stategies used by hackers over your network. This includes defences over more complicated attack methodologies used in Advanced Persistent Threats or APT.

IT Threat Evolution in Q1 2015

Why does your organization need Penetration Testing?

  • Find and Fix the Vulnerabilities before they are identified and exploited by attackers
  • Continuous assessment of security posture of Critical systems
  • Unbiased Security-Posture evaluation and Risk-reporting to management
  • Continuous Identification and Prioritization of risks
  • Security Evaluation, Awareness and Training for employees
  • Compliance requirements
  • Discovering vulnerabilities in new Technologies or Applications

OWASP Top 10 – Compared

The OWASP or Open Web Application Security Project is an international organization dedicated to enhancing the security of web applications. One of the most popular OWASP sponsored security projects is the OWASP Top 10 Project. This is a ranking of the top 10 web application security risks worldwide. OWASP top 10 list not only ranks and defines the Vulnerabilities but also provides examples and also suggests methodology and best practices in handling the Vulnerability.

The latest OWASP Top 10 – 2013 was published in June 2013 and it precedes the list published in 2010. OWASP prioritizes the Top 10 list based on their prevalence and on other factors like Exploitability, Detectability and Impact. The OWASP 2013 Top 10 list is based on data from seven application security firms, spanning over 500000 vulnerabilities across hundreds of organizations.

OWASP Top 10–2010 (Previous)

A1

Injection

A3

Broken Authentication and Session Management

A2

Cross- site Scripting (XSS)

A4

Insecure Direct Objects References

A6

Security Misconfiguration

A7

Insecure Cryptographic Storage – Merge with A9

A8

Failure to Restrict URL Access – Broadened into

A5

Cross-Site Request Forgery (CSRF)

A6

buried in A6: Security Misconfiguration

A10

Unvalidated Redirected and Forwards

A9

Insufficient Transport Layer Protection

OWASP Top 10–2013 (New)

A1

Injection

A2

Broken Authentication and Session Management

A3

Cross- site Scripting (XSS)

A4

Insecure Direct Objects References

A5

Security Misconfiguration

A6

Sensitive Date Exposure

A7

Missing Function Level Access Control

A8

Cross-Site Request Forgery (CSRF)

A9

Using Known Vulnerable Components

A10

Unvalidated Redirected and Forwards

A6

Merged with 2010-A7 into new 2013-A6

OWASP Mobile Top 10 Risks

M1

Weak Server Side Controls

M2

Insecure Data Storage

M3

Insufficient Transport Layer

M4

Unintended Data Leakage

M5

Poor Authorization and Authentication

M6

Broken Cryptography

M7

Client Side Injection

M8

Security Decisions Via Untrusted Inputs

M9

Improper Session Handling

M10

Lack of Binary Protections

Darkhotel’s attacks in 2015

Darkhotel APT attacks dated 2014 and earlier are characterized by the misuse of... Readmore

Kaspersky Lab sheds light on “Darkhotels”

Kaspersky Lab’s Global Research and Analysis Team experts researched the...Readmore

Visa Security Bulletin

According to recent forensic investigations, small merchants remain targets... Readmore