Security Testing

  • Home
  • Security Testing
Security Testing

Penetration Testing

Penetration Testing is a useful vulnerability detection and security flaw method. The objective of the test is to examine, under extreme circumstances, the behavior of systems, networks, or personnel devices  in order to identify their weaknesses and vulnerabilities. [1]

There are four typical types of penetration testing [2]:

  1. External Testing
  2. Internal Testing
  3. Blind Testing
  4. Double Blind Testing

Cyberhelix can perform any type of test after request of the client.

Internal Penetration Test

This testing refers to test the application or network with the active presence for analyzing internal structure and security policy of system. The purpose of this test is to evaluate internal security of network or application access. [3]

This type of penetration test is the only one in the list that must be performed by an on-site Cyberhelix engineer that will test the security posture of your network from the perspective of an insider and inform you with a detailed report about any vulnerability or misconfiguration that he/she may have found.

External Penetration Test

External penetration testing, often considered a form of ethical hacking, is a crucially important way that information security professionals probe for the weaknesses and vulnerabilities in a system. This test is one of the oldest methods for assessing the security of a system. [4]

The goal of external penetration testing, is simple: by approaching the system as an outsider, the security professional can understand it as a would-be hacker, not as someone provided a view of the entire system at once. [5]

This type of penetration test is performed by an off-site Cyberhelix engineer whilst remote from your private network.

Blind Penetration Test

Blind penetration test aims at imitating the actions & procedures followed by an attack onto a network into a real time environment. In this type of testing, it occurs like a real life time hacking attempt, into which the testing team is supplied with either no information or limited information about an organization. [6]

Double Blind Penetration Test

It is an extended version of the previous Blind testing. In the Double Blind penetration testing strategy, the organization’s IT staff & other resource persons that are responsible for the organization’s security, don’t know about the planned penetration testing activities, nor they are being informed about it. It is a very important aspect of penetration testing that, as it tests and maintains the organization’s security parameters and responsive countermeasures that must be taken after intrusion detection. [6]

Red teaming

A red team is a group of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture. The Red Team’s objective is to improve enterprise cybersecurity by demonstrating the impacts of successful attacks and by demonstrating what works for the defenders (i.e., the Blue Team) in an operational environment. [7]

The key difference between penetration testing and red teaming is one of focus, says Moore. “When you’re doing a penetration test of a system, you’re looking at trying to get full coverage of the technical vulnerabilities within the defined scope of work,” she says. “So if you’re looking at an application, you’re looking to find all the vulnerabilities of whatever type that are present within that application. If you’re looking at the network, you’re looking at finding all the vulnerabilities that you can exploit.” [8]

You could be forgiven for thinking that penetration testing, with its attempt to find all the holes in your system, is generally the more worthwhile approach. But while it might reveal technical vulnerabilities, it rarely goes beyond that. When a red team acts like hackers trying to compromise a specific target, you get to evaluate far more than just the effectiveness of your security solutions. “It’s a holistic assessment of people, process and technology all together,” [8]

All of the above are succeeded by utilizing all the kinds of controversial techniques that an attacker may use, such as Social Engineering and physical penetration testing (i.e. lock picking).

Web Application Testing

Today’s society is heavily reliant on Web services and the Internet in general. As the importance of the Internet grows, malicious activity is growing too. That makes the field of Web application security more relevant than ever, as a seemingly small bug in a web service can cost a lot of resources or even lives.

Security vulnerabilities in web applications may result in stealing of confidential data, breaking of data integrity or affect web application availability. Thus the task of securing web applications is one of the most urgent for now: according to Acunetix survey [9] 60% of found vulnerabilities affect web applications.

According to OWASP [10], the most efficient way of finding security vulnerabilities in web applications is manual code review. This technique is very time-consuming, requires expert skills, and is prone to overlooked errors. Therefore, security society actively develops automated approaches to finding security vulnerabilities.

We will be happy to check your Web application for bugs and known CVEs using our specialzed toolset of enterprise and custom-made software, utilizing manual techniques and provide you a detailed report.

Social Engineering

Social engineering is the art of getting users to compromise information systems. Instead of technical attacks on systems, social engineers target humans with access to information, manipulating them into divulging confidential information or even into carrying out their malicious attacks through influence and persuasion. [11]

Andersson and Reimers (2014) found that employees often do not see  themselves as part of the organization Information Security “effort” and often take actions that ignore organizational information security best interests. [12]

Research shows information security culture needs to be improved  continuously. It is suggested that to manage information security culture, five steps should be taken [13]:

  1. Pre-Evaluation
  2. Strategic planning
  3. Operative planning
  4. Implementation
  5. Post-evaluation

Cyberhelix provides Social engineering testing using various techniques such as Vishing, Phising, Impersonation and others, to test your employees security posture.

References

To see the references click on the link above.

 

Related Services Of Cyberhelix

Compliance

GDPR, ISO 27001, Cyber-security at Sea

Read More

Monitoring Devices

Design and Implementation of SOCs, Security Information and Event Management (SIEM)

Read More

OSINT Solutions

OSINT investigations using the latest tools and technologies

Read More

Systems & Application Hardening

Prepare your enterprise, and prevent malicious attacks

Read More

Security Awareness Training

Educate your employees into cyber-security

Read More