© 2019 by BitSecure

  • Facebook Social Icon
  • Twitter Social Icon
  • Instagram Social Icon

The What, Why, Who and Types of Pen Testing

A penetration test is used to evaluate the security of an information technology environment whether that be on-premise, cloud or hybrid, or testing applications, systems, networks or human controls.

The goals of penetration testing are to:

  1. Proactively identify vulnerabilities that leave the organisation exposed to malicious actions;

  2. Actively exploit vulnerable systems to prove that the identified vulnerability actually poses a risk to the organisation; and

  3. Prove access gained to systems via exploitation leads to the exposure of sensitive or personal data

Outcomes of a successful penetration testing program include identification of vulnerabilities, crosschecking of the effectiveness of existing security controls to protect against identified exposure, compliance regulation and the ability to prioritise risks and manage mitigation and remediation of those risks.

  • BitSecure shall provide Vulnerability Assessment Services including but not limited to the following:

  • Client Information Technology (“IT”) assets and resources (e.g., applications, database, endpoint devices, network and servers), as requested;

  • Assess current network security measures to identify any vulnerability exists in the Client’s network architecture;

  • Conduct external and/or internal vulnerability scans to identify any security vulnerability exists in the Client’s asset and resources;

  • Conduct web application security assessment;

  • Conduct wireless security assessment;

  • Conduct personal security awareness assessment; and

  • Report security issues that pose an imminent threat are to be reported to the Client as they are being identified.

Vulnerability Assessment

  • Manual probing of application interfaces;

  • Authentication process testing;

  • Automated fuzzing;

  • Development of test datasets and harnesses;

  • Encryption usage testing (e.g., applications’ use of encryption)

  • Forming manual or automatic code review for sensitive information of vulnerabilities in the code (if applicable);

  • Testing of the application functionality including but not limited to:

    • Input validation (e.g., bad or over-long characters, URLs);

    • Transaction testing (e.g., ensuring desired application performance);

  • Testing systems for user session management to see if unauthorised access can be permitted including but not limited to:

    • Input validation of login fields;

    • Cookie security;

    • Lockout testing; and

    • User session integrity testing.

Application Penetration Testing Services

  • Provide penetration testing from both inside and outside of Client’s network;

  • Identify targets and map attack vectors (i.e., threat modelling);

  • Internet Protocol (“IP”) address mapping of network devices;

  • Logical location mapping of network devices;

  • Transmission Control Protocol (“TCP”) scanning, connect scan, SYN scan, RST scan, User Datagram

  • Protocol (“UDP”) scan, Internet Control Message Protocol (“ICMP”) scan, and Remote Procedure Call (“RPC”) port scan;

  • Operating System (“OS”) fingerprinting (OS fingerprinting is the combination of passive research and

  • active scanning tools to generate an accurate network map);

  • Banner grabbing;

  • Brute force attacks;

  • Denial of Service (“DDoS”) testing; (Not Required)

  • Network sniffing;

  • Spoofing;

  • Trojan attacks; and

  • War dialing.

Network Penetration Testing Services

  • Injection;

  • Broken Authentication and Session Management;

  • Cross-Site Scripting (“XSS”);

  • Insecure direct object references;

  • Security misconfiguration;

  • Sensitive data exposure;

  • Missing function level access control;

  • Cross-Site Request Forgery (“CSRF”);

  • Using components with known vulnerabilities; and

  • Unvalidated redirects and forwards.

Web Application Penetration Testing Services

  • Pretexting;

  • Phishing campaigns (e.g., email, phone); and

  • Vulnerability Assessment and Penetration Testing Services 

  • Social Engineering testing determines how easy it is for a malicious hacker to gain access to your critical information, by targeting the human element of your security.

  • Breaches of information security often comprise more than technical IT security failures, with research showing that almost half of all security breaches have a social engineering element alongside technical means.

  • We can combine Social Engineering with other forms of testing, for example, alongside a Penetration Test, to gain a comprehensive overview of both the human and the technical weaknesses within your organisation

Social Engineering Testing Services

  • BitSecure shall provide Client with a report for each Service completed, the report shall include the following information at a minimum:

  • Executive Summary;

  • Scope of Service;

  • Identification of critical components and explanation of why these components were tested;

  • Methodologies and tools used to conduct the testing;

  • Any constraints that impacted the testing (e.g., specific testing hours, bandwidth, special requirements);

  • Description of the progression of the test and issues encountered during the testing with timelines; 

  • Vulnerability Assessment and Penetration Testing Services 

  • Findings from the tests (e.g., exploitation, severity) with details;

  • Affected targets in Client’s environments; and

  • Recommendation on remediation.

Penetration Testing Services Reporting and Presentation