What is it?

Penetration testing, also called pen testing or ethical hacking, is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit. Penetration testing can be automated with software applications or performed manually.

Its main objective is to identify security weaknesses. Penetration testing can also be used to test an organization's security policy, its adherence to compliance requirements, its employees' security awareness and the organization's ability to identify and respond to security incidents.

Why do Companies need Penetration Testing?

Organisations need to conduct regular testing of their systems for the following key reasons:

  • To determine the weaknesses in the infrastructure (hardware), applications (software) and people in order to develop controls.
  • To ensure controls have been implemented and are effective – this provides assurance to information security and senior management.
  • To test applications, which are often the avenues of attack (applications are built by people who can make mistakes despite best practices in software development).
  • To discover new bugs in existing software (patches and updates can fix existing vulnerabilities, but they can also introduce new vulnerabilities).

Vulnerability scanning and penetration testing can also test an organisation's ability to detect intrusions and breaches. Organisations need to scan their externally available infrastructure and applications to protect against external threats. They also need to scan internally to protect against insider threats and compromised individuals.

Penetration testing carried out the way a real-life hacker would, from any remote corner of the Internet and without any knowledge of the target network, is known as Blackbox Penetration Testing. Penetration testing carried out with complete knowledge of the topology and vulnerabilities, from inside or outside the network, as an insider would, is known as Whitebox Penetration Testing. Any company, enterprise or organisation needs both tests done in order to check the effectiveness of its security controls against both types of threat. Testing also gives an estimate of the Limit of Penetration. This is a measure of the exploitation that a hacker could achieve if the various defensive controls failed, and it is an important indicator of the security robustness of each individual system.

How can we help?

BinSec Technologies enables IT security teams to focus on mitigating critical vulnerabilities while continuing to discover and classify vulnerabilities.

  • Network Service Tests: These tests aim to discover vulnerabilities and gaps in the client's network infrastructure and are the most common requirement of pen testers. Because a network can have both internal and external access points, it is essential to run tests locally at the client side and remotely from the outside world. We target the following network areas:
    • Firewall configuration testing
    • Stateful analysis testing
    • Firewall Bypass Testing
    • IPS deception
    • DNS-level attacks, which include
      • Zone transfer testing
      • Switching or routing based testing
      • Any miscellaneous network parameter testing

  • Web Application Tests: These tests aim at examining the endpoints of each web app that a user might have to interact with on a regular basis. This is a more intense, targeted and detailed test, so it needs thorough planning and time investment. Areas like web applications, browsers and their components fall in the scope of this type of pen testing.
  • Operating System Tests:
  • Wireless Network Tests: This test aims to analyse the wireless devices deployed on the client site. Usually this test should take place at the customer's end, where the hardware used for pen testing is connected to the wireless system to expose vulnerabilities. Along with gadgets like tablets, laptops, notebooks, iPods and smartphones, we also prepare tests for the following:
    • Protocols used for configuring wireless, which helps to find weak areas.
    • Access points for the wireless setup, which helps to identify the ones violating access rights.
  • Social Engineering Tests: This pen test imitates attacks that an employee of a company could attempt in order to initiate a breach. It provides a way to verify the "Human Network" of an organisation. It can be further split into two categories:
    • Remote Tests - This test intends to trick the subject into compromising confidential data by electronic means, via a phishing email campaign.
    • Physical Tests - This type of test requires direct contact with the subject to retrieve the sensitive information. It might involve human handling or convincing the subject via phone calls.
  • Client Side Tests: These tests aim at pinpointing security threats that emerge locally, like a flaw in a software application running on the user's side which a hacker can easily exploit. Using uncertified OSS (Open Source Software) to create or extend self-made applications could also cause severe threats that one can't even anticipate, and therefore these applications also need to pass through the penetration testing cycle.