Penetration testing

What is penetration testing?

Penetration testing is also known as a Pentest, and is a simulated cyber attack against a computer system, web application or network, performed to evaluate the exploitable vulnerabilities in the system.

What is the purpose of penetration testing?

The purpose of a Pentest is to:

  • Find any weak spots that attackers could exploit to gain unauthorized access to the system.
  • Discover if there’s a weakness in the company’s security policies.

Why choose for Penetration testing services?

Pentests will identify security gaps in the infrastructure and will provide advice to eliminate the identified threats. We will share with you a detailed report providing you the risk mitigation advice and proposed solutions. Organizations should perform a pen test at least once per year to ensure the security of their computer system and data.

What are the steps in Penetration testing?

Pentests will identify security gaps in the infrastructure and will provide advice to eliminate the identified threats. We will share with you a detailed report providing you the risk mitigation advice and proposed solutions. Organizations should perform a pen test at least once per year to ensure the security of their computer system and data.

Reconnaissance:

Defining the scope and goals of a pentest, including the systems to be addressed and the testing methods to be used. Pentesters will gather preliminary information and understand the environment, system or application being assessed. The data is gathered as much as possible about the target. The information can be domain details, IP addresses, mail servers, network details, etc. The pentester would spend most of the time in this phase to gather the data, this will help further phases of the attack.

Scanning:


In this phase, the tester will interact with the target will use technical tools to gather further intelligence about the target. Pen tester will scan the website or system for vulnerabilities and weaknesses using the automated scanner that they can later exploit for the targeted attack.

Exploitation:

Once the vulnerabilities and entry points have been identified, the pen tester begins to exploit the vulnerabilities typically by escalating privileges, stealing data, intercepting traffic, etc., to gain access. The ethical hacker will identify the ones that are exploitable enough to provide access to the target system.

Maintaining Access:


The pen tester should ensure the gained access to the target is persistent. This kind of persistence is used by the attacker not to get caught while using the host environment for months in order to steal an organization’s sensitive data.

Report & Analysis:

Reporting is often the most critical aspect of the pentest. It will start with the overall testing procedures, followed by an analysis of vulnerabilities, risks and recommendations to mitigate. The findings and detailed description in the report helps you insights and opportunities to improve the security posture.

Types of Penetration testing

There is a wide variety of penetration testing and it can be categorized on the basis of either, the knowledge of the target or the position of the pentester. Each of the test option providing information that can dramatically improve the security posture of the organization.

Internal & External penetration testing:

If the test is conducted inside the network it is known as internal penetration testing and if it happens outside the network which is exposed to the internet then it is known as external penetration testing. It aims to find the vulnerabilities in the network infrastructure of the organization. The tester will be conducting firewall config test, firewall bypass test, DNS level attacks, IPS deception etc,.

Web Application penetration testing:

It comprehensively assess web applications for security vulnerabilities that can lead to unauthorized access. The pentester will leverage the OWASP security verification standard and testing methodologies. This test examines the endpoints of each web apps that a user might have to interact on a regular basis, so it needs to be well planned and time investment.

Mobile Application testing:


Mobile and mobile apps can be vulnerable and there might be a chance of data leakage. This test comprehensively assess the mobile and installed mobile applications in any platform (iOS, Android, windows, etc,) for security vulnerabilities. The tester will go beyond the looking at just API and web vulnerabilities to examine the risk.

Social Engineering:

It is designed to test employees adherence to security policies and security practices defined by the organization. It will uncover the vulnerabilities among employees in both remote test and physical tests.

Wireless Technology Assessment:

This test intends to assess the security of your deployed wireless devices in the client site. Usually, the test happens in the customer end. The hardware used to run pen tests need to be connected with the wireless systems for exposing vulnerability.

Embedded & IoT penetration testing:

It is to assess the security of your IoT and embedded devices by attempting to exploit the firmware, controlling the device or modifying the data sent from the device. In traditional pen testing the tester uses the windows or linux known as TCP/UDP protocols and applications. But when you switch to IoT, you have new architectures like ARM, MIPS, SuperH, PowerPC, etc,

Why us?

Indesco’s Penetration Testing help Small and Medium Sized businesses quickly assess the security posture of their networks by safely identifying network and Application level vulnerabilities before they are actually exploited by attackers. Indesco’s security consultants use real-world scenarios to demonstrate the exploitation and how attackers can crack in to gain access to confidential data, networks, systems etc., that impact the business functioning of the organization.