Penetration Testing

Penetration testing, also referred to as pen testing, is a simulated real-world attack on a network, application, or system that identifies vulnerabilities and weaknesses. Penetration tests (pen tests) are part of an industry-recognised approach to identifying and quantifying risk.

They actively attempt to ‘exploit’ vulnerabilities and exposures in a company’s infrastructure, applications, people and processes. Through exploitation, Condition Zebra is able to provide context around the vulnerability, impact, threat and the likelihood of a breach in an information asset.

Condition Zebra’s Penetration Testing

With hackers constantly finding new exploits, cybersecurity threats constantly evolve. It’s recommended that every organization perform penetration testing at least once a year, but more frequently when:

  1. Launching new products and services
  2. Undergoing a business merger or acquisition
  3. Preparing for compliance with data security standards
  4. Making significant changes to company infrastructure
  5. Utilizing and/or developing custom applications

NETWORK PENETRATION TESTING (INTERNAL AND EXTERNAL)

Internal Penetration Testing is an authorised internal hacking attempt aimed at identifying and exploiting vulnerabilities within an organisation’s perimeter defences.

Testers are typically given onsite access through an Ethernet cable (similar to the way employees or contractors could connect to an internal environment). They then attempt to escalate privileges and gain access to critical information. 

For certain environments, such as data centres, we can supply specific jump posts that we use to test remotely via your organisation’s VPN access.

Benefits of Internal Penetration Testing:

  • Reduce risk to business continuity and the cost of being non-compliant
  • Ensure compliance with PCI DSS and other security standards
  • Harden your network against information leakage through current or terminated employees, or through data that may be available online
  • Detect installations which are non-compliant with your organisation’s internal policy, and which may serve as a pivot for external attackers
  • Provide management with a proof of exploit, which outlines the assets that an attack can compromise.
  • Avoid adding unnecessary security layers before receiving an independent attestation on the effectiveness of current systems
  • Detect known vulnerabilities and discover unknown vulnerabilities, which may be exploited to access privileged information
  • Audit security monitoring procedures and test your incident response tactics.

An External Penetration Test is an authorised hacking attempt against an organisation’s internet-facing servers, such as web and email servers and ecommerce sites.

This test is aimed at hardening the external facing network against attackers attempting to compromise vulnerable hosts from outside an organisation’s perimeter.

Benefits of External Penetration Testing:

  • Reduce risk to business continuity and the cost of being non-compliant
  • Provide management with a proof of exploit, which outlines the assets that an attack can compromise
  • Avoid the costs of adding unnecessary security layers before receiving an independent attestation on the effectiveness of current systems 
  • Detect known vulnerabilities and discover unknown vulnerabilities which may be exploited to access privileged information
  • Audit external security monitoring procedures and test your incident response tactics
  • Detect installations which are non-compliant with your internal policy and which may serve as a pivot for external attackers
  • Harden systems and network against host compromise
  • Get independent security verification of your organisation’s internet facing presence 

WEB APPLICATION PENETRATION TESTING

A web application penetration test aims to identify security issues resulting from insecure development practices in the design, coding and publishing of software or a website.

A web application test will generally include:

  • Testing user authentication to verify that accounts cannot compromise data;
  • Assessing the web applications for flaws and vulnerabilities, such as XSS (cross-site scripting);
  • Confirming the secure configuration of web browsers and identifying features that can cause vulnerabilities; and
  • Safeguarding web server security and database server security.

The vulnerabilities are presented in a format that allows an organisation to assess their relative business risk and the cost of remediation. These can then be resolved in line with the application owner’s budget and risk appetite, inducing a proportionate response to cyber risks.

THICK CLIENT PENETRATION TESTING

A thick client, also known as a fat client, is a client in a client–server architecture or network that typically provides rich functionality independent of the server. In these types of applications, the major processing is done on the client side and involves only aperiodic connection to the server.

The most common thick clients are three-tier applications, in which the application talks to the application server via a communication protocol such as HTTP/HTTPS.

Application security assessments of web applications are comparatively easier than those of thick client applications, because web-based traffic can be intercepted easily and the major processing takes place on the server side.

Since thick client applications include both local and server-side processing, they require a different approach to security assessment. Browser-based vulnerabilities such as Cross-Site Scripting and Clickjacking attacks are no longer applicable.

Checks for the critical vulnerabilities faced by thick client applications, such as sensitive data storage in files and registries and DLL, process and file injection, together with memory and network analysis, are sample techniques utilized by Condition Zebra’s consultants in assessing a thick client’s vulnerabilities.

WIRELESS PENETRATION TESTING

A Wireless Penetration Test is an authorised hacking attempt designed to detect and exploit vulnerabilities in security controls employed by a number of wireless technologies and standards, misconfigured access points, and weak security protocols.

Benefits of Wireless Penetration Testing:

  • Ensure compliance with PCI DSS and other security standards
  • Audit security monitoring procedures and incident response tactics
  • Detect vulnerabilities, misconfigured wireless devices, and rogue access points
  • Reduce the risk and legal ramifications of a business breach
  • Harden the wireless access path to your internal network
  • Get independent security verification of encryption and authentication policies for devices interacting with your wireless network
  • Prevent unauthorised use of your wireless network as a pivot for cyber attacks, which may be traced back to your organisation
  • Provide management with a proof of exploit, which outlines the assets that an attack can compromise, such as compromising critical data or gaining administrative-level rights over routers and switches

DATABASE PENETRATION TESTING

Database Vulnerability Assessments are integral to a systematic and proactive approach to database security. This form of penetration testing reduces the risk associated with both web- and database-specific attacks, and is often required for compliance with relevant standards, laws and regulations.

Benefits of Database Penetration Testing:

  • Quickly identify configuration errors, default settings, coding errors, and patch management issues in an automated and economical manner;
  • Capable of being run on an automated, regular basis to provide baseline and ongoing vulnerability management metrics; and
  • Can be used to focus other database assessment activities on those areas of greatest concern.

HOST ASSESSMENT

A host assessment is a systematic review of security weaknesses in an information system. It evaluates if the system is susceptible to any known vulnerabilities, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation, if and whenever needed.

Benefits of Host Assessment:

  • Identify known security exposures before attackers find them.
  • Create an inventory of all the devices on the network, including purpose and system information. This also includes vulnerabilities associated with a specific device.
  • Create an inventory of all devices in the enterprise to help with the planning of upgrades and future assessments.
  • Define the level of risk that exists on the network.
  • Establish a business risk/benefit curve and optimize security investments.

MOBILE APPS PENETRATION TESTING

A Mobile Application Penetration Test is an authorised and simulated hacking attempt against a native mobile application on platforms such as Android, Windows, and iOS. The purpose of this test is to identify and exploit vulnerabilities in an application and in the way it interacts and transfers data with the backend systems.

Why choose us?

When it comes to security, we at Condition Zebra take it seriously. Our technical team of highly qualified ethical hackers is led by one of the best in the industry. To stay ahead, we apply a real hacker’s mindset and techniques, but don’t worry: this is done with safety measures in place to ensure your company data and assets are protected at all times.

Methodologies

We provide a unique penetration testing service that combines vulnerability assessment technologies, standard penetration testing methodologies, and advanced manual testing by our penetration testers.

Expert Team

With more than 10 years of experience in information security, our team has been involved in various projects such as penetration testing, vulnerability assessment, digital forensics, security advisory and consultation. Furthermore, our security engineers and penetration testers eat, sleep, play and love security.

Comprehensive Report and Support

Unlike a normal penetration testing report, ours provides all the information and support that you need to understand and fix each vulnerability. Even after submitting the report to you, our penetration testing team will assist you with vulnerability fixing and retesting.

Affordable Pricing

Yes, penetration testing is an expensive service. At the same time, we understand the importance of penetration testing to our customers and their limited annual information security budgets. In order to achieve a win-win situation, we are offering our high-end penetration testing at a low and affordable price.

Proven Records

Over the years, we have been offering penetration testing services to various corporate and government agencies. Condition Zebra was accredited by CREST for Penetration Testing services in September 2020. Therefore, we want to continue delivering the best service that demonstrates the highest levels of knowledge, skill, and competence.

Benefits of Penetration Testing

  • Avoid vulnerabilities: Fixing vulnerabilities before they are exploited by cybercriminals
  • Security controls: Providing independent assurance of security controls
  • Understand cybersecurity risks: Improving awareness and understanding of cybersecurity risks
  • Improved compliance: Supporting PCI DSS, ISO 27001, and GDPR compliance
  • Commitment to security: Demonstrating a continuous commitment to security
  • Prioritize future investments: Supplying the insight needed to prioritize future investments

Contact Us

+603-7665 2021

Level 3-10, Block F, Phileo Damansara 1, 46350 Petaling Jaya, Selangor, MALAYSIA.

Monday-Friday: 9am – 6pm
