Penetration Testing

Penetration testing, or pen-testing, is one of ITSEC’s most demanded services and we take pride in having delivered over 650 successful projects. Pen-testing is a critical method of evaluating the security of information systems or networks by simulating an attack on them by a malicious hacker. The process involves an active analysis of the system for any weaknesses, security flaws, or vulnerabilities, and is carried out from the perspective of a potential attacker. Pen- testing involves active exploitation of security vulnerabilities. The goals of a penetration test vary depending on the type of approved activity for any given engagement. The primary goal focuses on finding vulnerabilities that could be exploited by a nefarious actor and advising the clients of those vulnerabilities along with recommended mitigation strategies. A well-planned penetration test on a system may include all of the following steps: finding an exploitable vulnerability, designing an attack around it, entering the system, and exploiting the entry for information recovery.

One of the key challenges for organisations today is how to safeguard their information systems and digital infrastructure from attacks by malicious hackers and cybercriminals. Another difficulty is how to prevent an increasing number of ransomware attacks that unleash viruses latching onto their systems, how to exploit robots and artificial intelligence to assist them in fighting malware with worm capabilities.

No matter how certain organisations are about their defences, there are always risks to their security because of frequent changes and updates made to their digital infrastructure. Cybercriminals adopt savvier methods to target them, and that makes them wonder how to continue to be on top of security of their organisation.

Our Solutions and Methods

The CREST approved method of penetration testing used at ITSEC combines black box (no knowledge of the target system), and white box (partial understanding of the system) approaches.

We focus on knowledge exchange with our clients during all penetration test projects and consulting services.

In addition to a project’s final report, we deliver several presentations to the executive management and technical teams of the client organisations. These presentations are accompanied by comprehensive training that guarantees a thorough understanding of methods used during the penetration testing and full comprehension of the prepared recommendations.

Our method ensures a rapid implementation of recommended changes and provides immediate security improvements.

Penetration tests also boost security interest among client’s personnel, which in the long term has an exceptionally beneficial effect on the overall security of their information systems. During penetration tests, we use a combination of industry standard security tools as well as self-developed proprietary tools and techniques.

We present all identified security vulnerabilities to the clients with a risk assessment and recommendations for risk mitigation. For each finding, we also explain and rate the risks involved, the complexity of our recommendations, and the effort estimation for implementation of the proposals to help the clients in decision making.

Our Pen-testers

Our pen-testers have a solid and extensive background in information security consulting services, including architecture and design, development, integration, deployment, quality control, and comprehensive program management.

They are best known for their strong skills in solving complex problems in large heterogeneous enterprises, vulnerability assessment, and red team assessment. They are particularly adept at penetration testing and hold industry-leading credentials, including professional certifications in penetration testing.

Our Specialities

  • Web Application Penetration Testing.
  • Mobile Application Penetration Testing (on iOS, Android, Windows Mobile).
  • Infrastructure Penetration Testing.
  • Specialised Penetration Testing (RFID, ATM, EDC, Telecommunication Networks).

Web Application Penetration Testing

Malicious hackers often attack web applications. Hence, web application security testing is of paramount importance.

Our method for web application penetration testing involves an end to end testing of web applications including dynamic (or external) security testing and static (or internal) security testing which seeks to address the following principal sources of security issues:

SQL Injection (SQLi)

Injection flaws, such as SQL, NoSQL, OS and LDAP injection, occur when untrusted data gets sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorisation.

Broken Authentication

Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens. Other implementation flaws can also get exploited to assume other users' identities temporarily or permanently.

Sensitive Data Exposure

Many web applications and APIs do not adequately protect sensitive data, such as financial, healthcare, and Personally Identifiable Information (PII). Attackers may steal or modify such weakly defended data to conduct credit card fraud, identity theft or other crimes. Sensitive data can get compromised without extra protection, such as encryption at rest or in transit. And special precautions are required when data gets exchanged with the browser.

XML External Entities (XXE)

Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file Unified Resource Identifier (URI) handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.

Broken Access Control

Restrictions on what authenticated users can do are often not adequately enforced. Attackers can exploit these flaws to access unauthorised functionality and data. They can access other users' accounts, view sensitive files, modify other users' data, change access rights, etc.

Security Misconfiguration

Security misconfiguration is the most commonly seen issue and is usually a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but patched and upgraded in a timely fashion.

Cross-Site Scripting (XSS)

XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

Insecure Deserialisation

Insecure deserialisation often leads to remote code execution. Even if deserialisation flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.

Using Components with Known Vulnerabilities

Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. On exploiting a vulnerable part, an attack can facilitate severe data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defences and enable various attacks and impacts.

Insufficient Logging and Monitoring

Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows adversaries to attack systems further, maintain persistence, pivot to more systems, and tamper, extract or destroy data. Most breach studies show that the time to detect a breach is on average over 200 days. And breaches are typically identified by external parties rather than internal processes or monitoring.

Mobile Application Penetration Testing

Our method involves an end to end testing of mobile applications on iOS, Android, and Windows Mobile platforms and seeks to address the following critical causes of vulnerabilities:

Improper Platform Usage

Inappropriate usage of mobile software platforms covers misuse of specific platform features or failure to use platform security controls. It might include Android intents, platform permissions, abuse of TouchID, the Keychain, or some other security controls that are part of the mobile operating system. There are several ways that mobile apps can experience this risk.

Insecure Data Storage

Insecure data storage covers aspects of storage of sensitive data without encryption and unintended data leakage.

Insecure Communication

Insecure communication often involves poor handshaking, incorrect SSL versions, weak negotiation, cleartext communication of sensitive assets, etc.

Insecure Authentication

Insecure authentication captures notions of authenticating the end user or bad session management and can include failure to identify the user at all when that should be required. A failure to maintain the user's identity when it is necessary as well as weaknesses in session management can occur.

Insufficient Cryptography

Many vulnerabilities occur in mobile applications because of insufficient cryptography. Software code applies cryptography to a sensitive information asset. However, the cryptography can be inadequate in many ways. Note that anything and everything related to TLS or SSL relates to insecure communication (mentioned above). A failure of the application to use cryptography at all when it should refer to insecure data storage (discussed above).

Insecure Authorisation

Authorisation is the process of allowing authenticated users to access the resources by checking whether they have access rights to a system. Authorisation helps to control access rights by granting or denying specific permissions to authenticated users. An insecure authorisation can lead to failures in authorisation (e.g., authorisation decisions on the client’s side, forced browsing, etc.).

Client Code Quality

Client code quality is synonymous with "Security Decisions Via Untrusted Inputs". This category is one of our lesser-used and serves as a catch-all for code-level implementation problems in the mobile client. This class would capture problems such as buffer overflows, format string vulnerabilities, and various other code-level issues for which the solution is to rewrite some code that is running on a mobile device.

Code Tampering

Code tampering covers binary patching, local resource modification, method hooking, method swizzling, and dynamic memory modification.

Once the application gets delivered to the mobile device, the code and data resources are resident there. An attacker can either directly modify the code, change the contents of memory dynamically, change or replace the system APIs that the application uses, or modify the application's data and resources. This can provide the attacker with a direct method of subverting the intended use of the software for personal or monetary gain.

Reverse Engineering

Reverse engineering involves the analysis of the final core binary to determine its source code, libraries, algorithms, and other assets. Software such as IDA Pro, Hopper, otool, and other binary inspection tools give the attacker insight into the inner workings of the application. Such an approach may be used to exploit other nascent vulnerabilities in the application, as well as revealing information about back-end servers, cryptographic constants and ciphers (or cyphers), and intellectual property.

Extraneous Functionality

Developers often include hidden backdoor functionality or other internal development security controls that are not intended to get released into a production environment. For example, a developer may accidentally include a password as a comment in a hybrid application. Another example comprises the disabling of a two-stage authentication during testing.

Infrastructure Penetration Testing

Malicious hackers can penetrate organisations’ infrastructure through vulnerabilities in their network, systems and applications to steal or manipulate data. Every company—small or large—is vulnerable to attacks.

Our experts can help organisations understand the weaknesses in their systems that hackers can exploit by performing internal and external penetration tests before recommending appropriate measures and assist them in their implementation.

If performed correctly, a vulnerability assessment can suggest organisations in what cybersecurity resources to invest. If performed incorrectly, a vulnerability assessment will leave their infrastructure open to attacks.

Specialised Penetration Testing (RFID, ATM, EDC, Telecommunication Networks)

Radio Frequency Identification (RFID)

RFID technology makes use of electromagnetic fields to identify and track tags (containing data in electronic form) attached to objects—active or passive.

RFID tags are used in various industries, for example, to monitor the progress of goods through assembly lines.

RFID tags are susceptible to abuse by anyone with specific tools and knowledge. Attackers could analyse the working frequency of such labels, and then decrypt or copy the data stored in them. Such tracking of RFID tags is illegal and can compromise personal, corporate and national security.

We can help organisations discover specific vulnerabilities associated with RFID tags and recommend bespoke solutions to meet their specific requirements.

Automated Teller Machine (ATM)

Some major banks have commissioned card-less ATMs in their branches lately, but that may not be sufficient to protect them from fraudsters. Regardless of any system used to conduct the transactions, fraudsters will always look for weaknesses to exploit. Banks’ mobile applications send codes to customer’s phones. On entering the codes in the ATM, customers can access their accounts, which transfers the risk from magnetic stripes of ATM cards to the mobile devices themselves.

Whether banks use a conventional ATM or a cash-less one, it is imperative that they get their systems examined for vulnerabilities which may be exploited by malicious hackers. And they have to have their systems adequately penetration tested.

Electronic Data Capture (EDC)

An EDC works to make use of Point of Sale (POS) terminals for credit card processing in addition to its submission with the e-commerce providers of merchant accounts or other types of credit card processors.

Security audits often get done for EDC solutions as part of Managed Services or standalone models. Such inspections tend to focus on the security posture of an EDC machine itself, its surrounding infrastructure, and the security traffic of the EDC machine.

ITSEC’s experts are adept at guiding organisations through performing specialised security audits and penetrating testing the EDC systems.

Telecom Networks

ITSEC provides bespoke and comprehensive solutions for telecom network security.

Telecom network security gets compromised by a multitude of new threats.

Our projects are based on thorough evaluation and report preparation with a detailed analysis of vulnerabilities and ratings assigned to them, as well as recommendations made according to the industry standards.

Our security experts are conversant with various types of networks, web applications, mobile applications, and associated tools. Our penetration testing and red team testing methods conform to industry best practices.