Organisations need to conduct periodic Ethical Hacks to continuously assess weaknesses and vulnerabilities to prevent cyber attackers from potentially breaching defences. These Ethical Hacks include the following assessments:
Infrastructure security test
Perform a network-based security test that simulates a hacker attacking your IT infrastructure. This assessment includes vulnerability scanning of the systems in the internal or external network, followed by manual verification and exploitation of the identified issues.
Application security test
Perform an in-depth security assessment to discover vulnerabilities caused by programming errors, configuration weaknesses, or faulty assumptions about user behaviour in the web or mobile application. These tests can be performed with three different levels of transparency:
- Black Box: The testing team does not receive any application documentation except for a very light overview of the application purpose and does not get any credentials. This level of transparency emulates a threat actor that does not have any prior knowledge or access to the application;
- Grey Box: The testing team receives minimal information about the application but is provided with accounts with different access levels. This level of transparency emulates a threat actor that has gained access to the web application;
- White Box: The testing team receives access to the source code of the application and accounts with different access levels. The source code can be used to hunt for vulnerabilities, which are then validated against the running application where possible. This level of transparency emulates a threat actor that has gained access to the code of the application.
Wi-Fi security test
Simulation of an attack on the wireless network infrastructure of the organisation. In doing so, we will attempt to gain access to the internal network by exploiting potential vulnerabilities in the configuration and software of the access points.
Configuration review
In a System Configuration Review, the relevant security settings are analysed on an agreed-upon IT infrastructure component, for example a web, application or database server, or a firewall. The configuration is compared to best practices and industry standards.
Phishing simulation
A social-engineering-based test that simulates a hacker attacking the human element of your organisation. This involves testing how employees respond to phishing e-mails that try to coax them into providing direct or indirect access to information or systems.
Red Team simulation
A red team engagement mimics a real-world threat using the tactics, techniques and procedures (TTPs) of a chosen threat actor. It can also be used to test the detection and alerting capability of the blue team defending the organisation.
Physical security test
A physical security test that simulates a hacker gaining unauthorised access to your premises. This involves testing the measures in place to prevent unauthorised access to the office buildings and/or critical data centres.
Threat Hunting
During a Threat Hunting exercise we will proactively search for ongoing attacks and other suspicious activities in the organisation’s environment that have evaded detection by existing security solutions.