Thanks to the team at Wizard Cyber we were able to find vulnerabilities in our network we would not have recognised before, and now have a security plan in place to protect our network.
CEO – Financial Sector
An Internal Infrastructure penetration test reviews an organisation’s internal network, using a variety of vulnerability assessment and attack methods.
The output of the test activity is granular knowledge of the Internal Infrastructure threat surface, and intelligence enabling the mitigation of potential threats before harm is done. Internal infrastructure testing is usually conducted at the client's premises and is often scenario and risk based. An assessment may, for example, explore the consequences of a rogue employee or contractor carrying out malicious activities from inside the network.
Internal Infrastructure security testing should be part of every organisation's risk assessment methodology, prior to and following internal configuration changes, and also on an ongoing, regular basis to suit the customer's threat appetite. Wizard Cyber can provide scheduled, regular Internal Infrastructure penetration testing services to our clients to ensure they remain secure on an ongoing basis.
An External Infrastructure penetration test checks the entire, or nominated, exterior assets of a client infrastructure (i.e. anything that connects to the internet), using a variety of discovery and attack methods.
The purpose of the test is to learn more about the External Infrastructure security status and to gain intelligence for mitigating potential threats before harm is done. External Infrastructure assessments help provide assurance that a network is safe from external threats, since breaches of external networks can result in significant loss of data, reputational damage and instability of key business functions.
External Infrastructure security testing should be part of every organisation's risk assessment phase prior to changing or launching any new live services. Merimetso can provide scheduled monthly, or ad hoc, External Infrastructure penetration testing services to a client to ensure their entire exterior is secure on an ongoing basis.
Penetration testing, or ethical hacking, is a key technical audit tool for the risk assessment of a software application. A web application penetration test is designed to identify security weaknesses which have been unknowingly introduced by software developers as they design, code and publish their software.
Performed with the permission of the software owner, our web application penetration testing service uses a series of automated and manual processes to identify vulnerabilities and demonstrate how they can be used to facilitate a cyber attack. Measures and controls to prevent or mitigate the impact of an attack are recommended for each major vulnerability.
This information is delivered in a Penetration Test Report which is used as a practical guide to improve the security of the software application. It is also used to meet the organisational requirements for compliance to standards such as the Payment Card Industry Data Security Standard (PCI DSS) and ISO 27001.
A mobile application penetration test aims to review an entire application. An assessed application will be subjected to a review for vulnerabilities (including those detailed within the OWASP Mobile Top Ten, located at https://owasp.org/www-project-mobile-top-10/, and the SANS Top 25 list) in order to identify any weaknesses that could allow an attacker to compromise the application, the data it interacts with, its users or the hosting environment.
Mobile application security testing should be part of every organisation's risk assessment phases. We take mobile application security testing to the highest level, ensuring that a customer can release their mobile application knowing it has been extensively scrutinised by industry leaders.
Black box testing
Black box testing is the closest simulation of real-world hacking, in that the tester will know very little, if anything, about the target other than what is publicly available. These are often the least time-consuming tests, as they rely solely on the tester discovering vulnerabilities in outward-facing components. However, whilst these tests accurately represent real-life situations, they will not pick up any vulnerabilities or misconfigurations present internally. Therefore, they cannot predict what damage an internal threat may cause.
White box testing
White box testing offers the most thorough security test. The tester has a full understanding of the application or infrastructure, how it works, and access at various levels. They will likely even have access to the source code or a fully detailed map of the internal infrastructure. The tester will probe for vulnerabilities and misconfigurations to gain access from an external position and look to see what damage can be done from an internal perspective.
Grey box testing
Grey box testing is a blend of black and white box testing and is often the most popular test type. The tester will have limited knowledge of the target, potentially including some documentation. They will often have basic user-level access, allowing for partial testing of the target’s internals.
A vulnerability scan may well be used in the initial stages of a penetration test to surface any easily exploited flaws to work with. The tester will then go a step further, using brute-forcing, code injection, social engineering and other methods to exploit a vulnerability and gain access.
The testers will then attempt to exploit any weakness found to gain unauthorised access. This is often a trial-and-error process. If successful, the tester will determine the extent of a hacker's potential reach, compile evidence and then provide a detailed report along with remediation advice.
Tests will often follow these steps:
- Active Scanning and Vulnerability Analysis
- Mapping and Service Identification
- Application Analysis
- Service Exploitation
- Privilege Escalation
- Reporting & Debrief
We would also recommend conducting a penetration test any time you make significant changes to your infrastructure or network, such as when you make an upgrade to software or move to a new office. Our team can advise the best solution for your organisation.