Penetration tests

Penetration tests will reveal the existence of vulnerabilities and other weaknesses in your systems. Our specialists will use real hacker practices to legally test the security of IT infrastructure or web and mobile applications.

We always select the type of test, its scope and method of testing after mutual consultation based on your needs and business goals.

Penetration testing of applications

Online applications are the basis of business today. Time and resources are spent primarily on their functionality, while security is often underestimated or postponed. Most applications are insufficiently secured, and vulnerabilities can be found already in their design. Our main test scenarios for both web and mobile applications therefore follow the OWASP methodology, which covers more than 90 security areas.

[Sensitive data leaks most often through web applications.]

Main test scenarios

  • Checking for data leaks
  • Options for introducing malicious code
  • Abuse / theft of user identity
  • Unauthorized access to the system and data

The most common findings

  • Injection – inserting malicious code, extracting databases
  • Insufficient protection of user accounts
  • Cross-Site Scripting (XSS) – stealing login credentials
  • Insufficient verification of user rights for important actions
  • Out-of-date software, exploitation of known vulnerabilities
  • Transmission of sensitive data over an insecure channel, storage in plaintext

Black box

  • The client provides only the URL of the web application
  • The tester maps the environment using the same methods as a hacker, without the organization’s internal knowledge
  • More time-consuming than white box testing

White box

  • The client provides source code, accounts with administrator rights and documentation
  • This testing focuses on deeper application issues, such as dangerous chains of individual vulnerabilities and application logic errors

Infrastructure penetration testing

Even modern, well-secured networks contain vulnerabilities that were not known at the time of implementation. It is the mistaken feeling of perfect security that ultimately causes considerable financial losses and usually damage to the organization’s good name.

[Keep up with hackers and protect your business]

Main test scenarios

  • Our tests verify the security of all network infrastructure components
  • We identify protocols and network services
  • We verify whether services can be misused, systems compromised and data stolen
  • We perform exploitation: we simulate abuse of a discovered vulnerability to take control of the system or gain admin / root access

The most common findings

  • Out-of-date network services for which a public exploit exists (see www.exploit-db.com)
  • Use of outdated protocols that do not guarantee a sufficient level of security and integrity for transmitted data
  • Publicly accessible administration interfaces
  • Network segmentation errors

Penetration testing of mobile applications

Mobile applications are generally a weak point of information systems; many developers hardly address security at all.

Through mobile application penetration testing, companies gain insight into source code vulnerabilities, weak points and attack vectors. Penetration testing serves as an audit of the developers’ work before such an application is deployed to production. After we recommend fixes for the vulnerabilities found, we usually perform re-tests that confirm the fixes are correct.

Main test scenarios

  • Focus on the possibility of data leakage and misuse on the phone / tablet
  • Checking the security of communication between the application and its servers
  • Attacks carried out from the public environment and the Internet
  • Focus on the Android and iOS platforms
  • Methodology and recommendations according to OWASP

The most common findings

  • Insufficient authorization on API calls
  • Weak protection against MITM (man-in-the-middle) attacks
  • Credentials stored in the application code
  • Insufficient protection of sensitive data stored on mobile devices

Social engineering

Your IT security is as strong as your least prepared employee.

The term “social engineering” has been used by hackers for years to describe the technique of using persuasion to gain access to information systems. Our social engineering service will help you uncover and document potential weaknesses among your employees. We identify areas for improvement and apply targeted training followed by retesting.

Main test scenarios

  • Email – We use email messages to persuade your users to send sensitive information, such as usernames and passwords, or to click on a potentially dangerous link.
  • Telephone – We contact the user by telephone and use pre-prepared scenarios to test whether the user succumbs to pressure and reveals sensitive information.

The most common findings

  • Up to 60% of users click on a potentially dangerous link during the first test
  • In larger companies, for example, we pose as the IT Helpdesk and ask for the domain password under a pretext (15-30% success rate)
  • Successful attacks on specific roles – accountants, receptionists, etc.
  • Users’ lack of awareness and carelessness is very high

Process of cooperation

The result is a detailed analysis, which is not the end point of our cooperation. We will be happy to suggest specific security measures based on further consultation and to help with their implementation.

Penetration tests should be performed repeatedly; this provides the greatest protection for your data, your investments and the company’s reputation.

Upon request, we issue a certificate of the security of the environment (after the vulnerabilities found have been fixed, of course).

Contact us

David Picha

Cyber Security Business Development Manager
+420 604 200 062
ITsecurity@integra.cz