SERVICE DETAILS

Penetration testing, also called pen testing, is a simulated cyberattack launched against your computer system. The simulation helps discover points of exploitation and tests your IT security against breaches. Unlike a vulnerability assessment, ethical hacking at NSC does not just look for vulnerabilities. We aim to uncover security breaches in your network before real adversaries attempt to exploit sensitive data. To stay ahead of adversaries, we apply a hacker’s mindset and techniques.


OUR PROCESS


1. Client meeting

Before the test, we meet with each client to explain why the test is necessary and how it will benefit them. We also discuss the pen test perimeter.

2. Quotation

An affordable price is proposed to our customers.

3. Initialization

Once we have confirmation from our client, we start with a preliminary test.

4. Preliminary Report

A preliminary report is provided to the customer outlining all the vulnerabilities discovered along with suggested solutions.

5. Re-test

Once our customers have corrected all the vulnerabilities, another test is carried out to ensure the vulnerabilities have been corrected.

6. Reports

A final report is provided to the customer outlining all vulnerabilities discovered and how they have been corrected.


SECURITY THREATS


Viruses, Worms


Exploits

Trojans


Malicious Tools


WHAT DO YOU RECEIVE?


Security Issues

The list of security flaws revealed

Sensitive Data

The sensitive data at risk of theft

Duration

Time spent on system intrusion attempts

Detailed Report

Screenshots and detailed descriptions documenting the process

Business Risk

The business risk assessment of each discovered vulnerability

Solution

Potential solutions and proactive measures for the future

Recommendation

Security recommendations based on business specifications


Why go for security assessment?


  • Your clients insist on partnering only with reliable and secure solutions, and you keep your promises, guaranteeing your business's transparency

  • You are subject to security regulations, set out by law, that require certain security measures (e.g. SOC2, ISO 27001 (27002), HIPAA, PCI DSS)

  • You assess your risks, the value of your stored data and your system's defensive capabilities


Types of penetration testing


Network infrastructure


An attack on a business’s network infrastructure is the most common type of pen test. It can focus on internal infrastructure, like evading a next-generation intrusion prevention system (NGIPS), or the test can focus on the network’s external infrastructure, like bypassing poorly configured external firewalls.
In an internal test, businesses may be focused on testing their segmentation policies, so an attacker focuses on lateral movement in the system. In an external test, the attacker focuses on perimeter protection, like bypassing a next-generation firewall (NGFW).
Network attacks may include circumventing endpoint protection systems, intercepting network traffic, testing routers, stealing credentials, exploiting network services, discovering legacy devices and third-party appliances, and more.


Web application

True to its name, this test focuses on all web applications. While web applications may have some overlap with network services, a web application test is much more detailed, intense, and time consuming.
Businesses use more web applications than ever, and many of them are complex and publicly available. As a result, most of the external attack surface is composed of web applications. Some web applications are vulnerable on the server side, and some are vulnerable on the client side. Either way, web applications increase the attack surface for IT departments.
Despite their cost and length, web application tests are crucial to a business. Web application issues may include SQL injection, cross-site scripting, insecure authentication, and weak cryptography.


Social engineering

Social engineering tests simulate common social engineering attacks such as phishing, baiting, and pretexting. These attacks aim to manipulate employees into clicking a link or taking an action that compromises the business network. Often, clicking the link authorizes access, downloads malware, or reveals credentials.
A social engineering test can reveal how susceptible a business’s employees are to these attacks. Small employee mistakes can grant adversaries their initial access to the business’s internal network.


Physical

Finally, businesses can do a physical pen test that focuses on the physical security of their organization. During these tests, an attacker attempts to gain building access or find discarded papers or credentials that can be used to compromise security. Once inside the building, an attacker may attempt to gather information by eavesdropping or hiding rogue devices in offices to give remote access to the business’s internal network.
While IT typically focuses on digital security, tools for network protection can be useless if the business allows building access or reveals information to outsiders. For example, an employee may let someone into the building or offer a Wi-Fi password without checking to see if the person requesting access is an employee.


What methods do we use?


  • Open Web Application Security Project (OWASP) Testing Guide

  • Double-blind testing

  • Penetration Testing Execution Standard (PTES)

  • Blind testing

  • Common Vulnerability Scoring System (CVSS)

  • Web Application Security Consortium (WASC) Threat Classification

  • Internal testing

  • Targeted testing

  • Information Systems Security Assessment Framework (ISSAF)

  • External testing

  • Open Source Security Testing Methodology Manual (OSSTMM)


Penetration testing and vulnerability analysis

We aim to be trusted by our clients. That’s why our team holds certifications such as CCNP, CEH, ECSA, CISA and CISSP and runs more than 100 test scripts, covering the most typical OWASP vulnerabilities such as:

  • Cross Site Scripting (XSS)

  • Injection

  • Broken authentication

  • XML External Entities (XXE)

  • Broken access control

  • Security misconfigurations

  • Insecure deserialization

  • Sensitive data exposure

  • Using components with known vulnerabilities

  • Insufficient logging and monitoring


Why NSC?

  • We are experts in network penetration testing.

  • We have experience in all areas of cybersecurity affecting business and industry.

  • We specialize in cutting edge pentest methods and tools.

  • We have over 10 years of experience in penetration testing.

Copyright © Network & Security Consulting Ltd | All Rights Reserved | Powered by NSC