Astronaut

Penetration Testing

What is penetration testing?

A penetration test, also called a pentest, is an authorized, simulated attack conducted by our qualified security expert, who attempts to find and exploit vulnerabilities in a computer system. The testing is a manual process supplemented by automated tools, and it identifies vulnerabilities from outside the network (external testing) or from within it (internal testing). Working independently, our expert performs the ethical hacking with little or no prior knowledge of the system or application, so that the exercise approximates a real-world attack. The purpose of the pentest is to assess the security posture of your environment and to produce recommendations that mitigate the cybersecurity risks identified.

When do you need a penetration test?

Besides meeting compliance requirements (such as HKMA TM-E-1 Risk Management of E-banking v.3 Oct 2019, PCI DSS and GDPR compliance, the SFC Guideline on Cybersecurity for licensed corporations, eff. Jul 2018, and the Insurance Authority Guideline on Cybersecurity, eff. Jan 2020), a company may use a pentest to check the effectiveness of its existing security controls against an active, skilled human attacker. We recommend that a pentest be performed at least once a year, and additionally whenever the environment changes materially, including but not limited to:

  • Adding new network infrastructure or applications

  • Making significant upgrades to infrastructure or applications

  • Establishing an office in a new location

  • Validating new controls post security incident

Our Methodology

During the planning phase, we define the scope, the objectives and the success criteria of the pentest together with our clients. In the reconnaissance phase, we gather data and information about the target to prepare for the testing. We then use a variety of commercial and open-source tools, together with manual technical skills, to identify potential vulnerabilities and attempt to exploit them. Finally, a risk analysis is performed for each finding by considering both the likelihood of a threat event given the vulnerability and the adverse impact a successful exploitation would have on business operations or on the confidentiality, integrity and availability of the data.

The testing methodology is based on NIST SP 800-115, Technical Guide to Information Security Testing and Assessment, and on industry-accepted open-source testing frameworks.

Phases of penetration testing activities include the following:

  • Planning – Gather customer goals and obtain rules of engagement.

  • Discovery – Perform scanning and enumeration to identify potential vulnerabilities and weak areas.

  • Attack – Exploit vulnerabilities and perform additional discovery from any new access gained.

  • Reporting – Document all vulnerabilities found, the exploits performed and the failed attempts, and recommend safeguards to mitigate the risk.

Our Deliverables

  • A presentation (either remote or physical) of findings.

  • A final report including an executive summary, scope, findings, evidence and recommendations.

  • An optional retest after remediation to confirm that the reported findings have been fixed.