Penetration Testing
An authorized, simulated attack exercise conducted manually by our qualified security experts, who attempt to find and exploit vulnerabilities in a computer system.
What is Penetration Testing?
Exploiting vulnerabilities within a time constraint
Ethical hacking
Finding vulnerabilities that an automated scanner cannot discover
Manual testing that requires skilled and experienced experts
Assessing the effectiveness of the client's existing suite of security controls more proactively
Conducted with client consent to a carefully designed project scope and rules of engagement
Recommending appropriate defences to strengthen the security posture
Why Pentest?
To meet compliance and regulatory requirements, including:
    ISO 27001
    HKMA TM-E-1 Risk Management of E-banking v.3, Oct 2019
    HKMA Cyber Resilience Assessment Framework
    PCI DSS / GDPR compliance
    SFC Guideline on Cybersecurity for Licensed Corporations, effective Jul 2018
    Insurance Authority Guideline on Cybersecurity, effective Jan 2020
    HKSARG Security Risk Assessment and Audit
To test a new system or application before production
To measure the effectiveness of the controls and demonstrate it to management
Scope of Penetration Testing
Web/Mobile Application
Wi-Fi Network
External/Internal Network
Active Directory
API
Cloud Security
Standards we reference
US NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment
Open Web Application Security Project (OWASP)
    OWASP Top 10
    OWASP Mobile Top 10
    OWASP MASVS-L1, L2 or +R requirements
    OWASP API Security Top 10
Consultant Certifications
Our Penetration Testing Methodology
Our four-stage penetration testing is based on NIST SP 800-115 guidance:
Planning
Testing goals and rules of engagement are set.
Discovery
Black box or grey box approach. Information gathering and automated scanning to identify known vulnerabilities.
Attack
Exploit vulnerabilities and perform additional discovery upon gaining new access (Additional Discovery feeds back into the Discovery stage).
Reporting
Document all vulnerabilities found, successful exploits and failed attempts, and recommend safeguards to mitigate the risk. Verify the remediations performed by the client.
Our Penetration Testing Deliverables
A report including an executive summary, scope, findings, evidence and recommendations
A presentation summarizing the key findings
A sample is available upon request
Frequently Asked Questions
What’s the key difference between a Pentest and Vulnerability Scanning?
A pentest applies manual effort to exploit the identified vulnerabilities and to discover unknown vulnerabilities.
Vulnerability scanning uses automated tools to discover known vulnerabilities.
What is the key factor influencing the number of findings in a Pentest?
Besides the pentester’s skill set, time is also a key factor.
Time-limited engagements do not allow for a full evaluation of all security controls. The assessment must be prioritized to identify the weakest security controls that an attacker would most likely exploit within the time constraint.
What are the risks of a Pentest?
The potential risks may include data disclosure, system outage, traffic slowdown, etc.
However, with rules of engagement in place, the pentest can be conducted in a more controlled manner to keep the risk to a minimum.
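One way to make the rules of engagement enforceable in tooling rather than only on paper, as an added example that is not part of the original page and not this provider's own tooling: a Python scope guard that refuses any target outside the agreed address ranges or hostnames, honours explicit exclusions, and blocks work outside the agreed daily testing window. The rules-of-engagement fields (allowed_cidrs, allowed_hosts, excluded_hosts, testing window) and all sample values (RFC 5737 TEST-NET-3 addresses, reserved .test hostnames, a 09:00 to 18:00 UTC window) are assumptions constructed for this example.

```python
"""Scope guard that enforces rules of engagement before any test action.

Added example; not code from the original page. The rules-of-engagement
fields below and every sample value are assumptions constructed for
illustration; nothing here refers to a real system.
"""
from dataclasses import dataclass
from datetime import datetime, time, timezone
import ipaddress
from typing import List, Set, Tuple


@dataclass
class RulesOfEngagement:
    allowed_cidrs: List[str]   # address ranges the client authorised
    allowed_hosts: Set[str]    # hostnames the client authorised
    excluded_hosts: Set[str]   # hosts or addresses explicitly out of scope
    window_start: time         # start of the daily testing window (UTC)
    window_end: time           # end of the daily testing window (UTC)

    def __post_init__(self) -> None:
        # Parse the ranges once so every later check is a cheap membership test.
        self.networks = [ipaddress.ip_network(c, strict=False) for c in self.allowed_cidrs]

    def in_window(self, now: datetime) -> bool:
        """True if `now` falls inside the agreed daily window (compared in UTC).
        A window that crosses midnight, e.g. 22:00 to 04:00, is handled as well."""
        t = now.astimezone(timezone.utc).time()
        if self.window_start <= self.window_end:
            return self.window_start <= t <= self.window_end
        return t >= self.window_start or t <= self.window_end


def check_target(target: str, roe: RulesOfEngagement, now: datetime) -> Tuple[bool, str]:
    """Decide whether `target` may be tested right now. Deny by default: a target
    is permitted only when it is positively authorised and nothing excludes it.
    Returns (permitted, reason) so every decision can be written to the audit log."""
    if not roe.in_window(now):
        return False, "outside agreed testing window"
    # Explicit exclusions override any allowance.
    if target in roe.excluded_hosts:
        return False, "target explicitly excluded"
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    if addr is not None:
        if any(addr in net for net in roe.networks):
            return True, "address within authorised range"
        return False, "address outside authorised ranges"
    if target in roe.allowed_hosts:
        return True, "hostname explicitly authorised"
    return False, "hostname not in scope"


def filter_targets(targets: List[str], roe: RulesOfEngagement,
                   now: datetime) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split a candidate list into permitted targets and (target, reason) refusals."""
    permitted: List[str] = []
    refused: List[Tuple[str, str]] = []
    for t in targets:
        ok, reason = check_target(t, roe, now)
        if ok:
            permitted.append(t)
        else:
            refused.append((t, reason))
    return permitted, refused


# Constructed sample rules of engagement (TEST-NET-3 and .test names only).
SAMPLE_ROE = RulesOfEngagement(
    allowed_cidrs=["203.0.113.0/24"],
    allowed_hosts={"app.example.test", "api.example.test"},
    excluded_hosts={"db.example.test", "203.0.113.250"},
    window_start=time(9, 0),
    window_end=time(18, 0),
)
# Constructed overnight window to show the midnight-crossing case.
NIGHT_ROE = RulesOfEngagement(["203.0.113.0/24"], set(), set(), time(22, 0), time(4, 0))
IN_WINDOW = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)
OUT_OF_WINDOW = datetime(2024, 1, 15, 22, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    candidates = ["203.0.113.10", "203.0.113.250", "198.51.100.5",
                  "app.example.test", "db.example.test", "intranet.example.test"]
    allowed, refused = filter_targets(candidates, SAMPLE_ROE, IN_WINDOW)
    print("permitted:", allowed)
    for target, reason in refused:
        print(f"refused {target}: {reason}")
```

Calling check_target before every scanning or exploitation step, and logging the returned reason, gives the engagement a machine-checked record that nothing outside the agreed scope or window was touched, which is the evidence both the client and the tester want if a finding is later disputed.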