Penetration Testing
An authorized, simulated attack exercise conducted manually by our qualified security experts, who attempt to find and exploit vulnerabilities in a computer system

What is Penetration Testing?
Exploiting vulnerabilities within a time constraint

Ethical hacking

Finding vulnerabilities that an automated scanner cannot discover

Manual pentesting requires skilled and experienced experts

Assesses the effectiveness of the existing suite of security controls proactively

The client consents to a carefully designed project scope and rules of engagement

Recommends appropriate defences to strengthen the security posture

Why Pentest?

To meet compliance and regulatory requirements
ISO 27001
HKMA TM-E-1 Risk Management of E-banking (v.3, Oct 2019)
HKMA Cyber Resilience Assessment Framework
PCI DSS / GDPR compliance
SFC Guideline on Cybersecurity for licensed corporations, effective Jul 2018
Insurance Authority Guideline on Cybersecurity, effective Jan 2020
HKSARG Security Risk Assessment and Audit

To test a new system or application before it goes to production

To measure the effectiveness of the controls and demonstrate it to management
Scope of Penetration Testing

Web/Mobile Application

Wi-Fi Network

External/Internal Network

Active Directory

API

Cloud Security


Standards we reference

US NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment

Open Web Application Security Project (OWASP)
OWASP Top 10
OWASP Mobile Top 10
OWASP MASVS L1, L2 or +R (resilience) requirements
OWASP API Security Top 10

Consultant Certifications
Our Penetration Testing Methodology
Our four-stage penetration testing is based on NIST SP 800-115 guidance.

Planning
Testing goals and rules of engagement are set.

Discovery
Black box or grey box approach. Information gathering and automated scanning to identify known vulnerabilities.

Attack
Exploit vulnerabilities and perform additional discovery upon gaining new access; each new foothold loops back into Discovery.

Reporting
Document all vulnerabilities found and exploited, failed attempts, and recommended safeguards to mitigate the risk. Verification of the remediations performed by the client.
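Because the Attack stage feeds newly reached hosts back into Discovery, a tester needs a mechanical check that every pivot target is still covered by the rules of engagement agreed at Planning. The gate below is an added example written for this page; it is not the provider's own tooling and the scope ranges, carve-outs and testing window are constructed sample data. It assumes the engagement scope is expressed as IP ranges and that testing is only permitted inside an agreed local-time window.

```python
"""Rules-of-engagement scope gate for hosts found during additional discovery.

Added example, not code from the page or the provider.  All scope values and
discovered hosts in main() are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, time as dtime
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass
class RulesOfEngagement:
    in_scope: List[str]                                 # CIDRs or single IPs
    excluded: List[str] = field(default_factory=list)   # carve-outs inside in_scope
    window_start: dtime = dtime(9, 0)                   # agreed testing hours (assumed local time)
    window_end: dtime = dtime(18, 0)

    @staticmethod
    def _nets(items: List[str]):
        return [ip_network(i, strict=False) for i in items]

    def host_in_scope(self, host: str) -> bool:
        """True only if host is an IP inside an allowed range and not carved out.

        Unresolved names are never assumed to be in scope: a pivot onto a
        hostname must be resolved and re-checked before it is attacked."""
        try:
            addr = ip_address(host)
        except ValueError:
            return False
        if any(addr in n for n in self._nets(self.excluded)):
            return False
        return any(addr in n for n in self._nets(self.in_scope))

    def within_window(self, when: datetime) -> bool:
        return self.window_start <= when.time() <= self.window_end


def triage_discovered(roe: RulesOfEngagement, hosts: List[str],
                      when: datetime) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split newly discovered hosts into those that may proceed to the Attack
    stage and those that are blocked, each with the reason for blocking."""
    attackable, blocked = [], []
    for h in hosts:
        if not roe.host_in_scope(h):
            blocked.append((h, "out of scope"))
        elif not roe.within_window(when):
            blocked.append((h, "outside testing window"))
        else:
            attackable.append(h)
    return attackable, blocked


def main() -> None:
    # Constructed sample engagement: one internal /16 plus one public host,
    # with a production database subnet carved out by the client.
    roe = RulesOfEngagement(in_scope=["10.10.0.0/16", "203.0.113.10"],
                            excluded=["10.10.5.0/24"])
    # Constructed hosts "seen" after gaining a foothold on an in-scope server.
    found = ["10.10.1.4", "10.10.5.9", "203.0.113.10", "192.168.1.1", "prod-db"]
    ok, blocked = triage_discovered(roe, found, datetime(2024, 3, 4, 10, 30))
    print("attackable:", ok)
    for host, why in blocked:
        print(f"blocked {host}: {why}")


if __name__ == "__main__":
    main()
```

In practice the blocked list is also part of the evidence trail for the Reporting stage: it shows the client which reachable systems were deliberately left untouched and why.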

Our Penetration Testing Deliverables

A report that includes an executive summary, scope, findings, evidence and recommendations

A presentation summarizing the key findings

A sample report is available upon request


Frequently Asked Questions

What's the key difference between a pentest and vulnerability scanning?
A pentest applies manual effort to exploit the identified vulnerabilities and to discover unknown ones.
Vulnerability scanning uses automated tools to discover known vulnerabilities only.

What is the key factor influencing the number of findings in a pentest?
Besides the pentester's skill set, time is the other key factor.
A time-limited engagement does not allow a full evaluation of every security control, so the assessment must be prioritized toward the weakest controls an attacker would most likely exploit within the same time constraint.

What are the risks of a pentest?
Potential risks include data disclosure, system outages and traffic slowdown.
With agreed rules of engagement, however, the pentest can be conducted in a controlled manner that keeps these risks to a minimum.