Penetration Testing Services
Let us help you before the bad guys sneak in.
Protect yourself against criminal attacks and close potential security gaps
Did you know that 90% of all IT systems have weak points? Proactive protection against cyber attacks and the knowledge how to detect and close potential cyber security gaps in your systems is crucial for any company.
Our penetration tests are based on the comprehensive know-how of experienced penetration testers. In close cooperation with you we analyze the security of your systems from the perspective of highly specialized attackers and look for security gaps and vulnerabilities. When conducting such tests, we use best practices and methods, and consider industry standards such as OWASP Top 10 or PCI-DSS.
Learn more about our Penetration Testing Services - Download PDF (915 kb)
Penetration Tests Brochure
Why should you get regular Penetration Tests?
- What would happen if a hacker would steal your digital assets?
- What legal consequences would a security breach have for you?
- What financial implications would you face if your IT systems are taken down?
- What reputational damage would a successful hack pose to your business?
- Did you know that 90% of all IT systems have vulnerabilities?
Benefits of Security Testing
- Discovery & Mitigation of vulnerabilities
- Reducing risk to your business
- Protecting your IT security investment
- Protecting clients, partners and third parties
- Maintaining a good reputation
- One-time off or recurring options
Penetration Testing Services
Full Black Box Asssault Testing
The purpose of a Black Box Penetration Test is to fully analyze the security of information systems by using multiples techniques, custom attacks, finding new attack vectors and use social engineering techniques to discover any weaknesses that affect the organization. All company assets could be potential targets since the main idea here is to simulate an attack like real hackers would attack a target. We will perform tests on IT systems, humans (social engineering) and physical security (building security, data center security etc.).
Test Scope:
The Black Box Testing Scope may include all or most of the following techniques/services:
- Vulnerability Assessments
- Penetration Tests
- Web Application Penetration Tests
- Use of online (computer based) social engineering
- Creation of phishing sites
- Client side attacks
- Use of controlled Malware / Backdoor Testing
- War Dialing / PABX Attacks
- Any other required in order to accomplish defined objectives
Test Methodology:
The Assault Testing is a complete Black Box test, so the client does not provide any information about their infrastructure. The customer may provide no more than a URL or even just the company name. This service is adaptive in nature and always delivered through a tiger team, a group of professionals, having different skillsets across all Security domains.
Test Procedure:
1. Objective requirements and definitions
2. Test executions
3. Reporting
Network Penetration Testing
We offer various types of network and infrastructure penetration tests that together cover a full range of vulnerabilities. The penetration tests are carried out by experienced security experts, accredited by the world leading standards and certifications.
External Network Penetration Tests:
An external penetration test covers the assessment of security of systems exposed to the Internet. Considering that anybody who is connected to the Internet can access such services remotely, the risks of attacks are very high.
The most common external security assessment attacks include front-side attacks. A front-side attack simulation allows the assessment of the security level of systems in the DMZ. Web servers, database servers, mail servers, VPN servers and web domains are the most popular systems accessible by anybody from the Internet and their exposure to it is the cause of frequent attacks. Our security experts carry out numerous simulations of front attacks and identify the risks involved.
Network Penetration Testing Methodology:
Our penetration testing methodology encompasses a multitude of tools and skills to assess the overall health of a company’s security infrastructure. As such, all security assessments must adapt to an organization’s infrastructure, host services, and security policies so as to provide a holistic security review of their networked environment.
Our testing ensures that common best practice guidance and methodologies are covered including all components listed in the OWASP Top 10. Our approach is based around six key phases:
1. Scoping
2. Reconnaissance and Enumeration
3. Mapping and Service Identification
4. Vulnerability and Exposure Analysis
5. Service Exploitation
6. Pivoting
Reporting and Debrief:
Finally, we document all vulnerabilities and exposures within the environment. Reports aim to quantify the exposures and identify how and why they may pose risks to the business. Remediation advice and guidance is provided in our report on how the environment should be improved. Our report consists of two parts, a management summary and a technical report.
Debriefs can either take place via conference call, through WebEx, or through face-to-face meetings. During these debrief sessions, we will walk the client through their security exposures and offer advice and guidance on how the environment should be improved.
Web Application Penetration Testing
70% of all technical attacks occur in your web applications. We offer various types of web application penetration tests that together cover a full range of vulnerabilities. The penetration tests are carried out by experienced security experts, accredited by the world leading standards and certifications.
External Web Application Penetration Tests
An external penetration test covers the assessment of security of systems exposed to the Internet. Considering that anybody who is connected to the Internet can access such services remotely, the risks of attacks are very high.
Our external security assessment attacks include web application attacks. This test module verifies the resistance of a web site or web application to common attacks, which recently have become more and more popular and very easy to execute. An external web application penetration test is an attack simulation that makes possible to discover different kinds of flaws: authentication, authorization, encryption and any other logic weakness which might result in an unauthorized access, password theft, credentials, identity theft or privilege escalation within HTTPS/HTTPS portals, such as an e-banking system.
Web Application Penetration Testing Methodology:
Our Web Application Testing methodology is a separate service designed for an in-depth probe and analysis of a client’s web application. Our security experts use a blended approach of open source, custom scripts and commercial tools to conduct our Web Application Tests. As part of a Web Application Test, we will assess the following elements:
- The Web Application Server/ Web Application Service
- The client/server protocol and communications path
- The client application
We conduct the following discrete tests for Web Application Assessments:
- Application Re-Engineering
- Authentication Assessment
- Session Management
- Input Manipulation
- Information Leakage
Our testing ensures that common best practice guidance and methodologies are covered including all components listed in the OWASP Top 10.
Reporting and Debrief:
Finally, we document all vulnerabilities and exposures within the environment. Reports aim to quantify the exposures and identify how and why they may pose risks to the business. Remediation advice and guidance is provided in our report on how the environment should be improved. Our report consists of two parts, a management summary and a technical report.
Debriefs can either take place via conference call, through WebEx, or through face-to-face meetings. During these debrief sessions, we will walk the client through their security exposures and offer advice and guidance on how the environment should be improved.
Wireless Security Audits
A Wireless Security Audit is a method of evaluating all Wifi or Bluetooth Security aspects of networks by simulating attacks against authentication, encryption or becoming a „man-in-the-middle“ attacker. The same tools, know-how and methodologies are being used as malicious hackers would employ. The difference to a real attack is the fact, that testing is done with the explicit written consent of the client and the purpose is to produce a comprehensive report and to close down security holes, before a real attacker can exploit them.
We have managed to break into 90% of our customer systems through Wireless. Wifi is used in almost any business and can open all doors to attackers, because Wireless Networks expose the company network beyond its premises and an attacker may be hundreds of yards away!
Why Wireless Security Audits?
- What would happen, if sensitive and critical data would be stolen by a competitor
- What would be the legal consequences if your customer data would be stolen
- What would be the financial impact of an hour network downtime due to an attack
- Have you already fallen victim to an attack (knowingly or unknowingly)?
Who should get a Wireless Security Audit?:
- Business who use IT systems of any kind, hold confidential data or customer information
- Businesses who don’t want lawsuits from clients, when data has been stolen
- Businesses who have fallen victim to an attack and don’t want to wait for the next attack
- Businesses who must comply to Industrial and/or Government Compliance regulations
- Businesses who have heard that competitors already had to face a Cyber attack
- Businesses who understand that pro-active security is a lot cheaper than re-active security.
Wireless Security Audit Offerings
We offer different Wireless Security Audit Services:
- Wireless Authentication & Enryption Attack Testing: We will try to break into Wireless Access Points by performing Ethical Hacking against common security methods such as MAC authentication, WEP, WPA and WPA-2. The goal of this audit is to break into a wireless network in order to gain access to the network.
- Wireless Man-in-the Middle Attack Testing: In this audit we will set up rogue and fake Access Points, waiting for users to connect in order to capture all activities they perform. Social Engineering techniques will also be employed, such as redirecting users to a fake webpage forcing them to re-enter the pre-shared key. Additionally we perform tests around redirecting users in order to capture online activities such as phone calls.
- Wireless DDoS Attack Testing: In this audit, we are attempting to bring the wireless network to a complete hold by either jamming the wireless spectrum or overloading the Access Points, so legitimate users can’t be served any longer.
- Bluetooth Attack Testing: We evaluate every security aspect of Bluetooth Networking in order to gain control over bluetooth devices, intercept calls (i.e. BT handset to BT earpiece) or render Bluetooth services temporarily unavailable.
How often should you get a Wireless Security Audit?
Security is a never ending process, as IT technologies and attack methods constantly evolve. Dependent on the nature of your business and threat level towards your vertical market, we advice on a 2 – 4 times a year recurrence cycle.
How is the Service charged?
We charge based on the number of Wireless Access Points / Wireless Networks. Please contact us and we will provide you with a free consultation call.
IoT Penetration Testing
The Internet of Things (IoT) is the internetworking of physical devices, vehicles, buildings and other items — embedded with electronics, software, sensors, actuators, and network connectivity that enable these objects to collect and exchange data. We perform a thorough security assessment that considers all the layers of IoT including embedded devices, wireless communication, IoT specific architectures, operating systems, applications and communication protocols.
Why IoT Security is important:
- What would happen if medical equipment were hacked and incorrect medicine injected?
- Could your IoT devices be used to gain unauthorized access to your internal networks?
- Could alarm systems be rendered offline?
- Could production processes be disrupted or even be stopped by a malicious hacker?
- Did you know IoT hacking is the latest preferred attack vector discussed by hacking groups?
Our IoT Penetration Testing Services:
- Penetration Testing against any IoT device / platform
- Comprehensive reporting with executive summary and in-depth technical reports
- Compliance reporting (PCI, HIPAA, NHTSA etc.)
- Comprehensive mitigation advice included in reports
- Mitigation fix service of encountered vulnerabilities (optional)
Cloud Penetration Testing
This service helps to validate whether your cloud deployment is secure and will provide you actionable remediation information if it is not. The service conducts pro-active, real-world security tests using the same techniques employed by attackers seeking to breach your cloud-based systems and applications.
Social Engineering Audit Services
Social engineering, in the context of information security, is understood to mean the art of manipulating people into performing actions or divulging confidential information. The difference to a real attack is the fact, that testing is done with the explicit written consent of the client and the purpose is to produce a comprehensive report and to close down security holes, before a real attacker can exploit them.
In 90% of all tests, we managed to obtain sensitive information employing social engineering techniques.
Why Social Engineering?
- Does the best IT Security really help, if employees happily give out sensitive information?
- Do employees click on links if they seem to get an email from a co-worker / manager?
- Can employees be tricked over the phone when an attacker impersonates law enforcement?
- Is the physical security weak? Can attackers dumpster dive? Is tailgating possible?
- Are non-technical users not even aware or educated around Social Engineering threats?
Who should be Social Engineering tested?
- Businesses who use IT systems of any kind, hold confidential data or customer information
- Businesses who don’t want lawsuits from clients, when data has been stolen
- Businesses who have fallen victim to an attack and don’t want to wait for the next attack
- Businesses who must comply to Industrial and/or Government Compliance regulations
- Businesses who have heard that competitors already had to face a Cyber attack
- Businesses who understand that pro-active security is a lot cheaper than re-active security
Social Engineering Audit Services
During a Social Engineering Audit, we can perform tests electronically (computer based) and phone based. We gather a lot of open source information prior to any engagement through online information gathering. We also impersonate sources of authority and use a variety of techniques such as:
- Spear Phishing Email campaigns which contain sending crafted emails which seem to come from a superior and get the user to click a link and/or provide confidential information. We also get employees to visit fake websites, which simulate infecting their machines or are used to "phish" credentials.
- Spear Phishing in conjunction with the simulated exploitation of the endpoint (optional)
- Phone based social engineering incl. Caller ID and SMS spoofing along with Vishing exercises (Voice Phishing)
- We can perform social engineering tasks whereby special USB devices with simulated malware are being distributed to track who plugs them in.
- Our services also contain continuous e-learning user education.
- All services come with most comprehensive reporting, user tracking and classification.
How often should a Social Engineer Test be done?
A full audit should at least be done 2 – 4 times per year and the results should flow into a company Security Policy. We recommend regular user education, which we also provide.
How is the Service charged?
We charge based on the number employees to be tested. Please contact us and we will provide you with a free consultation call.
Mobile Application Penetration Testing
We will test your Android and iPhone mobile applications to make sure they cannot be compromised. When assessing a mobile application several areas will be taken into account: client software, the communication channel and the server side infrastructure. All our penetration tests are aligned to the OWASP framework. We perform the service either as black box (no knowledge of the App), grey box (partial knowledge of the App) or white box (full knowledge of the App) test.
Our security experts are experienced professionals, accredited by the world leading standards and certifications, and follow a strict process in all assessments:
- Encryption and communications with the main web app (web service, etc)
- Application runtime analysis
- Code signing and memory protections
- Fuzzing the application
- Exploiting the application
Cyber Security Training Services
New security products with smarter and more agile technologies are being released at a faster and faster pace. So why are we still playing catch-up? Because security is more than just a product, it is a skill! The growing security skills gap makes recruiting and retaining qualified employees increasingly difficult.
Cyber Security Training
Fast Lane offers a wide range of multi-vendor security training that gives IT professionals the knowledge and skills needed to secure and protect critical infrastructure and data systems.
Contact us
Do you have any questions about our training offerings? Simply let us know your requirements using our contact form or call us at +386 1 320 78 80 and we will be happy to advise you!