Our customer guide I - Nethemba

Our customer guide I

Everything you wanted to know about our IT security services

The goal of this document is to explain how to choose a penetration test or security audit that matches your expectations, follows professional standards and comes at the best price. It is based on our 14 years of experience in ethical hacking (hundreds of penetration tests and security audits performed for our customers).

We have divided this document into three parts, which will be published one after another on our blog.

First part: What penetration test or security audit do I need? (RFI)

Second part:

I want an offer. What do you need from me? (RFP)

I decided to order your services, let’s start!

How do I set up a test environment and test accounts?

Testing is ongoing, what should I expect?

The final report

Third part:

Repeated Tests and a Bug Bounty Program

What security certificates should ethical hackers have?

Why should I choose tests from a voluntaryist company?

What penetration test or security audit do I need? (RFI)

Web application tests

If you are a small company without an internal infrastructure, you will probably be interested in a penetration test of your website or web application. If you have a small or medium-sized website without complex dynamic functionality, our most popular service, the standard penetration test, may suit you. Its goal is to find as many critical or otherwise serious vulnerabilities as possible within a fixed time (3 days). It is a “black box” simulation of a real attack: a potential attacker gets exactly three days to hack your application. The test answers the question: what can a professional hacker discover and exploit within this period?

Unfortunately, three days is usually not enough to find most vulnerabilities, especially in larger and more complex applications. For such cases we offer a comprehensive web security audit, which we perform according to the OWASP Web Security Testing Guide (WSTG, currently version 4.2). This is the most detailed web test we perform, and we adhere strictly to this open methodology.

If the customer is interested, we can also audit the application's source code. Because the source code is usually extensive, we focus on the security-critical parts: authentication, authorization and session management.

During a comprehensive web security audit, we go through every form and input of the web application and test it for all types of known web vulnerabilities. This audit is therefore significantly more laborious (detailed testing of one application takes us about 2-4 weeks). Part of the work is writing exploits, i.e. specialized programs that practically demonstrate how the detected critical vulnerabilities can be abused. We recommend a comprehensive web security audit for every security-critical application that handles sensitive personal or financial data or allows financial transfers, which makes it suitable for the financial sector and for medium-sized and large companies. We also recommend it for every newly developed application before it goes into production.

Mobile application tests

Having a nice and functional mobile application is now a necessity and a standard for many companies. Mobile apps for Android or iPhone can contain types of vulnerabilities that do not occur in web apps. We therefore recommend a thorough test of every new mobile application before it is officially launched.

Our mobile application security audit covers both the server side, i.e. the web services (REST/SOAP) the app talks to, and the client side (frontend) of the application itself: Android applications written in Java are decompiled, iOS applications written in Objective-C are reversed and disassembled. We also analyse and actively intervene in the communication between the mobile application and its server side, modifying both the application's requests and the server's responses in order to identify vulnerabilities, and we use various “fault injection” tools. Client-side protections such as SSL pinning, root/jailbreak detection or code obfuscation can be bypassed during the test. Testing one mobile application on one platform takes 1-3 weeks.

External penetration tests

If you are a larger company, you have your own network infrastructure (external and internal corporate network) that has to be maintained and secured. Our external penetration test helps you with this. It can be performed fully “black box”, where you as the customer provide no information about your network infrastructure at all. In the initial “information gathering” phase we try to obtain everything we need from publicly available registers and databases; the goal is to identify your likely IP ranges or IP addresses. This phase is passive: we do not touch your servers or network elements, we only collect publicly available information about your infrastructure. Once we have a list of candidate IP addresses or ranges, we explicitly ask you to confirm that they really belong to you. It is illegal to actively test IP addresses that do not belong to you, so only confirmed addresses proceed to the active phase.

The second alternative (about a day faster) is to send us the IP ranges or addresses you want tested, after which active penetration testing can start immediately. An external penetration test takes from a few days to a few weeks, depending on the size of the tested infrastructure.
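The scope step described above (passively gathered candidates go to the customer for confirmation, and only confirmed address space is actively tested) is easy to get wrong when the candidate list mixes single hosts, whole prefixes and several address families. The following scope filter is an added example, not Nethemba's tooling; the confirmed ranges and candidates are constructed from documentation prefixes, not real customer data. A candidate prefix that only partly overlaps confirmed space is kept out of the active phase and reported separately, because the remainder still needs the customer's confirmation.

```python
"""Scope filter for an external penetration test (added example, constructed data)."""
import ipaddress
from typing import Dict, Iterable, List

# Ranges the customer confirmed in writing as theirs (constructed sample, RFC 5737 / RFC 3849 space).
CONFIRMED_RANGES = ["192.0.2.0/24", "198.51.100.0/25", "2001:db8:1::/48"]

# Candidates produced by passive information gathering (constructed sample).
CANDIDATES = [
    "192.0.2.10",         # host inside the confirmed /24
    "198.51.100.200",     # same /24 as a confirmed block, but outside the confirmed /25
    "198.51.100.0/26",    # prefix entirely inside the confirmed /25
    "198.51.100.0/24",    # prefix that only partly overlaps confirmed space
    "203.0.113.7",        # shared hosting / third party, never confirmed
    "2001:db8:1::443",    # host inside the confirmed IPv6 block
    "2001:db8:2::1",      # neighbouring IPv6 block, not confirmed
]


def build_scope(confirmed: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Parse the confirmed ranges and merge adjacent/overlapping ones, per address family."""
    nets = [ipaddress.ip_network(c, strict=False) for c in confirmed]
    scope: List[ipaddress._BaseNetwork] = []
    for version in (4, 6):
        scope.extend(ipaddress.collapse_addresses(n for n in nets if n.version == version))
    return scope


def classify(candidate: str, scope: List[ipaddress._BaseNetwork]) -> str:
    """'in' = fully inside confirmed space, 'partial' = overlaps but not contained, 'out' = no overlap."""
    net = ipaddress.ip_network(candidate, strict=False)   # a bare address becomes a /32 or /128
    same_family = [s for s in scope if s.version == net.version]
    if any(net.subnet_of(s) for s in same_family):
        return "in"
    if any(net.overlaps(s) for s in same_family):
        return "partial"
    return "out"


def partition(candidates: Iterable[str], confirmed: Iterable[str]) -> Dict[str, List[str]]:
    """Split candidates into the three buckets, preserving input order inside each bucket."""
    scope = build_scope(confirmed)
    buckets: Dict[str, List[str]] = {"in": [], "partial": [], "out": []}
    for c in candidates:
        buckets[classify(c, scope)].append(c)
    return buckets


def active_targets(candidates: Iterable[str], confirmed: Iterable[str]) -> List[str]:
    """The only list that may be fed to active scanning: candidates fully inside confirmed space."""
    return partition(candidates, confirmed)["in"]


if __name__ == "__main__":
    buckets = partition(CANDIDATES, CONFIRMED_RANGES)
    print("confirmed scope  :", [str(n) for n in build_scope(CONFIRMED_RANGES)])
    print("active targets   :", buckets["in"])
    print("ask customer     :", buckets["partial"], "(partly outside confirmed space)")
    print("excluded         :", buckets["out"])
```

Everything in the "partial" and "out" buckets goes back to the customer as a question, never to a scanner; if the customer confirms more space, it is simply appended to the confirmed list and the partition is rerun.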

Internal penetration tests

According to some estimates, as many as 60% of all security incidents originate with internal employees, so the security of the internal network infrastructure deserves attention. For this purpose we offer an intranet penetration test. It can be done from the point of view of a random anonymous attacker (someone who comes to the company for a job interview and plugs a laptop into a socket in a meeting room) or from the point of view of a regular employee (for example a secretary with an ordinary account in the company domain).

Usually, anonymous access to the internal network is enough for us to bypass protections such as MAC address filtering, 802.1X or other link-layer controls. With attacks such as ARP poisoning, where we pose as the “official” network router (the default gateway), we can relatively quickly obtain the privileges of other internal network users, so we often do not even need the “secretary” account. Unless agreed otherwise, the main goal of the internal penetration test is to compromise the Active Directory domain controller and the main network router that carries all traffic from your company to the Internet. Achieving this de facto means we have gained full control over your internal network.

In the past, we performed most internal penetration tests onsite, i.e. physically at the customer's premises. During the current pandemic we have switched almost completely to remote testing over a VPN connection provided by the customer. For corporations with many branches around the world and separate internal networks, we need VPN access to every single location to test them properly.

Local system security audit

While “wandering” through the internal network, we often come across a server that is critical from the customer's point of view and deserves detailed local testing. In that case we start a local system security audit, whose aim is to find all possible vulnerabilities in the locally installed system and applications and to help harden them. For example, we look for every way a non-privileged user could escalate to a privileged one (administrator/root).
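The privilege-escalation search mentioned above starts with a handful of mechanical checks that are worth seeing in code: set-uid/set-gid binaries, world-writable files and directories, and PATH entries a non-privileged user can write to. The script below is an added example, not Nethemba's tooling. Its build_demo_tree() creates a throw-away directory with one example of each finding so that the checks can be run offline; on a real audit the same functions are pointed at /usr, /etc, /opt and the user's actual PATH, and every hit is then compared against what the distribution legitimately ships (passwd, for instance, is expected to be set-uid).

```python
"""Local privilege-escalation surface enumeration (added example, constructed demo data)."""
import os
import stat
import tempfile
from typing import Dict, Iterable, List

# Pseudo filesystems: nothing exploitable lives there and walking them is slow and noisy.
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def _entries(roots: Iterable[str]):
    """Yield (path, lstat) for every directory and file under roots; unreadable parts are skipped."""
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
            dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
            for name in dirnames + filenames:
                path = os.path.join(dirpath, name)
                try:
                    yield path, os.lstat(path)
                except OSError:
                    continue


def find_setid_binaries(roots: Iterable[str]) -> List[str]:
    """Regular files with the set-uid or set-gid bit: each one runs with another identity."""
    return sorted(path for path, st in _entries(roots)
                  if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID))


def find_world_writable(roots: Iterable[str]) -> List[str]:
    """World-writable files and directories. Sticky-bit directories (/tmp style) are excluded,
    symlinks are skipped because their own mode bits are meaningless."""
    hits = []
    for path, st in _entries(roots):
        mode = st.st_mode
        if stat.S_ISLNK(mode) or not mode & stat.S_IWOTH:
            continue
        if stat.S_ISDIR(mode) and mode & stat.S_ISVTX:
            continue   # users can drop files but cannot rename/delete each other's
        hits.append(path)
    return sorted(hits)


def risky_path_entries(path_env: str) -> List[str]:
    """PATH entries that are relative or writable by the current user. A binary planted there
    is executed by anyone (a root cron job or sudo wrapper included) whose PATH resolves it first."""
    risky = []
    for entry in path_env.split(":"):
        entry = entry or "."    # an empty PATH element means the current directory
        if not os.path.isabs(entry) or (os.path.isdir(entry) and os.access(entry, os.W_OK)):
            risky.append(entry)
    return risky


def build_demo_tree() -> Dict[str, str]:
    """Construct a temporary directory with one example of each finding (demo data only)."""
    root = tempfile.mkdtemp(prefix="privesc-demo-")
    paths = {
        "root": root,
        "setuid": os.path.join(root, "helper"),
        "normal": os.path.join(root, "readme"),
        "ww_file": os.path.join(root, "config.ini"),
        "ww_dir": os.path.join(root, "dropzone"),
        "sticky_dir": os.path.join(root, "shared-tmp"),
    }
    for key in ("setuid", "normal", "ww_file"):
        with open(paths[key], "w") as fh:
            fh.write("demo\n")
    os.mkdir(paths["ww_dir"])
    os.mkdir(paths["sticky_dir"])
    os.chmod(paths["setuid"], 0o4755)       # set-uid helper
    os.chmod(paths["normal"], 0o644)        # harmless
    os.chmod(paths["ww_file"], 0o666)       # anyone can rewrite it
    os.chmod(paths["ww_dir"], 0o777)        # anyone can plant files in it
    os.chmod(paths["sticky_dir"], 0o1777)   # like /tmp: excluded on purpose
    return paths


if __name__ == "__main__":
    demo = build_demo_tree()
    print("set-id binaries   :", find_setid_binaries([demo["root"]]))
    print("world-writable    :", find_world_writable([demo["root"]]))
    print("risky PATH entries:", risky_path_entries(demo["root"] + ":" + os.environ.get("PATH", "")))
    # Real audit, run as the unprivileged user: find_setid_binaries(["/usr", "/opt", "/etc"]) etc.
```

The raw lists are the input to the auditor's work, not its output: each set-uid binary is checked for known weaknesses and for writable configuration or library paths it loads, each world-writable file is traced to the process that reads it, and each writable PATH entry is traced to the accounts and scheduled jobs whose PATH contains it.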

Social engineering

All of the tests mentioned above look for vulnerabilities in technology. Unfortunately, even with highly secure technology (systems, applications) you can still fall victim to an attack. This is the domain of social engineering, where the target is not the technology but the people. The attacker exploits typical human traits such as altruism, trust and the wish to help, but also selfishness or fear of authority.

The social engineering we perform consists of three parts.

The first part is a targeted phishing attack (so-called spear phishing), in which we usually try to manipulate your employees by e-mail or instant messaging. The goal is to obtain selected sensitive information or to get the employee to perform an operation they would otherwise not be authorized to perform.

The second part takes place by phone or SMS, using impersonation and caller ID spoofing (we call from spoofed numbers that look trustworthy to the victim).

The third part is actual physical infiltration of the customer's building. For this we usually need a “Get Out Of Jail Letter”, a document signed by the company's management stating that this is only a test, so that any physical confrontation can be defused.

Every customer is different and requires different social engineering scenarios. Employees of some customers have a higher security awareness and are immune to trivial attacks such as phishing e-mails or USB sticks with malware left lying around; for them we develop more sophisticated scenarios.

Well-executed social engineering is very often successful. Even today, fraudsters posing as Microsoft employees manage to gain access to the computers of thousands of people and to obtain their personal information.

Specialized tests

If you are interested in specific tests of a particular technology or platform, let us know. We have experts and experience with the security of the following technologies:

Security audit of smart contracts – if you need to test decentralized applications written in Solidity on Ethereum (or another blockchain that supports smart contracts). We have covered vulnerabilities in smart contracts in a separate article.

SAP systems security audit – to test the security of your SAP systems and applications. SAP is a very complex system, which is why we have a very high success rate in revealing critical vulnerabilities in it.

Security audit of smart cards – in the past we demonstrated the practical breaking of the most widespread smart card in the world (Mifare Classic) and were the first to publish an open-source tool for breaking it (mfoc, available for example in the Kali penetration testing distribution). We have repeatedly used this experience to audit various contactless smart card technologies (ISO/IEC 15693 and ISO/IEC 14443).

Security audit of wireless (WiFi) networks – spoofed WiFi hotspots (so-called “Rogue APs”) can become an unwanted channel for leaking sensitive information from your internal network. Similarly, an insufficiently secured internal WiFi network lets an attacker easily compromise you, your employees or your customers. A security audit of wireless networks reveals all of this.

IoT and SCADA security audit – if you manufacture your own hardware or operate critical industrial infrastructure, you will appreciate our specialized SCADA and IoT security audits, which find vulnerabilities in your hardware or industrial infrastructure. Such vulnerabilities can have fatal consequences: failure of a production line or a generator, a malfunctioning cardiac pacemaker, and so on.

We have experience in testing the security of proprietary VoIP phones, WiFi routers, automotive on-board units, mobile base stations (BTS) and industrial infrastructure.

In the second part of the article, we will explain exactly what information we need from you to prepare a suitable offer, sign the contracts, set up a test environment and test accounts, and perform the testing.