25 pages to learn about the existing and exploitable vulnerabilities in these technologies, as well as the means to counter or reduce the risks.
In order to assess the security of an information system, a very pragmatic approach consists of conducting a cyberattack in the most realistic way possible. Can a security auditor really put themselves in the shoes of the "bad guy"? Is it possible to avoid biasing the tests by providing no information beforehand?

Yes, it is actually possible with a "100% Black Box" security audit. In this situation, the pentester starts the audit with only the name of the company as information. It is up to them to discover the scope exposed to attacks and then to carry out attacks, trying to maximise the impact of the tests within the time that was given.
The benefits for a company that orders this type of black box audit are:
Denial of service attacks (or DoS attacks) regularly make headlines, as their consequences can be serious. These attacks aim to make a server, a network infrastructure, an application, etc. unavailable.
How to protect yourself? You can choose to test your robustness against denial of service attacks as part of a penetration test.
When we talk about computer attacks, we often think of an activist or a criminal sitting in front of a screen on the other side of the world... while half of the attacks involve internal actors, according to the Insider Threat Report 2018. In fact, 58% of respondents confirmed that they had suffered a cyberattack related to an insider threat. Protecting yourself from the inside against these attacks is therefore just as important as defending yourself from the outside.
During an internal security audit, penetration tests are conducted from inside the company, or sometimes through a VPN. Most of the time, pentesters go to the company's premises, bring their equipment and put themselves in the shoes of an internal attacker.
We have been conducting social engineering attacks for around 3 years (legal attacks commissioned by clients: it is our job, no worry 😉). During these three years, our pentesters (security experts) have tried various techniques, scenarios and pretexts. We have learned lessons from our experience, and our clients have shared with us what they learned too. We are now sharing them with you.
1/ Social engineering in a nutshell
Before starting, let's remember what social engineering is:
Both are said to be the best allies of CISOs (and, in general, of people in charge of IT security). They are, however, two different tools in a security strategy. What are the characteristics of each?
Let's start with the vulnerability scanner.
It is software programmed to run tests on your platform or your information system to detect vulnerabilities. A scanner identifies vulnerabilities thanks to its database of known vulnerabilities and common security issues. It goes through networks, services, applications, etc.
First characteristic: the tests are automated. This means they are fast, and a whole system can easily be tested in a few hours or days, depending on its size.
As mobile apps are used more and more in every field of activity, they also become more and more interesting to malicious attackers. Apps therefore need strong security, just like websites. That's why we perform mobile application penetration testing that takes their specificities into account.
Objective of a Mobile Application Penetration Test?
Your colleagues or your boss are talking about penetration testing (or pen testing, penetration test, pen test or pentest). You're asked to explain to them what it is, how it's done, or what is tested (because you're the tech one, so you surely know that stuff, right? Even if it's not your field).
So here are some key elements to answer them, clear and simple. For more details, feel free to contact us.
Objective of a Web Application Penetration Test?
Summer time is upon us, and we are more relaxed as the holidays approach... But that's no reason to forget good digital security habits at work, as hackers don't go on holiday!
- Choose a complex password with at least 10 characters.
It should ideally contain four different types of characters: lowercase letters, uppercase letters, numbers and special characters (including punctuation marks). The longer and more complex the password, the better, as the number of possible combinations increases.
Forget "easy" passwords like the name of your partner, your beloved kids or your pet.
Administration interface, back-office, dashboard, admin panel... several names for the same thing: the place where organizations manage their data, supervise the activity of a web platform, handle customer requests, activate user accounts, configure items in an e-commerce platform, etc.
When thinking about the security of a web platform, the back-office is not necessarily the priority, for several reasons:
Access to that kind of application is usually restricted to the organization's internal services, and sometimes to third parties who are supposed to be trustworthy.