The overall pentest of an information system identifies a company's main cybersecurity weaknesses and prioritises the actions to be taken to raise its level of security.
An overall approach to cybersecurity includes analysing the risks, defining a security policy and putting procedures in place, as well as pentests to evaluate the effectiveness of protective measures taken.
For a more concrete approach, the pentest phase itself can identify the main risks for the company and propose a plan of action. In this case, pentests encompass a wide range of techniques, in order to reproduce attacks that are commonly directed against companies.
By definition, this type of pentest does not have a scope defined at the beginning: the security auditors (pentesters) will themselves determine the targets of the tests, according to the reconnaissance phase carried out during the security audit.
The objectives of the audit are adapted to the context of the company, starting from the classic risks for any information system: data confidentiality, data integrity and continuity of services. Risks that are not specific to information systems also need to be taken into account, such as fraud on financial transactions and damage to the company's brand image.
The first step is to validate the purpose and conditions of the security audit.
It is possible to perform an external pentest and an internal pentest, or only one of them.
The security audit can encompass all risks, with technical tests and social engineering tests, or it may be limited to technical tests only.
The company that commissions the audit may specify restrictions on certain types of tests. Within those restrictions, the company gives the pentesters legal authorisation to reproduce a realistic cyberattack. An emergency communication plan is put in place before the tests start, together with back-up procedures in case a test disrupts production.
The feedback of the results shows the strengths and weaknesses of the company in cases of cyberattack, and is used to adapt security measures accordingly.
The external pentest consists of targeting all the elements that are visible to a remote attacker: public IP addresses, mail servers, VPN gateways, web servers, staff members who can be contacted by email or telephone, etc.
The reconnaissance phase identifies the attack surface. Its aim is not to produce an exhaustive list of every exposed element, but to decide pragmatically which attacks have the highest probability of succeeding.
The offensive phase is the major part of the audit. By identifying and exploiting the vulnerabilities present, the auditors can give the client very concrete feedback: the types of flaws found, their impact, their level of criticality, and the corrective measures to apply.
The internal pentest targets the elements exposed on the internal network, attempting to bypass access controls and privilege boundaries, compromise the information system (IS), trap users, etc.
The reconnaissance phase identifies the elements exposed in the network before continuing to the offensive phase.
Apart from the IT network, the pentest can target physical access to the company’s premises, by picking conventional locks or searching for vulnerabilities in electronic locks (RFID, biometric or connected locks).
The pentest can target company employees through various social engineering techniques: internal phishing, malicious USB keys, fraud and face-to-face manipulation, etc.
Office 365 is a solution used by many companies. It is a sensitive element because of the type of information obtained by an attacker who gains access to a user account, or even administrator rights.
The purpose of testing Office 365 is to detect weaknesses in its configuration that would allow an external or internal attacker to perform malicious actions. This includes black box tests (without a user account) and grey box tests (from a standard user account).
56% of organizations were victimized by a ransomware attack in 2018.
2019 Cyberthreat Defense Report. CyberEdge Group. (p. 14).
17% of all sensitive files of a company are accessible to every employee.
2019 Global Data Risk Report: Data Gets Personal. Varonis. (p. 4).
85% of attacks were financially motivated.
2019 Incident Response Insights Report. SecureWorks. (p. 6).
There are various ways for criminals to make money from a cyberattack, such as: "using systems to mine cryptocurrency they can sell, encrypting files and demanding ransom, gaining access to bank accounts to steal money, or stealing personal or credit card data that they can sell."
Our range of pentests
We cover a wide technical scope, with specific tests for each type of target. The exact perimeter of the pentest is defined either directly according to your security priorities, or after a reconnaissance phase that identifies the parts most at risk from the viewpoint of an attacker.