logo_SVG-01
✕
  • Platform
    • Rewterz XDR
    • Rewterz Defense
    • Rewterz Threat Intelligence
    • Managed Security Services
    • Managed Penetration Testing
  • Services
    • Assess
      • Compromise Assessment
      • Advanced Persistent Threats Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      • SOC Maturity Assessment
      • SOC Model Evaluation
      • SOC Gap Analysis
      • SIEM Gap Analysis
      • SIEM Optimization
      • SOC Content Pack
    • Train
      • Simulated Cyber Attack Exercise
      • Tabletop Exercise
      • Security Awareness and Training
    • Respond
      • Incident Analysis
      • Incident Response
  • Solutions
  • Resources
    • Blogs
    • Press Releases
    • Threat Insights
      • Threat Intelligence Reports
      • Threat Advisories
      • Monthly Threat Insights
  • Why Rewterz?
    • About Us
    • Careers
    • Contact
logo_SVG-01
  • Platform
    xdrLogo
    center_new
    Read More about XDR

    Platform

    • Rewterz XDR
    • Rewterz Defense
    • Rewterz Threat Intelligence
    Acid test your Security with Penetration Testing

    Managed Security Services

    • Managed Security Monitoring
    • Remote SOC
    • Onsite SOC
    • Hybrid SOC

    Managed Penetration Testing

    Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.

  • Services

    Assess

    • Compromise Assessment
    • APT Assessment
    • Penetration Testing
    • Architecture Design & Review
    • Red Team Assessment
    • Purple Team Assessment
    • Social Engineering
    • Source Code Review

    Transform

    • SOC Consultancy
    • SOC Maturity Assessment
    • SOC Model Evaluation
    • SOC Gap Analysis
    • SIEM Gap Analysis
    • SIEM Optimization
    • SOC Content Pack

    Train

    • Simulated Cyber Attack Exercise
    • Tabletop Exercise
    • Security Awareness and Training

    Respond

    • Incident Analysis
    • Incident Response
  • Solutions
  • Resources

    Resources

    • Blog
    • Press Releases
    March 25, 2023
    March 25, 2023
    Rewterz Threat Alert – GandCrab or .CRAB Ransomware – Active IOCs
    Severity Medium Analysis Summary GandCrab – a ransomware-as-a-service variant – was discovered in early 2018. At least five versions of GandCrab have been created since its […]
    March 25, 2023
    March 25, 2023
    Rewterz Threat Alert – NJRAT – Active IOCs
    Severity Medium Analysis Summary NjRat is a Remote Access Trojan, which is found leveraging Pastebin to deliver a second-stage payload after initial infection. There are multiple […]
    March 24, 2023
    March 24, 2023
    Rewterz Threat Advisory – CVE-2023-20113 – Cisco SD-WAN vManage Software Vulnerability
    Severity Medium Analysis Summary CVE-2023-20113  Cisco SD-WAN vManage Software is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated […]

    Threat Insights

    16
    pdf-file (1)
    Annual Threat Intelligence Report 2022
    • Threat Advisories
    • Monthly Threat Insights
    • Threat Intelligence Reports
  • Why Rewterz?

    About Us

    Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.

    Read More

    play_btn_Smallplay_btn_hover_Small
    leadership

    Our Leadership

    Our leadership team brings together years of knowledge and experience in cybersecurity to drive our company's mission and vision. Our team is passionate about delivering high-quality products and services, leading by example and assisting our clients in securing their organization’s environment.
    help

    CSR

    At Rewterz, we believe that businesses have a responsibility to impact positively and contribute to the well-being of our communities as well as the planet. That's why we are committed to operating in a socially responsible and sustainable way.

    Connect with Us

    • Contact
    • Careers
Get in Touch
logo_SVG-01
  • Platform
    xdrLogo
    center_new
    Read More about XDR

    Platform

    • Rewterz XDR
    • Rewterz Defense
    • Rewterz Threat Intelligence
    Acid test your Security with Penetration Testing

    Managed Security Services

    • Managed Security Monitoring
    • Remote SOC
    • Onsite SOC
    • Hybrid SOC

    Managed Penetration Testing

    Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.

  • Services

    Assess

    • Compromise Assessment
    • APT Assessment
    • Penetration Testing
    • Architecture Design & Review
    • Red Team Assessment
    • Purple Team Assessment
    • Social Engineering
    • Source Code Review

    Transform

    • SOC Consultancy
    • SOC Maturity Assessment
    • SOC Model Evaluation
    • SOC Gap Analysis
    • SIEM Gap Analysis
    • SIEM Optimization
    • SOC Content Pack

    Train

    • Simulated Cyber Attack Exercise
    • Tabletop Exercise
    • Security Awareness and Training

    Respond

    • Incident Analysis
    • Incident Response
  • Solutions
  • Resources

    Resources

    • Blog
    • Press Releases
    March 25, 2023
    March 25, 2023
    Rewterz Threat Alert – GandCrab or .CRAB Ransomware – Active IOCs
    Severity Medium Analysis Summary GandCrab – a ransomware-as-a-service variant – was discovered in early 2018. At least five versions of GandCrab have been created since its […]
    March 25, 2023
    March 25, 2023
    Rewterz Threat Alert – NJRAT – Active IOCs
    Severity Medium Analysis Summary NjRat is a Remote Access Trojan, which is found leveraging Pastebin to deliver a second-stage payload after initial infection. There are multiple […]
    March 24, 2023
    March 24, 2023
    Rewterz Threat Advisory – CVE-2023-20113 – Cisco SD-WAN vManage Software Vulnerability
    Severity Medium Analysis Summary CVE-2023-20113  Cisco SD-WAN vManage Software is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated […]

    Threat Insights

    16
    pdf-file (1)
    Annual Threat Intelligence Report 2022
    • Threat Advisories
    • Monthly Threat Insights
    • Threat Intelligence Reports
  • Why Rewterz?

    About Us

    Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.

    Read More

    play_btn_Smallplay_btn_hover_Small
    leadership

    Our Leadership

    Our leadership team brings together years of knowledge and experience in cybersecurity to drive our company's mission and vision. Our team is passionate about delivering high-quality products and services, leading by example and assisting our clients in securing their organization’s environment.
    help

    CSR

    At Rewterz, we believe that businesses have a responsibility to impact positively and contribute to the well-being of our communities as well as the planet. That's why we are committed to operating in a socially responsible and sustainable way.

    Connect with Us

    • Contact
    • Careers
Get in Touch
Rewterz
Myths and Facts about PCI DSS
April 7, 2009
Rewterz
Guidelines for Setting Up a DLP
April 14, 2009

Acid test your Security with Penetration Testing

April 10, 2009

By Faiz Ahmad Shuja

This article was featured in the April 2009 issue of CIO Pakistan’s CSO magazine.    

 

In a cruel world, where even slow portals are not forgiven, the uproar in the event of a security breach is not too difficult to imagine.

Today, with the evolution of electronic commerce, online business presence signifies much more than your proactive business approach. The well being of your IT infrastructure relates to the trust of your customers and your corporate identity.

The advent of sophisticated threats and attacks over the Internet have added to the concerns of organizations globally. Blended malwares, sophisticated attacks, identity thefts, DDoS attacks and financial scams are just some of the predicaments associated with any system connected to the Internet.

Information security personnel in an organization can either learn their weaknesses the hard way by waiting for an attacker from the dark to exploit one of their vulnerabilities or could save their grace with their own trusted team of ‘Penetration Testers’.

Penetration Testing (Pen-Testing) is a practice of testing security measures by emulating real-world attacks on the IT infrastructure in question, pretty much like testing a supposedly bullet proof armor by showering bullets on it.

Penetration testing is considered one of the most rigorous tests of an infrastructure’s security and stability. Testing involves analysis of each access layer, network, system and application, such as from reviewing the application code of a front-end web application to analyzing the possibility of session hijacking attack on the network.

For most of the security audited organizations that we encountered, we found that previous security assessments generally lacked in-depth examination of the infrastructure, especially on the application layer – a high risk zone.

In fact most of the attacks witnessed in last few years heavily rely on the vulnerabilities existing in various web based applications. A compromised web application can grant mind boggling access to a determined attacker. A common scenario is when an organization has implemented a custom application developed by a third party. Such applications can host an array of high risk vulnerabilities.

Considering the very intricate nature of these tests, a common debate amongst management and information security personnel is whether to carry out these testing by in house personnel or hire a third party specialists. In house testing whilst being easy to rely on tends to be  biased in favor of existing management policies (after all they are the ones who built it in the first place). Whereas a third party usually provides harsh, ruthless analysis of your service and sometimes may go to extents that may be more of an overkill.

With penetration testing being declared mandatory by PCI DSS, other security standards are likely to follow suit. Now is a good time to start looking into your penetration testing requirements. In house penetration testing requires dedicated staff and resources along with some vulnerability research expertise. If however you are not thinking of further investments just yet, then a viable option would be to hire an external consultant.

When looking for a penetration testing service always look for a provider with a comprehensive testing procedures comprising of composite testing methodologies covering all layers of your infrastructure. Ask for their vulnerability research portfolios, such as discovery of any vulnerability in a popular application and issuing of vulnerability advisories. This will help you identify if they employ manual or automatic testing techniques during the tests.

An automatic test involves running specialized software that run through your network for common flaws. A manual test whereas involves in depth examination by seasoned veterans. Due to the complexities of application architecture and business logic, sometime it is almost impossible to detect vulnerabilities through automated tools and that is where expert penetration testing consultants come in. Manual examination reveals the presence of backdoors, obfuscated parameters and manipulation of programming logic to compromise platform integrity.

Another aspect to consider prior to finalizing your agreement is to consider the nature of testing to be carried out by the consultant. Generally there are two main types of testing approaches, Black box and White box.

In black box testing, penetration testers act as external hackers with no inside knowledge of the target network. Whereas, a white box test is carried out with extensive knowledge of the target network provided to the penetration testers. This information generally includes details of network topology, IP addresses, operating system versions, application source codes, etc.

The crux of all your tests, the penetration test report, will be an essential part of your future security roadmap. Report is made to provide an abstract account for key security personnel summarizing the weaknesses discovered and followed by a comprehensive description of the testing methodology adopted, phases of implementation and analytical review of the vulnerabilities detected. The penetration test report is the ultimate yardstick of your organization’s current security state. The penetration test report helps you prioritize remedial action for high risk vulnerabilities. Maintaining confidentiality of the report is a must.

Fortunately with the growth of local information security professionals, offering services akin to renowned international consultants, organizations no longer have to bring in foreign specialists at notorious rates. But before you finalize anything make sure you have carried out some background checks on the consultant’s professionalism. Look for customer testimonials and formal certifications such as CISSP, CPTS, CEH, GSEC, GCIA, GCIH and OSCP. Lastly, formulate legal agreements to ensure any vulnerability detected is kept confidential until remedial action has been taken.

Happy testing!

Platform

  • Rewterz XDR
  • Rewterz Defense
  • Rewterz Threat Intelligence

Managed Security Services

  • Managed Security Monitoring
  • Remote SOC
  • Onsite SOC
  • Hybrid SOC

Assess

  • Compromise Assessment
  • APT Assessment
  • Penetration Testing
  • Architecture Design & Review
  • Red Team Assessment
  • Purple Team Assessment
  • Social Engineering
  • Source Code Review

Transform

  • SOC Consultancy
  • SOC Maturity Assessment
  • SOC Model Evaluation
  • SOC Gap Analysis
  • SIEM Gap Analysis
  • SIEM Optimization
  • SOC Content Pack

Train

  • Simulated Cyber Attack Exercise
  • Tabletop Exercise
  • Security Awareness and Training

Respond

  • Incident Analysis
  • Incident Response

Threat Insights

  • Threat Advisories
  • Monthly Threat Insights
  • Threat Intelligence Reports

Resources

  • Blog
  • Press Releases

Connect With Us

  • Contact
  • Careers
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.
Get a Demo