WEB APPLICATION
Penetration Test
Websites | Web Services | APIs
MOBILE APPLICATION
Penetration Test
Mobile Apps (iOS, Android)
EXTERNAL NETWORK
Penetration Test
Internet Perimeter | Internet-facing Infrastructure
INTERNAL NETWORK
Penetration Test
Servers | Workstations | Business Systems | Wireless
Identify your technical risk
The most effective way to identify security gaps is to let an ethical hacker try to get in! This highlights areas which need improvement.
Increase your security posture
Results from penetration tests are valuable in plugging the right security holes to maximise your security.
Protect your customers
If you offer services to customers, their safety should be a top priority. Penetration tests on any customer-facing service is essential.
Satisfy compliance
Penetration testing is a requirement for many industry compliance standards, such as PCI DSS.
Increase your ROI
Obtain insight into the most cost effective areas to prioritise your security budget.
Obtain expert remediation plans
Penetration testing reports are detailed in nature, identifying the in-scope business risks in a prioritised manner, giving the business valuable insights.
Pentesting
You have questions. wE have answers.
Cybra’s vast penetration testing portfolio covers all corporate and enterprise grade systems, networks and applications. Our consultants are not only certified with globally recognised certifications, but have decades of experience consulting in all business verticals and industries, allowing us to use our experience to provide you unrivalled customer service and tailored services to meet your specific security requirements.
We perform web application penetration testing against all types of websites. The goal of a web application pentest is to assess the security controls deployed to protect your application, and if those controls are sufficient in meeting your risk appetite.
Web application penetration testing can be performed as unauthenticated (anonymous) and authenticated users. Coverage can simulate external threat actors, malicious insiders and any specific user roles present within the application.
Testing follows industry testing standards such as OWASP Testing Guidelines and Penetration Testing Execution Standard (PTES). Our tester’s are also CREST certified.
Some examples of why you might need a web application pentest:
1) You run an eCommerce site and accept customer credit card information, meaning you require annual penetration testing under the Payment Card Industry Data Security Standard (PCI DSS);
2) You are developing a new application that will be released into production, and want to identify any security risks before go-live so that your team can remediate any vulnerabilities;
3) You are concerned that your site may be vulnerable to being hacked, and want visibility into your current level risk so you can apply appropriate security controls;
4) You are concerned that your site or customer data may have been breached, and required ethical hacking services to help identify if a breach has, or will occur;
5) You practice good security hygiene and like your systems to be as secure as practical.
An organisation’s Internet-perimeter is defined by an organisation’s external network, residing outside of your primary gateway/firewall. The Internet-perimeter consists of your publicly allocated and routable IP addresses and typically made up of firewall interfaces, VPN interfaces, DMZ websites, E-Mail, NAT’d services.
Internet-perimeter penetration testing can also be known as External Network Penetration Testing or Attack Surface Penetration Testing. We follow industry testing standards such as the Penetration Testing Execution Standard (PTES) and NIST. Our penetration testers are OSCP and CREST certified.
There are several benefits to undertaking an Internet-perimeter (or external) pentest, including:
1) Identifying which network services are being exposed to the Internet. E.g., have assurance that the firewall is not misconfigured and unnecessary or vulnerable services are being exposed to attack;
2) Get visibility on what your network is exposing to the Internet, and analysis of how secure those services are and if you are at risk of being compromised by a remote threat actor.
3) To meet compliance obligations. Many international standards, such as PCI DSS require annual external penetration testing in order for you to remain compliant;
4) You practice good security hygiene and like your systems to be as secure as practical.
An internal network is typically the nerve centre for an organisation’s information systems. An internal network consists of staff workstations, servers, corporate systems and applications, network devices, voice systems and more. Many organisations invest heavily in securing their Internet-perimeter but often overlook securing their internal network and systems. Internal networks are becoming easier to compromise by attackers due to social engineering attacks such as phishing. If a staff member clicks on a malicious email, your perimeter firewall may be bypassed completely and now an attacker has a foothold inside your network.
We follow industry testing standards such as the Penetration Testing Execution Standard (PTES) and NIST. Our penetration testers are OSCP and CREST certified.
Some benefits to conduct an Internal Network Penetration Test include:
1) Get visibility to your organisation’s risks and vulnerabilities;
2) Validate if your security controls are working, such as effective vulnerability and patch management;
3) Get a clear understanding of where your security gaps in your network are so they can be patched before they are breached.
The huge surge in mobile applications and smart phone usage has introduced a new breed of threats to an organisation. Like web applications, mobile applications often hold private and sensitive information, and have backend access to application and database servers.
We follow industry testing standards such as the OWASP Mobile Security Framework Testing Guide and Penetration Testing Execution Standard (PTES). Our penetration testers are OSCP and CREST certified.
You may like to conduct a Mobile Application Penetration Test if:
1) You are developing a new mobile application and require security testing to ensure no vulnerabilities exist before being released to the public;
2) You are an organisation that is looking to purchase a software product that includes a mobile application that can be used by staff, and you want to assess if it’s introduction into your environment will pose any risks.
Many organisation’s are moving applications, systems and infrastructures to the cloud. With this mass adoption comes a new breed of security risk. A cloud penetration test in general terms is the same as traditional penetration tests, just moved from your on-prem environment to your cloud infrastructure.
Cloud penetration testing can be external (internet-facing) and internal (within your tenant). We follow industry testing standards such as the Penetration Testing Execution Standard (PTES) and NIST. Our penetration testers are OSCP and CREST certified.
Cloud penetration testing can include:
1) Assessing the security controls deployed on SaaS solutions, such as E-Mail and Directory services, MFA, Access and authorisation controls.
2) Infrastructure level testing to ensure firewall rules, services, access controls have been configured securely.
3) Internal penetration testing of hosts/containers residing within your cloud environment through remote access or virtual machines.
Wireless networks have often been the weak point in many organisation’s security, as convenience has often been the selling point over security. Due to wireless network signals often extended outside of your building walls, an attacker has the luxury and time to attack your network without fear of being caught.
There are numerous ways an attacker can compromise your organisation through your Wi-Fi network, including encryption attacks, hijacking, spoofing and impersonation. Cybra will perform thorough security assessment of your wireless networks to ensure your network is not at risk of compromise.
We follow industry testing standards such as the Penetration Testing Execution Standard (PTES) and NIST. Our penetration testers are OSCP and CREST certified.
Physical Penetration Tests are customisable engagements aimed at assessing the security controls of your physical office, building or facilities. Cybra will perform checks that include physical access point security (doors, windows, censors, man-traps, locks, alarms), security protocols are being followed (receptionist requires signing in with ID, guest badges are enforced, staff don’t open the door for strangers or allow tail-gating), staff challenging suspicious behaviour, sensitive areas being inaccessible, workstations and laptops being locked, network access is not exposed in unsecured areas, and more.
We can also perform scenario tests that specifically target areas of your organisation offering you a thorough and detailed report documenting all risks including remediation advice.
Frequently Asked Questions
All of our testing is aimed to be non-destructive. That is we will never purposefully disrupt any of your services. In extremely rare cases this may occur, but we find these issues occur when a proper consultation does not occur
and the testers are not properly briefed on the systems they are testing. Quality service to you is our number one priority and we will do everything in our power to make the penetration testing engagement smooth and hassle
free.
Provided you have permission from the network and system owners you can engage us to perform penetration testing on: Websites, Web Applications, Mobile Applications, Thick Clients, External Network, Internal Network, Wireless
Network, Email, Cloud, People, Physical Premises – Anything that holds your information really!
This is completely up to you! It is dependent on what you want to achieve out of the security assessment. You might be wanting to check the security of specific systems, such as email or your website, or you may have an obligation
to meet specific standards or compliance. Have a chat to us and we can talk through your situation and come up with a plan together.
Unfortunately no single security service will ever make you completely secure. However, penetration testing is one of the most effective ways to identify the risks you have and how to remediate them. Penetration Testing should
be used in conjunction with complimentary security controls for a maximised security posture.
Depending on your current situation and what compliance you need to adhere to, penetration testing is often a requirement. For example, the PCI DSS standard which is required if you handle customer credit card information and
it mandates regular penetration testing of your internal and external systems. Another example is ISO 27001, where specific control objectives can be met with penetration testing. Speak with us if you are unsure and we will
be able to assist.
Absolutely. All of our consultants have vast experience in the Information Security domains and have current industry certificates to demonstrate their competencies such as CISSP, CREST, OSCP, CEH, and more.
We offer pentests to Sydney, Melbourne and Brisbane. Depending on the type of pentest you need, we are likely able to perform it remotely, in which case it doesn’t matter where you are located!
We would love to hear from you and discuss how penetration testing will benefit your business. Contact us at [email protected]
Verizon Data Breach Investigations Report 2021
Don’t become the latest statistic
Why not perform a pre-emptive, safe and controlled attack on your business, and use the outcomes of the assessment to plug your security holes before a real attacker finds and exploits them.
Experience
We Have experience working with all industries.
Cybra’s vast service portfolio covers all corporate and enterprise grade systems, networks and applications. Our consultants are not only certified with globally recognised certifications, but have decades of experience consulting in all business verticals and industries, allowing us to use our experience to provide you unrivalled customer service and tailored services to meet your specific security requirements.
Education remains a prime target to cybercriminals due to the private data that many schools and learning centres are custodians of. Education is often under-resourced and faces uphill battles when trying to maintain a strong cyber security posture against new and emerging threats.
We have vast experience in working with Education providers and understanding their specific needs and requirements when it comes to protecting their student and staff information.
Government, particularly local governments and councils, face a multitude of challenges when protecting their assets from cybercriminals. This tends to stem from diverse architectures and systems, legacy applications, changing regulations and compliance and lack of budget.
We have worked extensively with local governments over the years and have a solid understanding of how they work, what they are trying to protect and what outcomes are desirable.
The most popular service we offer with government clients is penetration testing of external internet-connected infrastructure and websites.
Attackers can be opportunistic shoppers — and in the retail industry, they see a potentially vulnerable target. Countless big-name retailers have been hit by data breaches, including Macy’s, Home Depot, CVS, Kay Jewelers, Best Buy, Target and more. The retail sector is a top target for cybercriminals, especially as growing pressure from eCommerce giants forces more and more retail transactions online.
We have performed penetration testing over retail shopping websites, mobile applications and cloud deployments. We have also performed penetration testing designed to satisfy PCI DSS compliance.
The finance industry is always at the coal-face of cybersecurity, providing the most alluring target to would-be attackers. Due to the importance of protecting customer’s data and money, the finance industry is required to abide by some of the strictest regulations and compliance obligations.
We have performed penetration testing of banking infrastructure (internal and external) and of banking mobile applications.
Critical infrastructure, such as power and electricity, is becoming a hot-button cybersecurity topic due to the interconnected nature of new ICS and SCADA infrastructures worldwide.
Attacks on critical infrastructure, industrial espionage, phishing emails and drive-by downloads are just a few of the tactics employed by cybercriminals that can lead to defective products, production downtime, physical damage, injuries and death, the loss of sensitive information and more.
The manufacturing industry is an especially attractive target for cybercriminals for several reasons, including:
* Legacy equipment or industrial IoT devices that were not necessarily put in place with security in mind
• Gaps between IT and operations technology
• Lack of documented training, processes and procedures a
• Failure to conduct adequate risk assessments
The Internet of Things (IoT) is one of the greatest potential weak spots for manufacturers when it comes to cybersecurity. While they gain efficiencies and improve production processes with connected devices and intelligent machinery, the IoT exposes manufacturers to a network easily infiltrated by those looking to do harm.
We have performed penetration testing of critical infrastructure networks, including secure network segmentation testing.
Like the government, health care organisations are privy to a plethora of sensitive information. And like the government, many organizations are not adequately protecting that data. Millions of patients have had access to private records compromised in an ongoing series of costly and high-profile data breaches. The health care industry also has suffered considerably more than other industries when faced with ransomware attacks.
Health care organisations have been a frequent target of cyber-attacks for two primary reasons, the high value of data that these organisations possess and the ease with which hackers are able to access this data. Data gleaned from insecure systems is then sold on the black market, where cybercriminals purchase and sell personal data for a multitude of purposes including espionage and identity fraud.
More Penetration Testing Resources
Latest penetration testing articles written by Cybra