Advanced Penetration Testing by CREST Certified Experts
Penetration testing, also referred to as pen testing, pentesting, and ethical hacking, is a simulated real-world attack on a network, application, or system that identifies vulnerabilities and weaknesses. Often paired with vulnerability assessments, penetration tests are part of an industry-recognised approach to identifying and quantifying risks. They actively attempt to ‘exploit’ vulnerabilities and exposures in a company’s infrastructure, applications, people, and processes. Through Vulnerability Assessment and Penetration Testing (VAPT), Nettitude is able to provide context around the vulnerability, impact, threat and likelihood of a breach in an information asset.
It’s possible for a pen tester to gain remote access to operating systems, application logic, and database records. Through active exploitation of direct and interconnected systems, Nettitude can provide strategic tools and guidance on risk and tailored advice on countermeasures.
Benefits of Penetration Testing
Manage your risk – A penetration test identifies and assess vulnerabilities in your environment and allows you to remediate them before an adversary takes advantage of them.
Protects clients, partners, and third parties – The employment of pen testing services provides your clients with the assurance that you are taking cybersecurity seriously and are doing everything you can to mitigate the risks of a cyber breach, solidifying both their trust in your company and your business’s reputation as well.
Allows you to understand the environment – Since the cybersecurity ecosystem in Singapore is constantly evolving, it’s imperative that you not only keep up to date with the ever-evolving landscape but also dive deep to discover how it will affect your business. A penetration test allows you to understand the happenings within your environment and the types of cyberattacks that your organisation may face.
Identifies weaknesses you didn’t know were there – Penetration testing looks for the potential backdoors into your network that may exist without your knowledge.
Basics of Pen Testing
If you’re new to the world of penetration testing and wish to gain a simple understanding of what it is, be sure to check out our learning resources to help get you started.
Nettitude: The Award-Winning Penetration Testing Provider
As a leading penetration testing company, Nettitude holds the most coveted accreditations not only in Singapore, but across the world.
- Nettitude is an active member of the Council of Registered Ethical Security Testers (CREST).
- Nettitude is a proud member of the UK government’s National Cyber Security Centre (NCSC) scheme. Our team of testers includes CHECK Team Leaders within infrastructure and web applications, as well CHECK Team Members.
- Nettitude is an ISO27001 certified organisation and conducts all external testing engagements from a rigorously controlled environment. Nettitude’s security consultants hold CISSP qualifications, with several of them holding CISA and CISM accreditations. All our pen testers have had their backgrounds thoroughly checked.
- We are also an authorised supplier of CBEST and STAR testing services. Additionally, Nettitude’s 24/7 SOC is accredited to provide CREST SOC services.
- The Nettitude security testing team includes CREST Certified Infrastructure Testers (CCT Inf), CREST Certified Web Application Testers (CCT App), and CREST Registered Testers (CRT).
- In addition, our team comprises industry-recognised consultants and published authors that have been acknowledged by the media and the cybersecurity community in Singapore.
Frequently Asked Questions About Penetration Tests
What are the different types of penetration tests available?
There are both internal and external penetration tests. Their utilisation is largely dependent on whether the tester plans to access the physical environment of the internet-facing environment.
Penetration tests can either be traditionally operated within an organisation or externally from the internet. The appropriate vantage point for the testing should be determined by an organisation’s focus on risk. Do note that the two places for testing aren’t mutually exclusive. Organisations with a strong focus on risk management will most frequently conduct testing from both an internal and external perspective.
Internal Penetration Testing
Internal penetration tests are conducted from within an organisation, over its Local Area Network (LAN) or through WIFI networks. The tests will observe whether it’s possible to gain access to privileged company information from systems that are inside the corporate firewalls.
Testers with no credentials will assess the environment and determine whether a user with physical access to the environment can extract credentials and even escalate their privileges to that of an administrator or a superuser.
During an internal penetration test, the tester will attempt to gain access to sensitive data, including PII, PCI card data, R&D material, and financial information. They will also assess whether it’s possible to extract data from the corporate environment and bypass any DLP or logging devices to look into the countermeasures or controls that have been put in place.
External Penetration Testing
An external pen testing plan will assess the security controls configured on the access routers, firewalls, Intrusion Detection Systems (IDS) and Web Application Firewalls (WAF) that protect the perimeter.
External tests will also provide the ability to assess security controls for applications that are published through the internet. Nettitude recognises that there is increasing logic being built into website services to deliver extranet, e-commerce, and supply chain management functions to internet users. As a consequence, Nettitude pays particular attention to these resources. We also perform granular assessments on their build and configuration, as well as interaction with other data sources that sit in your protected network segments.
What are the different types of penetration testing strategies available?
Let Nettitude guide you through the differences between black, white, and grey box penetration testing services.
Black Box Testing
- In a black box test, the client doesn’t provide Nettitude with information about their infrastructure other than a URL or IP, or in some cases, just the company name.
- Nettitude is tasked with assessing the environment as if they’re an external attacker with no information about the infrastructure or the application logic tested.
- Black box penetration tests provide a simulation exercise that models how an attacker without any information, such as an internet hacker, organised crime organisation, or a nation-state sponsored attacker, could present a risk to the environment.
Grey Box Testing
- A grey box test is a blend of black box and white box testing techniques.
- In grey box testing, clients provide Nettitude with snippets of information to help with the testing procedures. This results in added breadth and depth, along with wider testing coverage than black box testing. Grey box penetration testing provides an ideal approach for customers who want to have a cost-effective assessment of their security posture.
White Box Testing
- In a white box test, Nettitude is provided with detailed information about the applications and infrastructure.
- It’s common to provide access to architecture documents and application source code.
- It’s also usual for Nettitude to be given access to a range of different credentials within the environment.
- This strategy will deliver stronger assurance of the application and infrastructure logic. It’ll provide a simulation of how an attacker with information (employee, etc.) could present a risk to the environment.
What does the penetration testing process entail?
- Phase 1: Scoping
- Phase 2: Reconnaissance and Enumeration
- Phase 3: Mapping and Service Identification
- Phase 4: Vulnerability Analysis
- Phase 5: Service Exploitation
- Phase 6: Pivoting
- Phase 7: Reporting and Debrief
Penetration Testing Reports & Deliverables
Testing Report & Documentation
- You will receive a high-level management report and an in-depth technical review document for every penetration testing engagement.
- These documents will highlight security vulnerabilities and identify areas for exploitation.
- In addition, they will provide guidance on remediation, with a focus on preventative countermeasures.
To gain access to a management and technical sample report related to your industry vertical in Singapore, please contact us.
Nettitude ensures that all tests have a full debrief at the end of the engagement.
If required, Nettitude can deliver this debrief in a face-to-face manner. During this process, we will provide a presentation of critical and high-level vulnerabilities, along with guidance on remediation and countermeasures.
When a face-to-face meeting isn’t required, Nettitude conducts debriefs through video conference and WebEX. Through this approach, we’re still able to share a comprehensive presentation of vulnerabilities and areas identified as being high-risk. We’re also able to give you live demonstrations of where exploitation is possible, together with guidance on how to secure the environment moving forward.
Post Test Guidance
- You will be provided with three months of complimentary access to our Security Support Desk.
- This provides a level of assurance through the remediation phase, ensuring that you can get all your vulnerabilities fixed in a time-sensitive manner.
Get a free quote