Penetration Testing

Penetration Testing Service

Digitpol provides Penetration Testing Services to protect your business from cyber threats, safeguard customer data, and maintain trust with clients and stakeholders in today’s interconnected digital world. Digitpol offers penetration testing, also referred to as ethical hacking, to assess the security of computer systems. This includes vulnerability assessments designed to identify, evaluate, and prioritize weaknesses within the system. Additionally, Digitpol performs application testing on both new and existing applications to uncover security flaws, malware, data leaks, security certification issues, and coding vulnerabilities. Penetration testing can be conducted on both local and remote infrastructures and software applications in a controlled environment, adhering to strict guidelines and agreements with the client such as pre-signing an NDA and a clear scope of work.

Penetration Testing Methods

As a standard there are three Pentest methods can be distinguished. These are well-known as black box testing, gray box testing and white box testing. None of these methods are considered the best but applied depending on your situation and after a consultation, the right approach can be applied. Each variant has its own pros and cons and will discover slightly different outcomes. The right choice therefore depends entirely on the stage of development, network circumstances and past testing.

Black Box Testing

In a black box Pentest, the ethical hacker has no prior knowledge of the target system and has to work with limited time and resources to discover vulnerabilities and potential attack vectors. This approach simulates a real-life scenario where an attacker has no insider knowledge or access to the system. As a result, this type of Pentest is often used to evaluate the overall security posture of a system or organization. However, due to the lack of prior knowledge, it may not uncover more complex vulnerabilities or weaknesses that a knowledgeable attacker could exploit.

Gray Box Testing

In a gray box Pentest, the tester has some level of information about the system or application being tested, but not full disclosure like in a white box Pentest. This approach is often used to simulate an insider attack, where the tester has some level of access or knowledge of the system or application. The goal of this approach is to identify vulnerabilities that could be exploited by an insider with malicious intent, while also testing the system's defense against an external attacker.

White Box Testing

In a white box penetration testing (or "full disclosure" testing), the penetration tester is given detailed information about the target system or application in advance, including network diagrams, system architecture, and even access to the source code. This information allows the tester to perform a very thorough analysis of the system and potentially discover more complex and well-hidden vulnerabilities that might not be discovered in a black box testing approach, where the tester has no prior knowledge of the target system. However, the downside of white box testing is that it may not accurately reflect a real-world attack scenario, where an attacker would not have access to such detailed information.

The process of a Penetration Test

At DIGITPOL, a Pentest always always starts with an interview, we often do this via a conference call or in person, during this interview the scope (framework) of the Pentest is defined along with the object of the investigation and which methods we will apply. The budget, time frame and schedule are important. After the interview, we will send you a contract that details what we will do, the cost and timeframe, we also can sign an NDA. Once this has been established, the Pentest can start.

This happens in three phases:

Reconnaissance

In the exploration phase, the ethical hackers will start mapping potential entrance doors. This involves mapping the infrastructures and systems used and looking for low-hanging fruit. This is one of the most vital parts of the process.

Launch The Attack

After the exploration, the actual attacking of your applications, networks or systems begins. The ethical hackers try to find entry doors and exploit vulnerabilities in order to penetrate your systems and steal sensitive data. The hacking starts, we detail every step and we record our sessions which is handed over in the final report.

Report the Findings

During the Pentest, the ethical hackers document all vulnerabilities and findings found that are classified according to a risk profile for your organization. This results in a clear and detailed report containing the most important conclusions and recommendations with which the security of your organization can be improved. This report is used to solve any issues found.

IP, Wi-Fi, LAN, Networks

A Pentest aimed at your companies internal network and provides detailed information on any and all vulnerabilities related to your LAN, IP or Wi-Fi networks. It's a deep dive into what networks exist, how powerful their security is, and what devices connect to them. In some cases the test can discovery whether ransomware or your employees can compromise data. In some cases we have detected remote access was found.

(WEB) APPLICATIONS

Testing of Web applications and services such as websites, payment apps, payment or financial systems (POS) and portals are the gateway to your data and even your internal infrastructure. A Pentest reveals vulnerabilities in these applications, this test can be extended to all forms of apps, payment systems, POS machines, apps that contain wallets.

MOBILE APPS & APIS

Mobile Apps often process personal or sensitive data and are linked in various ways to other (web) services and APIs. Modern apps often contain a method to accept a payment or collect personal data. A Mobile App Pentest examines all possible attack vectors and links of the Mobile Apps, hosted environment and open back doors.

IACS & OT

Testing of devices is highly important as most IACS are not secured by default, we assess the security of your Industrial Automation and Control Systems (IACS) and Operational Technology (OT) environments with ICS/SCADA, HVAC, SIS, communication systems for vulnerabilities. In some cases, after the test, we can apply a firewall for industrial devices.

Mobile APP CODE Assessment

Mobile App (iOS or android) Code Assessment and Penetration Testing, we provide mobile app penetration testing services to review code and discover security flaws, our services are conducted by senior coders and assessment testers, we use both automated and manual examination of code. Our code review is deployed at the final stage of your app development, just before it goes live, we will test the code for security risks, vulnerabilities and for compliance.

APP API - Cloud Pen Testing

APP API Testing, As many apps send data to a cloud known as a backend end via an API, we also conduct testing of cloud environment to APP for discovery of vulnerabilities and security risks. An API between an APP and cloud can contain hidden flaws in security, this is a critical factor we look into

LAN Network Penetration Testing

Digitpol specalises in security audits of a local network can be performed locally, onsite or at clients premises or via VPN. Testing of LAN networks will discover malware, bots, rogue devices, traffic to rouge sources, data leakage, unauthorised PC or devices and vulnerabilities.

Auditing & Assesment

A Pentest is often a mandatory part of audits for a range of standards including ISAE or ISO27001. A Pentest in the context of an IT assessment is aimed at meeting standards frameworks. The report is immediately usable for an auditor to detect the flaws, identify gaps and apply immediate fixes.