Penetration testing

Introduktion

Penetration testing requirements?
We will solve it!

All systems have vulnerabilities. Vulnerabilities that could increase the risk of data breaches if left untouched. A penetration test, or pentest, discovers vulnerabilities and identifies which ones are most critical. Having a picture of the system’s vulnerabilities makes it easier to prioritize resources to address them.

Contact Us

Do you want to know more about our service and solutions? Contact us and we will assist you.

Contact Us

This is what you get

The best support in pentesting

In addition to the fact that all systems have vulnerabilities that you want to identify and remove, the background to the need for a pentest can come from external requirements from investors, customers, suppliers or as a requirement for, for example, certifications. No matter where the need comes from, we understand the requirement and can deliver the best support for your penetration test.

We have a solid experience of different types of tests for companies and organizations where the assignments range from tests in simple environments to very complex. We carry out our assignments with highly experienced specialists according to a well-proven methodology and various industry practices. Conducting pentests is a craft and our testers take great personal responsibility to always deliver with the highest quality.

Our standard package includes retesting as part of our offer. We do this to ensure that the identified vulnerabilities are actually addressed. After the test is completed, we will provide you with a report of the results and recommendations, which we will review with you.

This is what we can test

Our penetration tests

No two companies’ IT environments are the same. It is therefore important that we go through the conditions and methods together with you to come up with a good solution. Common to all our penetration tests is that we follow industry standards and methods from OSSTMM, OWISAM, OWASP, OASAM, ISSAF, NIST, ISACA, SANS, Mitre Attack. We perform penetration tests on web applications, mobile applications, infrastructure and APIs but also have the possibility to customize a test based on your needs.

Pentest web application

A web application such as an e-commerce site, a booking system or a customer and supplier portal often stores and handles sensitive information.

By penetration testing the application, we can find vulnerabilities that in many cases can be exploited to either access sensitive information or to gain administrator access to underlying systems.

Benefits of penetration testing web applications

Identifying ways to manipulate the system
Finding security issues related to cookies
Identifies misconfigured security settings
Tests protection against injection attacks

Pentest mobile application

Vulnerabilities in mobile apps can potentially harm both businesses and mobile users.

Cybercriminals exploit vulnerabilities in mobile applications to either gain access to a company’s information assets or use it as a tool to spread malware to users. Our mobile application testing provides valuable insights into the vulnerabilities and issues of applications. These insights are primarily used to close security gaps, thereby protecting the client’s and the company’s information.

Benefits of penetration testing mobile applications

Identifies improper storage of sensitive information
Identifies misconfigured security settings
Identifies improper or unencrypted communication
Identifies authentication issues
Tests protection against injection attacks

Pentest infrastructure (network)

A pentest performed on the infrastructure can reveal which parts of the network are vulnerable and can be used as a gateway to access an underlying system.

We can test SQL servers, VPN servers and connections, mail servers, firewalls, FTP and file servers, interconnected third-party systems, and other inputs to the organization’s internal network and systems. In addition, we can also test the IT system’s operating system and examine and advise on how to configure it safely (hardening).

Benefits of penetration testing infrastructure

Finds and tests CVE vulnerabilities
Identifies flaws in firewall configurations
Identifies what an attacker can do if it is on the internal network or enters the network via a VPN connection

Pentest API

An API (application programming interface) is used to allow applications to communicate with each other.

Examples of such links are between the company’s website and CRM systems, analytical tools, payment systems or external forms. Our API pen test checks whether the API has vulnerabilities that can be exploited by an attacker. For example, strengthening the API endpoints can prevent customer information from being exposed to the attacker.

Benefits of penetration testing API connections

Identifies if the API connection exposes sensitive data
Identifies incorrect security settings and authorization structures
Tests protection against injection attacks

Några av våra kunder

Approach to our pen tests

Different ways to test

Once you have decided which target to penetration test, the next step is to decide how to perform the test. Our service is based on black, gray and white box pentests.

White Box

We get full access to the software source code and documentation and also have access to the environment.

This allows the penetration tester to focus on analyzing the system’s architecture, code structure and design. You could say that a whitebox penetration test tests from the inside out unlike a blackbox which tests from the outside in.

White Box penetration testing identifies potential weaknesses in software and is primarily used as a final step in the development of apps and systems to find and prevent potential vulnerabilities that could lead to data leaks and breaches.

Example: The penetration tester has full access to all information and identifies threats and risks by analyzing source code and documentation.

Grey Box

This is a middle ground between the Black Box and the White Box where we have some information about how the system works.

Grey Box simulates an attacker who has already penetrated the external protection and has some form of internal access to the network. This penetration test is more time-efficient as it skips the initial intrusion attempt and instead focuses on detecting errors in a single application or finding vulnerabilities in internal information-sensitive systems to which it is given possible access.

Example: The attacker has obtained a user account and tries to use it to escalate his/her permissions in the system.

Black Box

We know nothing about the system or the environment to be attacked and are completely unqualified.

The conditions are the same as for an outside attacker. The focus is mainly on attacking the external protection, but also further into the systems behind it. The black box is time-consuming but also provides a clear overall picture of how well the system is protected in the event of an intrusion attempt.

Example: The attacker attacks a web, or IP address to obtain information or cause damage.

Here’s how it works

Implementation and process of pentests

The methodology used to conduct pentests varies slightly depending on the scope and external conditions. It often involves four to six steps that can be repeated like a cycle. An example scenario for a Black Box pentest is described below.

Collection of information on the target
In addition to the main objective, are there secondary objectives with lower security? What underlying systems can the target be expected to have. Is there open information about the target, which IP addresses could be targeted and which can be obtained?
Scanning of targets
What open ports does the target have and what do the vulnerabilities look like in a vulnerability scan?
Attack:
Exploit the vulnerabilities and try to gain access to systems through, for example, open ports, login fields, system vulnerabilities, and so on.
Conclusion:
Closing the attack, gathering evidence, preparing vulnerability report and recommendations

As described above, pentesters often use a vulnerability scanning tool to scan the target for potential vulnerabilities in the system. Each vulnerability discovered is then tested to see if it can be used to penetrate the system. Validating that the potential vulnerability can be exploited in practice is the major difference between a vulnerability scan and a penetration test.

Questions and answers

Here are answers to the most frequently asked questions about penetration testing. Do you have a question that is not listed? Use the contact form further down the page.

Get in touch!

If you want to know more about our Penetration Tests, please contact us. Send a message using the contact function, or pick up the phone and call 020-66 99 00.

If you need further testing, we can also carry out Phishing tests, among other things. We can also carry out deeper threat assessments and OSINT projects.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement		Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics		Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Analytics" category .
cookielawinfo-checkbox-functional		The cookie is set by the GDPR Cookie Consent plugin to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary		Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Necessary" category .
cookielawinfo-checkbox-others		Set by the GDPR Cookie Consent plugin, this cookie is used to store the user consent for cookies in the category "Others".
cookielawinfo-checkbox-performance		Set by the GDPR Cookie Consent plugin, this cookie is used to store the user consent for cookies in the category "Performance".
CookieLawInfoConsent		Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID		The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application.

Cookie	Duration	Description
1e5a17c8ab		This cookie is set in relation to Zoho Campaigns
AnalyticsSyncHistory		No description
bscookie		LinkedIn sets this cookie to store performed actions on the website.
lang		LinkedIn sets this cookie to remember a user's language setting.
li_gc		Used to store consent of guests regarding the use of cookies for non-essential purposes

Cookie	Duration	Description
_ga		The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_X8W3VDVR14		This cookie is installed by Google Analytics.
_gat_UA-112487526-1		A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gid		Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
utm_source		This cookie is used to record from where the visitor came to the website orginally. This information is used by the website operator to know the efficiency of their marketing.

Cookie	Duration	Description
_fbp		This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
d18efd344f		Collects information on user preferences and international with erb content. Used to promote relevant events or products. Session.
fr		Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE		Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie		The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
utm_medium		This cookie is used to record from where the visitor came to the website orginally. This information is used by the website operator to know the efficiency of their marketing.
ZCAMPAIGN_CSRF_TOKEN		No description available.
ZMEET_CSRF_TOKEN		No description available.

Penetration testing