The range and complexity of penetration tests reflect the challenges to cyber security as a whole.
The overall goal of pentesting is to identify vulnerabilities in your environment that a hacker may exploit. But each pentest is designed with more specific goals that can measure a given product during a set period of time, giving you actionable results.
Alacrinet's team of expert pentesters stays on top of the latest cyber security trends and risks through hands-on experience, training, and involvement with the cyber security community.
We've highlighted the top 5 types of penetration tests that large enterprises use to minimize risk and meet compliance requirements.
Web Application Penetration Test
Web App pentests attempt to exploit your environment and associated systems to highlight any underlying vulnerabilities. Web application assessments at Alacrinet employ the Penetration Testing Execution Standard (PTES) methodology as a baseline for a defined, repeatable, and high-quality assessment. This process utilizes both commercial and proprietary tools to analyze and test the security of web applications.
Leveraging our in-house threat models, Alacrinet expands its testing scope beyond traditional penetration testing methods to expose as many potential attack vectors as possible.
Mobile Application Penetration Test
With the increased sophistication and usage of mobile applications, organizations are now facing yet another attack vector in their digital infrastructure. With industry-leading experts in mobile app security, Alacrinet provides in-depth security analysis and testing for applications on iOS and Android. This rigorous security audit aims to attack the application and its server (if applicable) in multiple ways, highlighting any vulnerabilities within its code.
Network Penetration Test
External network penetration testing is necessary to identify vulnerabilities on external-facing networks, systems and services. The benefits of external network penetration testing include identifying software patches that must be installed, uncovering misconfigured software, firewalls or operating systems, identifying needed encryption or secure protocols, and finding vulnerable network attack vectors. Internal network penetration testing is necessary to identify threats ranging from potential malicious insiders exfiltrating data and compromising access credentials to corporate network vulnerabilities such as unpatched systems and misconfigurations, so that all potential attack vectors are identified.
Alacrinet’s network penetration testing employs the Penetration Testing Execution Standard (PTES) for a defined, repeatable, and high-quality assessment. Testing begins with automated scanning and enumeration tools; the resulting list of potential vulnerabilities is then accompanied by manual analysis, testing, and verification. Using a range of techniques and a vast internal knowledge base, Alacrinet’s security assessors then attempt to safely exploit these identified flaws, highlighting and demonstrating the associated level of risk.
Cloud (AWS/Azure) Penetration Test
Alacrinet applies a proprietary methodology to assess the security of an AWS environment by replicating real-world scenarios where AWS credentials or API keys have been compromised and the environment is breached. Playing the role of a malicious actor, the goal is to identify points of weakness in the AWS configurations, escalate privileges, remotely access EC2 instances, access databases and S3 data, establish persistent access, and stay under the radar. Alacrinet’s proprietary AWS penetration testing methods demonstrate the security risks of this additional technology layer, and how a sophisticated cloud attacker could exploit them. During this verification and exploitation phase, there are several vulnerability types we can identify.
Firewall configuration assessments and testing take a deeper dive into today's modern firewalls. The sophistication and construction of modern-day firewalls are such that security professionals must think beyond the capabilities of an automated scanner. Taking the perspective of a malicious actor and someone who understands the complexity of the modern-day firewall, we have created proprietary methodologies for testing the overall configuration and strength of your firewalls.
Our goal is to investigate the firewall itself instead of solely focusing on devices that are published through the firewall. During testing, not only do we attempt to penetrate the firewall, but we try to bypass it as well. This method allows us to discover vulnerabilities and exploit poorly implemented security policies. Our firewall configuration testing methodology helps us guide your organization through the proper implementation of security controls.
Alacrinet’s security assessors will attempt to leverage discovered vulnerabilities and test for key security flaws.
Recommending What's Right For You
As outlined in our approach, the first step we take with every client is understanding their goals and the purpose of the test during the Introduction & Scoping call. Based on that, we can recommend the penetration test that best meets their needs and current security landscape.
Additional Types of Pentests
Our team has experience with a full range of penetration tests that can be done to evaluate the strength of different areas of your IT environment.
Vishing Pretext Calling
Pretext calls, also referred to as vishing, utilize voice phone calls to coax a user into performing an unauthorized task, such as providing sensitive information or downloading an untrusted file.
A phishing assessment attempts to gain sensitive information or access from a target user through coercive emails.
Red Team Engagement
A flag-based attack with multiple engineers on the engagement, both onsite and remote.
Wireless Network Pentesting
A wireless penetration test emulates an attacker trying to break into your network through your exposed wireless networks.
Testing the functions and methods to verify how authorization and authentication could be bypassed.
Source Code Review
Reviewing the lines of code (LoC) in order to find vulnerabilities in the software.