SlideShare a Scribd company logo
PENETRATION TESTING SERVICES
BTPRO Bilgi Teknolojileri A.S
Office: +90 216 3840986 / Fax: +90 216 3840986
19 Mayis Mah. Sumer Sok. A4/11 Kozyatagi ISTANBUL
Mobil Çözümler | Siber Güvenlik | E-Devlet Çözümleri
BTPRO Bilgi Teknolojileri A.Ş.
8 Haziran 2015
Pentest Services
Presenter: Mesut TÜRK
mesut.turk@btpro.net
Agenda
• What is a Pentest?
• Why should you perform pentesting?
• What are the benefits of Pentesting?
• How are Pentests performed?
• What are the targets of a pentest?
• Attacker profiles in a pentest
• When to perform a pentest?
• Reporting
• Evaluation
• Verification tests
Pentest Service
3
• A pentest is a set of authorized cyber attacks, in order to discover and
verify the vulnerabilities of an information system.
• In a typical pentest session, vulnerabilities are carefully exploited.
– Customer will be informed of all steps.
– Tests will be performed against all systems of the customer.
What is a Pentest?
4
• Depicting the current security level of a company
• Identifying the gaps, and security consciousness of both systems and
human resources against possible breaches.
• Pentests find out; How big and what sensitive information will be lost in
case of a cyber attack.
Why to perform a Pen-test?
5
• Independent IT-Security Institute reports around 150,000 malwares
were produced , in 2014.
• AV-TEST Institute reports 390,000 new malwares every day.
• Kaspersky LAB reports that;
– 6,167,233,068 malwares were found in year 2014.
– 1,432,660,467 mobile attacks were discovered in 2014.
– Among the surveyed companies involved in E-Business; half of them have
suffered losses because of cyber attacks.
• Different attack types and methods are discovered each day.
Why to perform a Pen-test
6
• Carbanak: A cyber gang with financial
motives
Have stolen 1 billion US Dollars (using
malware and remotely) in 30 different
countries.
• Sony: A no pity cyber attack, causing a
big reputation loss by company.
• HSBC Turkey: November, 2014: 2.7
million card info was stolen
International Cyber Security Incidents-2014
7
• Vulnerabilites of an information system are exposed.
• Facilitates the analysis of genuine risks.
• Helps sustain Business Continuity
• Decreases the possibility of real attacks
• Protects staff, customers and business partners
• Helps to be compliant with
– ISO27001
– PCI DSS
• Increases know-how and facilitates analysis for real attacks.
• Preserves company reputation
What are the benefits of a Pen-test?
8
• Determining the Scope
– Web App pentest
– End user and social engineering attacks
– Ddos and performance tests
– Network infrastructure tests
– External and Internal network tests
– Mobile App pentest
– Virtualization system pentest
– Database pentest
How is Pentest performed?
9
Pentest Scope
10
• Performing the Test
– Information gathering
– Analysis and plan
– Discovering vulnerabilities
– Exploitation
– Gaining access
– Privilege Escalation
– Analysis and Reporting
– Post-Fix Verification
How is Pentest performed?
11
★ Our Pentest reports cover each and only
relevant (that is potentially causing a risk) risk
information.
★ We never deliver auto-scan results to the
customer, and we employ and encourage our
staff in specific fields of pentesting.
★ We are a team composed of web pentesters,
scada tester, ddos expert, network pentesters,
social engineer and wireless pentester.
• Following domains are tested against possibility for information leakage and
system malfunction;
• Mistakes/Shortcomings in application development
• Configuration errors
• Security awareness of staff
• System protection level
• Infrastructure security level
• Insecure certificate usage
• Patch level of Applications
• Patch level of Operating Systems
are tested and observed in order to identify the security level of the determined scope.
Target systems in a pentest
12
• External Network test profiles
– Normal user with no insider information
– Unauthorized user with insider information
– Authorized user with insider information
– Admin user with insider information
• Internal network test profiles
– Unauthorized user
– Employee profile
• Unhappy employee profile
• Disgruntled employee profile
– Manager profile
Attacker profiles in a pentest
13
• Critical terms for the industry and the company
• Before and After corporate milestones.
• Hiring/Firing critical personnel
• The weak system
• The strong system
When to perform a pentest
14
• At least once a year
• After system change & new system deployments
• After new system integrations.
How often are Pentests performed?
15
• All findings during the pentest are analyed, verified and reported.
• A detailed explanation of findings, with solution recommendation and
steps to resolve are submitted in the report.
• Findings are categorized. Findings by category, findings by severity are
statistically graphed in the reports.
Reporting
16
• A sample finding.
Reporting
17
Security re-evaluation of the company
18
• An executive summary report is delivered to the executives, which
shows the general security evaluation of the company.
• A project closure meeting will be organized to discuss the report.
• After a detailed explanation of findings and delivery of final report, the
company is expected to close the gaps.
• After the gap-closure, a time frame is determined by both parties for
verification tests.
• Findings in the report are reevaluated in the verification tests.
Verification Tests
19
QUESTIONS ?
20
THANKS...
21

More Related Content

What's hot

Building an application security program
Building an application security programBuilding an application security program
Building an application security program
Outpost24
 
What is Penetration & Penetration test ?
What is Penetration & Penetration test ?What is Penetration & Penetration test ?
What is Penetration & Penetration test ?
Bhavin Shah
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security Management
Mayur Nanotkar
 
Lesson 3- Effectiveness of IDPS
Lesson 3- Effectiveness of IDPSLesson 3- Effectiveness of IDPS
Lesson 3- Effectiveness of IDPS
MLG College of Learning, Inc
 
Lesson 1 - Technical Controls
Lesson 1 - Technical ControlsLesson 1 - Technical Controls
Lesson 1 - Technical Controls
MLG College of Learning, Inc
 
Intro to Network Vapt
Intro to Network VaptIntro to Network Vapt
Intro to Network Vapt
Apurv Singh Gautam
 
Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...
Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...
Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...
Outpost24
 
McAffee_Security and System Integrity in Embedded Devices
McAffee_Security and System Integrity in Embedded DevicesMcAffee_Security and System Integrity in Embedded Devices
McAffee_Security and System Integrity in Embedded Devices
Işınsu Akçetin
 
Vulnerability Assessment
Vulnerability AssessmentVulnerability Assessment
Vulnerability Assessment
primeteacher32
 
Prioritizing an audit program using the 20 critical controls
Prioritizing an audit program using the 20 critical controlsPrioritizing an audit program using the 20 critical controls
Prioritizing an audit program using the 20 critical controls
EnclaveSecurity
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
Ahmed Ayman
 
Security in embedded systems
Security in embedded systemsSecurity in embedded systems
Security in embedded systems
Raghav S
 
More practical insights on the 20 critical controls
More practical insights on the 20 critical controlsMore practical insights on the 20 critical controls
More practical insights on the 20 critical controls
EnclaveSecurity
 
Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...
John M. Willis
 
Machine Learning for Threat Detection
Machine Learning for Threat DetectionMachine Learning for Threat Detection
Machine Learning for Threat Detection
Napier University
 
Lesson 4
Lesson 4Lesson 4
Lesson 3- Remote Access
Lesson 3- Remote AccessLesson 3- Remote Access
Lesson 3- Remote Access
MLG College of Learning, Inc
 
Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics
Mohammed Adam
 
Select idps
Select idpsSelect idps
Vulnerability Assessment Presentation
Vulnerability Assessment PresentationVulnerability Assessment Presentation
Vulnerability Assessment Presentation
Lionel Medina
 

What's hot (20)

Building an application security program
Building an application security programBuilding an application security program
Building an application security program
 
What is Penetration & Penetration test ?
What is Penetration & Penetration test ?What is Penetration & Penetration test ?
What is Penetration & Penetration test ?
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security Management
 
Lesson 3- Effectiveness of IDPS
Lesson 3- Effectiveness of IDPSLesson 3- Effectiveness of IDPS
Lesson 3- Effectiveness of IDPS
 
Lesson 1 - Technical Controls
Lesson 1 - Technical ControlsLesson 1 - Technical Controls
Lesson 1 - Technical Controls
 
Intro to Network Vapt
Intro to Network VaptIntro to Network Vapt
Intro to Network Vapt
 
Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...
Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...
Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...
 
McAffee_Security and System Integrity in Embedded Devices
McAffee_Security and System Integrity in Embedded DevicesMcAffee_Security and System Integrity in Embedded Devices
McAffee_Security and System Integrity in Embedded Devices
 
Vulnerability Assessment
Vulnerability AssessmentVulnerability Assessment
Vulnerability Assessment
 
Prioritizing an audit program using the 20 critical controls
Prioritizing an audit program using the 20 critical controlsPrioritizing an audit program using the 20 critical controls
Prioritizing an audit program using the 20 critical controls
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
 
Security in embedded systems
Security in embedded systemsSecurity in embedded systems
Security in embedded systems
 
More practical insights on the 20 critical controls
More practical insights on the 20 critical controlsMore practical insights on the 20 critical controls
More practical insights on the 20 critical controls
 
Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...
 
Machine Learning for Threat Detection
Machine Learning for Threat DetectionMachine Learning for Threat Detection
Machine Learning for Threat Detection
 
Lesson 4
Lesson 4Lesson 4
Lesson 4
 
Lesson 3- Remote Access
Lesson 3- Remote AccessLesson 3- Remote Access
Lesson 3- Remote Access
 
Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics
 
Select idps
Select idpsSelect idps
Select idps
 
Vulnerability Assessment Presentation
Vulnerability Assessment PresentationVulnerability Assessment Presentation
Vulnerability Assessment Presentation
 

Viewers also liked

Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)
btpsec
 
Sızma testi nedir - Sızma testi metodolojisi
Sızma testi nedir - Sızma testi metodolojisiSızma testi nedir - Sızma testi metodolojisi
Sızma testi nedir - Sızma testi metodolojisi
btpsec
 
Btpsec Sample Penetration Test Report
Btpsec Sample Penetration Test ReportBtpsec Sample Penetration Test Report
Btpsec Sample Penetration Test Report
btpsec
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample Report
Octogence
 
Sızma Testi ve Güvenlik Denetlemeleri - Giriş
Sızma Testi ve Güvenlik Denetlemeleri - GirişSızma Testi ve Güvenlik Denetlemeleri - Giriş
Sızma Testi ve Güvenlik Denetlemeleri - Giriş
Ferhat Ozgur Catak
 
Sızma Testleri Sonuç Raporu
Sızma Testleri Sonuç RaporuSızma Testleri Sonuç Raporu
Sızma Testleri Sonuç Raporu
BGA Cyber Security
 

Viewers also liked (6)

Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)
 
Sızma testi nedir - Sızma testi metodolojisi
Sızma testi nedir - Sızma testi metodolojisiSızma testi nedir - Sızma testi metodolojisi
Sızma testi nedir - Sızma testi metodolojisi
 
Btpsec Sample Penetration Test Report
Btpsec Sample Penetration Test ReportBtpsec Sample Penetration Test Report
Btpsec Sample Penetration Test Report
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample Report
 
Sızma Testi ve Güvenlik Denetlemeleri - Giriş
Sızma Testi ve Güvenlik Denetlemeleri - GirişSızma Testi ve Güvenlik Denetlemeleri - Giriş
Sızma Testi ve Güvenlik Denetlemeleri - Giriş
 
Sızma Testleri Sonuç Raporu
Sızma Testleri Sonuç RaporuSızma Testleri Sonuç Raporu
Sızma Testleri Sonuç Raporu
 

Similar to Btpro-Penetration Testing Service

IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit Club
Kaushal Trivedi
 
Meletis BelsisManaging and enforcing information security
Meletis BelsisManaging and enforcing information securityMeletis BelsisManaging and enforcing information security
Meletis BelsisManaging and enforcing information security
Meletis Belsis MPhil/MRes/BSc
 
Penetration Testing Execution Phases
Penetration Testing Execution Phases Penetration Testing Execution Phases
Penetration Testing Execution Phases
Nasir Bhutta
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical Hacking
S.E. CTS CERT-GOV-MD
 
Today's Cyber Challenges: Methodology to Secure Your Business
Today's Cyber Challenges: Methodology to Secure Your BusinessToday's Cyber Challenges: Methodology to Secure Your Business
Today's Cyber Challenges: Methodology to Secure Your Business
JoAnna Cheshire
 
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptxColorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
AkramAlqadasi1
 
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Knoldus Inc.
 
Vapt life cycle
Vapt life cycleVapt life cycle
Vapt life cycle
penetration Tester
 
Locking down server and workstation operating systems
Locking down server and workstation operating systemsLocking down server and workstation operating systems
Locking down server and workstation operating systems
Ben Rothke
 
SplunkLive! Customer Presentation – UMCP
SplunkLive! Customer Presentation – UMCPSplunkLive! Customer Presentation – UMCP
SplunkLive! Customer Presentation – UMCP
Splunk
 
It security cognic_systems
It security cognic_systemsIt security cognic_systems
It security cognic_systems
Cognic Systems Pvt Ltd
 
Newsletter Connect - Sep 2015
Newsletter Connect  - Sep 2015Newsletter Connect  - Sep 2015
Newsletter Connect - Sep 2015
Arish Roy
 
PCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingPCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s Missing
Black Duck by Synopsys
 
Cybersecurity: Challenges, Initiatives, and Best Practices
Cybersecurity: Challenges, Initiatives, and Best PracticesCybersecurity: Challenges, Initiatives, and Best Practices
Cybersecurity: Challenges, Initiatives, and Best Practices
John Gilligan
 
The myth of secure computing; management information system; MIS
The myth of secure computing; management information system; MISThe myth of secure computing; management information system; MIS
The myth of secure computing; management information system; MIS
Saazan Shrestha
 
Cyber security and demonstration of security tools
Cyber security and demonstration of security toolsCyber security and demonstration of security tools
Cyber security and demonstration of security tools
Vicky Fernandes
 
Threat Intelligence Ops In-Depth at Massive Enterprise
Threat Intelligence Ops In-Depth at Massive EnterpriseThreat Intelligence Ops In-Depth at Massive Enterprise
Threat Intelligence Ops In-Depth at Massive Enterprise
Jeremy Li
 
Chapter-2-Control-Audit-Security-ioenotes.pptx
Chapter-2-Control-Audit-Security-ioenotes.pptxChapter-2-Control-Audit-Security-ioenotes.pptx
Chapter-2-Control-Audit-Security-ioenotes.pptx
ToxicHawk
 
Monitoring and Reporting on IBM i Compliance and Security
Monitoring and Reporting on IBM i Compliance and SecurityMonitoring and Reporting on IBM i Compliance and Security
Monitoring and Reporting on IBM i Compliance and Security
Precisely
 
Federal Cybersecurity: The latest challenges, initiatives and best practices
Federal Cybersecurity: The latest challenges, initiatives and best practicesFederal Cybersecurity: The latest challenges, initiatives and best practices
Federal Cybersecurity: The latest challenges, initiatives and best practices
John Gilligan
 

Similar to Btpro-Penetration Testing Service (20)

IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit Club
 
Meletis BelsisManaging and enforcing information security
Meletis BelsisManaging and enforcing information securityMeletis BelsisManaging and enforcing information security
Meletis BelsisManaging and enforcing information security
 
Penetration Testing Execution Phases
Penetration Testing Execution Phases Penetration Testing Execution Phases
Penetration Testing Execution Phases
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical Hacking
 
Today's Cyber Challenges: Methodology to Secure Your Business
Today's Cyber Challenges: Methodology to Secure Your BusinessToday's Cyber Challenges: Methodology to Secure Your Business
Today's Cyber Challenges: Methodology to Secure Your Business
 
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptxColorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
 
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
 
Vapt life cycle
Vapt life cycleVapt life cycle
Vapt life cycle
 
Locking down server and workstation operating systems
Locking down server and workstation operating systemsLocking down server and workstation operating systems
Locking down server and workstation operating systems
 
SplunkLive! Customer Presentation – UMCP
SplunkLive! Customer Presentation – UMCPSplunkLive! Customer Presentation – UMCP
SplunkLive! Customer Presentation – UMCP
 
It security cognic_systems
It security cognic_systemsIt security cognic_systems
It security cognic_systems
 
Newsletter Connect - Sep 2015
Newsletter Connect  - Sep 2015Newsletter Connect  - Sep 2015
Newsletter Connect - Sep 2015
 
PCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingPCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s Missing
 
Cybersecurity: Challenges, Initiatives, and Best Practices
Cybersecurity: Challenges, Initiatives, and Best PracticesCybersecurity: Challenges, Initiatives, and Best Practices
Cybersecurity: Challenges, Initiatives, and Best Practices
 
The myth of secure computing; management information system; MIS
The myth of secure computing; management information system; MISThe myth of secure computing; management information system; MIS
The myth of secure computing; management information system; MIS
 
Cyber security and demonstration of security tools
Cyber security and demonstration of security toolsCyber security and demonstration of security tools
Cyber security and demonstration of security tools
 
Threat Intelligence Ops In-Depth at Massive Enterprise
Threat Intelligence Ops In-Depth at Massive EnterpriseThreat Intelligence Ops In-Depth at Massive Enterprise
Threat Intelligence Ops In-Depth at Massive Enterprise
 
Chapter-2-Control-Audit-Security-ioenotes.pptx
Chapter-2-Control-Audit-Security-ioenotes.pptxChapter-2-Control-Audit-Security-ioenotes.pptx
Chapter-2-Control-Audit-Security-ioenotes.pptx
 
Monitoring and Reporting on IBM i Compliance and Security
Monitoring and Reporting on IBM i Compliance and SecurityMonitoring and Reporting on IBM i Compliance and Security
Monitoring and Reporting on IBM i Compliance and Security
 
Federal Cybersecurity: The latest challenges, initiatives and best practices
Federal Cybersecurity: The latest challenges, initiatives and best practicesFederal Cybersecurity: The latest challenges, initiatives and best practices
Federal Cybersecurity: The latest challenges, initiatives and best practices
 

Recently uploaded

inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
LizaNolte
 
High performance Serverless Java on AWS- GoTo Amsterdam 2024
High performance Serverless Java on AWS- GoTo Amsterdam 2024High performance Serverless Java on AWS- GoTo Amsterdam 2024
High performance Serverless Java on AWS- GoTo Amsterdam 2024
Vadym Kazulkin
 
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
DanBrown980551
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
AstuteBusiness
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
Ivo Velitchkov
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
christinelarrosa
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
christinelarrosa
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
Alex Pruden
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
Fwdays
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
Fwdays
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
saastr
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
ScyllaDB
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Miro Wengner
 

Recently uploaded (20)

inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
 
High performance Serverless Java on AWS- GoTo Amsterdam 2024
High performance Serverless Java on AWS- GoTo Amsterdam 2024High performance Serverless Java on AWS- GoTo Amsterdam 2024
High performance Serverless Java on AWS- GoTo Amsterdam 2024
 
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 

Btpro-Penetration Testing Service

  • 1. PENETRATION TESTING SERVICES BTPRO Bilgi Teknolojileri A.S Office: +90 216 3840986 / Fax: +90 216 3840986 19 Mayis Mah. Sumer Sok. A4/11 Kozyatagi ISTANBUL Mobil Çözümler | Siber Güvenlik | E-Devlet Çözümleri
  • 2. BTPRO Bilgi Teknolojileri A.Ş. 8 Haziran 2015 Pentest Services Presenter: Mesut TÜRK mesut.turk@btpro.net
  • 3. Agenda • What is a Pentest? • Why should you perform pentesting? • What are the benefits of Pentesting? • How are Pentests performed? • What are the targets of a pentest? • Attacker profiles in a pentest • When to perform a pentest? • Reporting • Evaluation • Verification tests Pentest Service 3
  • 4. • A pentest is a set of authorized cyber attacks, in order to discover and verify the vulnerabilities of an information system. • In a typical pentest session, vulnerabilities are carefully exploited. – Customer will be informed of all steps. – Tests will be performed against all systems of the customer. What is a Pentest? 4
  • 5. • Depicting the current security level of a company • Identifying the gaps, and security consciousness of both systems and human resources against possible breaches. • Pentests find out; How big and what sensitive information will be lost in case of a cyber attack. Why to perform a Pen-test? 5
  • 6. • Independent IT-Security Institute reports around 150,000 malwares were produced , in 2014. • AV-TEST Institute reports 390,000 new malwares every day. • Kaspersky LAB reports that; – 6,167,233,068 malwares were found in year 2014. – 1,432,660,467 mobile attacks were discovered in 2014. – Among the surveyed companies involved in E-Business; half of them have suffered losses because of cyber attacks. • Different attack types and methods are discovered each day. Why to perform a Pen-test 6
  • 7. • Carbanak: A cyber gang with financial motives Have stolen 1 billion US Dollars (using malware and remotely) in 30 different countries. • Sony: A no pity cyber attack, causing a big reputation loss by company. • HSBC Turkey: November, 2014: 2.7 million card info was stolen International Cyber Security Incidents-2014 7
  • 8. • Vulnerabilites of an information system are exposed. • Facilitates the analysis of genuine risks. • Helps sustain Business Continuity • Decreases the possibility of real attacks • Protects staff, customers and business partners • Helps to be compliant with – ISO27001 – PCI DSS • Increases know-how and facilitates analysis for real attacks. • Preserves company reputation What are the benefits of a Pen-test? 8
  • 9. • Determining the Scope – Web App pentest – End user and social engineering attacks – Ddos and performance tests – Network infrastructure tests – External and Internal network tests – Mobile App pentest – Virtualization system pentest – Database pentest How is Pentest performed? 9
  • 11. • Performing the Test – Information gathering – Analysis and plan – Discovering vulnerabilities – Exploitation – Gaining access – Privilege Escalation – Analysis and Reporting – Post-Fix Verification How is Pentest performed? 11 ★ Our Pentest reports cover each and only relevant (that is potentially causing a risk) risk information. ★ We never deliver auto-scan results to the customer, and we employ and encourage our staff in specific fields of pentesting. ★ We are a team composed of web pentesters, scada tester, ddos expert, network pentesters, social engineer and wireless pentester.
  • 12. • Following domains are tested against possibility for information leakage and system malfunction; • Mistakes/Shortcomings in application development • Configuration errors • Security awareness of staff • System protection level • Infrastructure security level • Insecure certificate usage • Patch level of Applications • Patch level of Operating Systems are tested and observed in order to identify the security level of the determined scope. Target systems in a pentest 12
  • 13. • External Network test profiles – Normal user with no insider information – Unauthorized user with insider information – Authorized user with insider information – Admin user with insider information • Internal network test profiles – Unauthorized user – Employee profile • Unhappy employee profile • Disgruntled employee profile – Manager profile Attacker profiles in a pentest 13
  • 14. • Critical terms for the industry and the company • Before and After corporate milestones. • Hiring/Firing critical personnel • The weak system • The strong system When to perform a pentest 14
  • 15. • At least once a year • After system change & new system deployments • After new system integrations. How often are Pentests performed? 15
  • 16. • All findings during the pentest are analyed, verified and reported. • A detailed explanation of findings, with solution recommendation and steps to resolve are submitted in the report. • Findings are categorized. Findings by category, findings by severity are statistically graphed in the reports. Reporting 16
  • 17. • A sample finding. Reporting 17
  • 18. Security re-evaluation of the company 18 • An executive summary report is delivered to the executives, which shows the general security evaluation of the company. • A project closure meeting will be organized to discuss the report.
  • 19. • After a detailed explanation of findings and delivery of final report, the company is expected to close the gaps. • After the gap-closure, a time frame is determined by both parties for verification tests. • Findings in the report are reevaluated in the verification tests. Verification Tests 19