Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Similar to Btpro-Penetration Testing Service
Similar to Btpro-Penetration Testing Service (20)
Recently uploaded
Recently uploaded (20)
Btpro-Penetration Testing Service
- 1. PENETRATION TESTING SERVICES BTPRO Bilgi Teknolojileri A.S Office: +90 216 3840986 / Fax: +90 216 3840986 19 Mayis Mah. Sumer Sok. A4/11 Kozyatagi ISTANBUL Mobil Çözümler | Siber Güvenlik | E-Devlet Çözümleri
- 2. BTPRO Bilgi Teknolojileri A.Ş. 8 Haziran 2015 Pentest Services Presenter: Mesut TÜRK mesut.turk@btpro.net
- 3. Agenda • What is a Pentest? • Why should you perform pentesting? • What are the benefits of Pentesting? • How are Pentests performed? • What are the targets of a pentest? • Attacker profiles in a pentest • When to perform a pentest? • Reporting • Evaluation • Verification tests Pentest Service 3
- 4. • A pentest is a set of authorized cyber attacks, in order to discover and verify the vulnerabilities of an information system. • In a typical pentest session, vulnerabilities are carefully exploited. – Customer will be informed of all steps. – Tests will be performed against all systems of the customer. What is a Pentest? 4
- 5. • Depicting the current security level of a company • Identifying the gaps, and security consciousness of both systems and human resources against possible breaches. • Pentests find out; How big and what sensitive information will be lost in case of a cyber attack. Why to perform a Pen-test? 5
- 6. • Independent IT-Security Institute reports around 150,000 malwares were produced , in 2014. • AV-TEST Institute reports 390,000 new malwares every day. • Kaspersky LAB reports that; – 6,167,233,068 malwares were found in year 2014. – 1,432,660,467 mobile attacks were discovered in 2014. – Among the surveyed companies involved in E-Business; half of them have suffered losses because of cyber attacks. • Different attack types and methods are discovered each day. Why to perform a Pen-test 6
- 7. • Carbanak: A cyber gang with financial motives Have stolen 1 billion US Dollars (using malware and remotely) in 30 different countries. • Sony: A no pity cyber attack, causing a big reputation loss by company. • HSBC Turkey: November, 2014: 2.7 million card info was stolen International Cyber Security Incidents-2014 7
- 8. • Vulnerabilites of an information system are exposed. • Facilitates the analysis of genuine risks. • Helps sustain Business Continuity • Decreases the possibility of real attacks • Protects staff, customers and business partners • Helps to be compliant with – ISO27001 – PCI DSS • Increases know-how and facilitates analysis for real attacks. • Preserves company reputation What are the benefits of a Pen-test? 8
- 9. • Determining the Scope – Web App pentest – End user and social engineering attacks – Ddos and performance tests – Network infrastructure tests – External and Internal network tests – Mobile App pentest – Virtualization system pentest – Database pentest How is Pentest performed? 9
- 10. Pentest Scope 10
- 11. • Performing the Test – Information gathering – Analysis and plan – Discovering vulnerabilities – Exploitation – Gaining access – Privilege Escalation – Analysis and Reporting – Post-Fix Verification How is Pentest performed? 11 ★ Our Pentest reports cover each and only relevant (that is potentially causing a risk) risk information. ★ We never deliver auto-scan results to the customer, and we employ and encourage our staff in specific fields of pentesting. ★ We are a team composed of web pentesters, scada tester, ddos expert, network pentesters, social engineer and wireless pentester.
- 12. • Following domains are tested against possibility for information leakage and system malfunction; • Mistakes/Shortcomings in application development • Configuration errors • Security awareness of staff • System protection level • Infrastructure security level • Insecure certificate usage • Patch level of Applications • Patch level of Operating Systems are tested and observed in order to identify the security level of the determined scope. Target systems in a pentest 12
- 13. • External Network test profiles – Normal user with no insider information – Unauthorized user with insider information – Authorized user with insider information – Admin user with insider information • Internal network test profiles – Unauthorized user – Employee profile • Unhappy employee profile • Disgruntled employee profile – Manager profile Attacker profiles in a pentest 13
- 14. • Critical terms for the industry and the company • Before and After corporate milestones. • Hiring/Firing critical personnel • The weak system • The strong system When to perform a pentest 14
- 15. • At least once a year • After system change & new system deployments • After new system integrations. How often are Pentests performed? 15
- 16. • All findings during the pentest are analyed, verified and reported. • A detailed explanation of findings, with solution recommendation and steps to resolve are submitted in the report. • Findings are categorized. Findings by category, findings by severity are statistically graphed in the reports. Reporting 16
- 17. • A sample finding. Reporting 17
- 18. Security re-evaluation of the company 18 • An executive summary report is delivered to the executives, which shows the general security evaluation of the company. • A project closure meeting will be organized to discuss the report.
- 19. • After a detailed explanation of findings and delivery of final report, the company is expected to close the gaps. • After the gap-closure, a time frame is determined by both parties for verification tests. • Findings in the report are reevaluated in the verification tests. Verification Tests 19
- 20. QUESTIONS ? 20
- 21. THANKS... 21