The document outlines the services and methodology of penetration testing provided by BTPSec, emphasizing the importance of this approach for identifying vulnerabilities in information systems. It describes the purpose, benefits, and processes involved in penetration testing, as well as the target systems and the various profiles of attackers. Additionally, it mentions the need for regular testing and thorough reporting to ensure the security of organizations.

1. BTPSec Ⓒ 2015
What is Penetration
Testing and how we
do it!

2. BTPSec Ⓒ 2015
WE ARE BTPSEC
And we are here to talk about the way we perform
penetration testing
We can be reached at:
@btp_Sec
info@btpsec.com

3. BTPSec Ⓒ 2015
PENETRATION TESTING SERVICES
BTPSec
info@btpsec.com
Office: +1 323 7398539
Address: 10650 Kinnard Ave #113, Los Angeles, CA 90024

4. BTPSec Ⓒ 2015
AIM TO HIT
Penetration Testing needs a clearly defined
approach towards your job otherwise you will fail.

5. BTPSec Ⓒ 2015
…. WE TAKE OUR JOB
SERIOUSLY

6. BTPSec Ⓒ 2015
Agenda
• What is a Pentest?
• Why should you perform pentesting?
• What are the benefits of Pentesting?
• How are Pentests performed?
• What are the targets of a pentest?
• Attacker profiles in a pentest
• When to perform a pentest?
• Reporting
• Evaluation
• Verification tests
Pentest Service
6

7. BTPSec Ⓒ 2015
• A pentest is a set of authorized cyber attacks, in
order to discover and verify the vulnerabilities of an
information system.
• In a typical pentest session, vulnerabilities are
carefully exploited.
– Customer will be informed of all steps.
– Tests will be performed against all systems of the
customer.
What is a Pentest?
7

8. BTPSec Ⓒ 2015
• Depicting the current security level of a company
• Identifying the gaps, and security consciousness of
both systems and human resources against possible
breaches.
• Pentests find out; How big and what sensitive
information will be lost in case of a cyber attack.
Why to perform a Pen-test?
8

9. BTPSec Ⓒ 2015
• Independent IT-Security Institute reports around
150,000 malwares were produced , in 2014.
• AV-TEST Institute reports 390,000 new malwares
every day.
• Kaspersky LAB reports that;
– 6,167,233,068 malwares were found in year 2014.
– 1,432,660,467 mobile attacks were discovered in 2014.
– Among the surveyed companies involved in E-Business;
half of them have suffered losses because of cyber
attacks.
• Different attack types and methods are discovered
each day.
Why to perform a Pen-test
9

10. BTPSec Ⓒ 2015
• Carbanak: A cyber gang with financial motives
Have stolen 1 billion US Dollars (using malware and
remotely) in 30 different countries.
• Sony: A no pity cyber attack, causing a big reputation
loss by company.
• HSBC Turkey: November, 2014: 2.7 million card info
was stolen
Cyber Security Incidents-2014
10

11. BTPSec Ⓒ 2015
• Vulnerabilites of an information system are exposed.
• Facilitates the analysis of genuine risks.
• Helps sustain Business Continuity
• Decreases the possibility of real attacks
• Protects staff, customers and business partners
• Helps to be compliant with
– ISO27001
– PCI DSS
• Increases know-how and facilitates
analysis for real attacks.
• Preserves company reputation
What are the benefits of a Pen-test?
11

12. BTPSec Ⓒ 2015
• Determining the Scope
– Web App pentest
– End user and social engineering attacks
– Ddos and performance tests
– Network infrastructure tests
– External and Internal network tests
– Mobile App pentest
– Virtualization system pentest
– Database pentest
How is Pentest performed?
12

13. BTPSec Ⓒ 2015
• Performing the Test
– Information gathering
– Analysis and plan
– Discovering vulnerabilities
– Exploitation
– Gaining access
– Privilege Escalation
– Analysis and Reporting
– Post-Fix Verification
How is Pentest performed?
13
★ Our Pentest reports cover each
and only relevant (that is
potentially causing a risk) risk
information.
★ We never deliver auto-scan
results to the customer, and we
employ and encourage our staff
in specific fields of pentesting.
★ We are a team composed of
web pentesters, scada tester,
ddos expert, network pentesters,
social engineer and wireless
pentester.

14. BTPSec Ⓒ 2015
• Following domains are tested against possibility for
information leakage and system malfunction;
• Mistakes/Shortcomings in application development
• Configuration errors
• Security awareness of staff
• System protection level
• Infrastructure security level
• Insecure certificate usage
• Patch level of Applications
• Patch level of Operating Systems
are tested and observed in order to identify the security level of the
determined scope.
Target systems in a pentest
14

15. BTPSec Ⓒ 2015
• External Network test profiles
– Normal user with no insider information
– Unauthorized user with insider information
– Authorized user with insider information
– Admin user with insider information
• Internal network test profiles
– Unauthorized user
– Employee profile
• Unhappy employee profile
• Disgruntled employee profile
– Manager profile
Attacker profiles in a pentest
15

16. BTPSec Ⓒ 2015
• Critical terms for the industry and the company
• Before and After corporate milestones.
• Hiring/Firing critical personnel
• The weak system
• The strong system
When to perform a pentest
16

17. BTPSec Ⓒ 2015
• At least once a year
• After system change & new system deployments
• After new system integrations.
How often are Pentests performed?
17

18. BTPSec Ⓒ 2015
• All findings during the pentest are analyed, verified
and reported.
• A detailed explanation of findings, with solution
recommendation and steps to resolve are submitted
in the report.
• Findings are categorized. Findings by category,
findings by severity are statistically graphed in the
reports.
Reporting
18

19. BTPSec Ⓒ 2015
• A sample finding.
Reporting
19

20. BTPSec Ⓒ 2015
Security re-evaluation of the company
20
• An executive summary report is delivered to the
executives, which shows the general security status
of the company.
• A project closure meeting will be organized to
discuss the report.

21. BTPSec Ⓒ 2015
• After a detailed explanation of findings and delivery
of final report, the company is expected to close the
gaps.
• After the gap-closure, a time frame is determined by
both parties for verification tests.
• Findings in the report are reevaluated in the
verification tests.
Verification Tests
21

22. BTPSec Ⓒ 2015
BTPSEC OFFICES
our office
our office

23. BTPSec Ⓒ 2015
ANY QUESTIONS?
You can find us at
@btp_sec
info@btpsec.com