Vulnerability Assessment and Penetration Testing (VAPT) is a term used to describe security testing that is designed to identify and help address cyber security vulnerabilities of your business.
What is it
Services we provide
The methodology used, during the Vulnerability Assessment process, aims to evaluate the ease of carrying out a typical attack, based on the existing weaknesses of the structural elements (internet router, firewall, web servers, mail, etc) for accessing the internet.
The Vulnerability Assessment process is of particular importance for the actual assessment of the existing risk. The assessment is carried out by a specialized team in information security issues that uses commercial and open source tools as well as a series of specialized programs, many of which have been developed internally (attack scripts, application specific code), for the final verification of the possibility exploitation of possible weaknesses (vulnerabilities).
At this stage checks are carried out in order to collect additional data regarding the applications and services detected during the Vulnerability Assessment.
Some of the steps that might be used are the following:
1. Carrying out a targeted Vulnerability Assessment in Web applications.
2. Carrying out a targeted Vulnerability Assessment on Databases.
3. Perform manual Reconnaissance on applications and infrastructures, in order to identify additional modules that may contain vulnerabilities.
4. Scanning the internet for possible information or applications outside the network where they may be used as vulnerabilities.
In the Penetration Test, a series of attacks are carried out, from outside and inside the network, similar to those that an attacker would do, in order to check to what extent any weaknesses in the network can be exploited.
The Penetration Test is divided into four stages.
The first stage is port scanning during which inputs to information systems are checked.
The second stage is the vulnerability assessment during which the ways of exploiting the inputs detected in the first stage are detected.
The third stage is the Penetration Test itself during which the damage that can be done by exploiting the weaknesses of the systems is investigated.
Finally, in the fourth stage, a full report is drawn up of the findings of the controls and the risks arising from them, as well as ways to restore them
In summary, the steps followed are as follows:
1. Carrying out reconnaissance checks to create a complete picture of the network and specifically its topology, systems, nodes and services available in it.
2. Wide range checks to identify potential areas or services that may be entry points for potential attackers.
3. Checks for known vulnerabilities or for vulnerabilities that may arise from default settings, accounts with gaps, default or unsafe passwords, etc.
4. Targeted vulnerability checks.
5. Checking existing credentials for network access.
6. Categorization of identified vulnerabilities based on ease of exploitation, remediation effort, and impact if an attack were to occur.
7. Suggestions for addressing security issues that need immediate remediation.
8. Documenting recommendations for improving security and setting priorities for addressing risk based on the importance of vulnerabilities identified and the effort required to fix them.
9. Transfer of corresponding knowledge to the staff.
The methodology followed, during the Breach Test process, aims to evaluate the ease of carrying out a typical attack, based on the existing weaknesses of the structural elements (internet router, firewall, web servers, mail, etc) for accessing the internet. In order for this test to achieve its objective, Penetration Tests are performed outside the firewall system. The purpose of the External Penetration Test is to assess the security of the “perimeter” including specific checks on the individual points:
The Network Penetration Test process is of particular importance for the actual assessment of the existing risk. The Breach Test is carried out by a now specialized team in information security issues that uses commercial and open source tools as well as a series of specialized programs, many of which have been developed internally (attack scripts, application specific code), for the final verification of possibility of exploiting possible weaknesses (vulnerabilities).
At the same time, various other tools and programs freely available from the Internet are used in order to realistically simulate the risks of a typical attacker (hacker) using widely available tools.