
Cybertests

Examine the security of your systems and the resilience of those who guard them

Cyber tests simulate real cyber attacks on information systems or networks in order to detect and identify security weaknesses. They are tailored to your specific needs.

Types of tests

  • Basic

    The ideal place to start to get a broad overview of your system’s vulnerabilities. The test combines automated analysis with manual evaluation of the tested systems for known vulnerabilities and configuration errors, for up to 10 IP addresses. You will get a report with a list of detected vulnerabilities and their criticality rating. The results are presented in a short video call. This test is also ideal for periodic testing of your systems.

    Technical Specifications

    • Port scanning: Various techniques for scanning open ports on target systems, including TCP SYN scanning, TCP connect scanning, and UDP scanning.
    • Fingerprinting: Identifies the types of operating systems, software versions and services running on scanned ports using methods such as banner grabbing and system response analysis.
    • Authenticated scanning: Scanning using credentials, for deeper analysis of systems and identification of vulnerabilities not visible in unauthenticated scans.
    • Vulnerability scanning: Uses a database of plugins that contain information about known vulnerabilities and how to detect them.
    • Compliance scanning: Performs scans against specific security standards and regulations (e.g. PCI DSS, HIPAA, CIS benchmarks) to determine if systems meet required standards.

    IP addresses are entered into the automated tools, which then generate the results. These results are then carefully checked by testers. If the tester identifies any elements that require deeper analysis, another scan is run.

    Scan content

    Operating Systems: Windows, Linux, macOS, Unix, and others
    Network Devices: Routers, switches, firewalls, and other network devices
    Database Systems: MySQL, Oracle, Microsoft SQL Server, PostgreSQL, and others
    Web Servers and Applications: Apache, Nginx, IIS, and web applications running on these servers
    Virtual and Cloud Environments: AWS, Azure, Google Cloud, VMware, and others
    Security Devices: IDS/IPS, VPN devices, and other security technologies
    Applications and Software: Mail servers, FTP servers, SMB/CIFS shared folders, and various third-party applications

    The result is a report that provides a detailed description of the testing methods and vectors, identified vulnerabilities, and recommendations for their remediation.

  • Advanced

    Beyond “Basic”, this is a full penetration test as required by NIS 2 and DORA. It includes perimeter and web application testing for 3 static URLs, including manual validation of results. In addition, it is extended with OSINT to identify vulnerabilities exploitable for attack, and with manually executed web application tests exploiting these vulnerabilities. Also included is a test and validation of the functionality of security processes, attack interception and response. You will receive a report, including a presentation of results and recommendations via video call.

    Advanced tests are performed by certified ethical hackers, starting from the OSINT stage. So it is not just a set of automated tests, but a simulation of a real cyber attack using the same techniques used by attackers. Unlike a real attack, the tests are not aimed at destruction, but at exposing weaknesses and checking the functionality of security mechanisms. The resulting report includes recommendations on how to fix the weaknesses identified.

    Technical Specifications

    • OSINT (Open Source Intelligence) from publicly available sources
    • Vulnerability scan in the scope of the Basic test
    • Methodical testing of scenarios based on OSINT outputs using reputable standardized methodologies:
      • OSSTMM (Open Source Security Testing Methodology Manual), more information about the methodology is here
      • OWASP (Open Web Application Security Project), more information about the methodology is here

    The result is a report detailing the method and vectors of testing, the deficiencies identified and recommendations for addressing them.

  • Excellent

    In addition to the “Advanced” test, you get OSINT on published email addresses, preparation and execution of targeted customized phishing against up to 100 people. The test also includes basic OSINT on organizational structure, verification of leaked passwords associated with email addresses on the domain, prepared phishing call scenarios, and outreach to 10 random employees of the organization. The report and subsequent presentation in the form of a video call includes an evaluation of the conducted test, including a test of user resistance to the above attack techniques.

    Technical Specifications

    • OSINT (Open Source Intelligence) in the scope of the Advanced test, plus detection of published email addresses from the domain, including verification that they are not included in databases of leaked passwords
    • Phishing testing of agreed email addresses
      • Measurement of active response to spoofed email, user response
      • End nodes are not infected during the test
    • Vishing testing of selected persons according to agreed scenarios designed on the basis of OSINT
    • Vulnerability scan in the scope of Basic test
    • Methodical testing of scenarios based on OSINT outputs using reputable standardized methodologies:
      • OSSTMM (Open Source Security Testing Methodology Manual), more information about the methodology is here
      • OWASP (Open Web Application Security Project), more information about the methodology is here

    The result is a report detailing the method and vectors of testing, the deficiencies identified and recommendations for addressing them. A summary of the phishing tests includes:

    • Number of users who opened the email
    • Number of users who clicked on the link
    • Number of users who entered the password
    • Alternatively, number of users who enabled access to TeamViewer

    The vishing test report includes analysis of the attack scenario, detection of weaknesses and failures, and suggestions for fixing them.

We will uncover your security risks and provide an impenetrable protection strategy

Penetration test procedure

  • Testing: ethical hacking attack
  • Attack analysis: aspects of current security
  • Report: current status, progress of attack, proposed solution

The benefit of testing

  • Checking the current status
  • Revealing risk factors
  • Recommendations requirements
