Penetration Testing

IntaForensics is a CREST certified penetration testing company. Our experienced team have helped hundreds of organisations from all sectors to secure their systems. Our services are customised to meet the needs and requirements of your business.


What is Penetration Testing?

Penetration testing, also known as pen testing and ethical hacking, is a cyber-attack which is employed by our technical specialists to evaluate, probe and test a computer system, network or web application to identify any security vulnerabilities that could be exploited by cyber criminals. The cyber-attack process can be performed manually, or through the use of software applications and is designed to simulate an attack upon a system. It should be viewed as a method for gaining assurance in your organisation’s vulnerability assessment and management processes, not as a primary method for identifying vulnerabilities.

IntaForensics offers penetration testing engagements to suit our clients' needs, enabling them to reinforce their cyber security policies and procedures to better protect them from future threats. Our experienced penetration testers have all been independently qualified by industry-recognised bodies such as CREST (CPSA and CRT certified) and Offensive Security (OSCP certified).

Why does your Organisation need Penetration Testing?

The average cost of a data breach in 2021 is $4.24 million. We help to alleviate this risk by preventing breaches and keeping your company safe. Government agencies, FTSE 100 companies, educational and healthcare institutions, and non-profits are among the organisations targeted every day. Most of these organisations are woefully unprepared to respond to security incidents. That is where IntaForensics can help. With thousands of hours of experience, practice, and passion for cyber security, we will use our skills to secure your environment.

In today’s technology-driven world, hacking has become commonplace, often as front-page news. These incidents can cost companies large sums of money through broken customer trust, bad news coverage, and potential legal action by regulatory bodies. Penetration testing alleviates much of this risk by having an experienced cybersecurity professional simulate an attack. This involves the tester using the same techniques and tactics that real-world attackers would use. This includes (but is not limited to) taking advantage of vulnerabilities like SQL injection, remote code execution, social engineering, XSS, SSRF, and other less common vulnerabilities.

Types of Penetration Testing

Web Application Testing

Test websites or web applications to find potential bugs before making them live

Identify all security risks, including the OWASP Top 10 (SQL Injection, XSS, CSRF, SSRF, HTTP Request Smuggling, etc.) in your web applications.

External Penetration Testing

Assess the externally facing assets for an organization

Testing and evaluating your external network’s defences and identifying any vulnerabilities that attackers could use to gain access.

Internal Penetration Testing

Identify the risks posed by an attacker with internal access to a network

Simulating an attack from inside your corporate network to test internal defences and identify any vulnerabilities inside the network that could allow attackers to gain access to sensitive information and assets.

Vulnerability Scanning

Scan a network or system to identify any existing security vulnerabilities

Assessing and evaluating vulnerabilities in your networks both internally and externally using automated tools.

Social Engineering

Technique that exploits human error to gain private information, access, or valuables.

‘Phishing’ and ‘Smishing’ employees to assess security awareness and the overall vulnerability of the company to social engineering.

Cloud Security Assessment

Evaluation to test and analyse an organization's cloud infrastructure

Evaluating the security of your organisation’s cloud infrastructure to secure cloud assets (AWS, Azure, GCP, etc.).

Our Penetration Testing Methodology

Our custom methodology follows industry standards such as the OWASP Web Security Testing methodology (which encompasses the OWASP Top 10 and CWE Top 25), the Open-Source Security Testing Methodology Manual (OSSTMM), and the Penetration Testing Execution Standard (PTES).

At IntaForensics, we conduct tests to identify and address both critical and non-critical security issues in software applications. This includes many types of vulnerabilities, such as injection flaws (SQL, XSS, SSRF, NoSQL, and OS command injection), authentication weaknesses, poor session management, broken access controls, security misconfigurations, database interaction errors, input validation problems, and flaws in application logic. Using our custom methodology, we test for common and uncommon vulnerabilities that other organisations often miss and which aren’t discovered by automated systems, such as HTTP Smuggling, CRLF, IIS Shortname Enumeration, and Web Cache Poisoning.

Scoping

This involves meeting with the client to understand their objectives and the systems that require testing. During this meeting, we will also identify the IPs and domains that are in scope for the testing.

Reconnaissance

To gather information, passive Open-Source Intelligence (OSINT) is used to identify any data that has been publicly exposed on the internet. This includes leaked passwords, documents, and employee information.

Intelligence Gathering

This involves active Open-Source Intelligence (OSINT) to discover what data the organisation is leaking, such as secret directories, forgotten subdomains that may be vulnerable to subdomain takeover, and public administration login pages.

Vulnerability Discovery

This forms the bulk of the testing process, performing manual and automated tests to discover potential vulnerabilities such as those found in the OWASP Top 10 and the CWE Top 25. Additionally, we utilise our custom methodology to identify vulnerabilities that aren’t addressed by these standards.

Exploitation

This next step involves executing specific attacks, such as exploiting out-of-date software or attempting to perform blind XSS. It helps to identify how severe an issue is and what an attacker could do.

Report and debrief

A detailed and actionable report will be produced and issued to the client. A debriefing meeting will also be arranged to review the report and discuss the findings in detail. This provides an opportunity for questions and further discussion.

What happens next?

Each vulnerability discovered during testing will be laid out in a simple-to-understand format within the report. This includes a detailed description of the vulnerability, the risk it poses to the organisation, instructions on how to reproduce it, and resources and advice on how to resolve the issue.

Our reports are composed in an easy-to-understand format so that developers and other staff can quickly address the identified issues. Following the report’s publication, we will arrange a meeting to discuss all the raised issues. Additionally, IntaForensics provides remediation advice by email or telephone. Once the recommended actions have been taken, retesting can be organised.

IntaForensics offers free retesting of any vulnerabilities discovered during a penetration test. The report will then be amended to show which vulnerabilities have been addressed. There is no time limit imposed for retesting.

As regular customers of IntaForensics, I highly recommend the company for the services delivered by the cyber security team. I couldn’t praise their Cyber Essentials services and support highly enough.

Ryan James, Managing Director - nFocus
