Pentesting – Intrusion Testing

Intrusion testing consists of controlled computer attack tests, within secure environments, with the aim of discovering possible vulnerabilities that cannot be detected by other means.

Ethical Hacking tests can be performed, at the customer's request, on web applications, networks, servers, computers, mobile devices, industrial equipment, Cloud (Azure, AWS, etc.) and other computer systems that the customer details to our experts.

All our penetration tests include an intense and in-depth audit, with the obtained results divided in two reports: one technical and one executive.

When to perform a penetration test

Many companies and organizations hire this service after suspecting or discovering that they have already suffered a cyber-attack. They do so in order to gain additional information about the threats to their systems so they are able to reduce the risk of further attacks. However, an organization may also be proactive and want to know about any threats their organization faces, as a whole or for a new system before it goes live. Common scenarios include application releases, major changes or upgrades, and compliance regulations.

Intrusion testing, or pentesting, simulates a real attack against your infrastructure in a controlled environment, allowing our consultants to assess your system’s capability and provide recommendations on how to improve your defense against technology vulnerabilities that can lead to intrusions, fraud and service disruption.

Penetration test reports

The delivery of a penetration test is a detailed report, which includes all the results of the test, as well as the countermeasures and recommendations necessary to secure your IT infrastructure. If requested, our team can also prepare a presentation of the results for your IT or executive team.
Executive Report
Describes the overall security status and pinpoints items requiring immediate attention.
Technical Report
Describes the activities performed to determine vulnerabilities and the results of the activities performed in attacking the target systems, including methodologies used.
Vulnerabilities and Threats
Detailed list of vulnerabilities and threats discovered, listed in order of importance.
Exploitation of vulnerabilities
Detailed list including the consequences of the exploitation of vulnerabilities found, thus ruling out any possible false positives.
Recommendations
In order to optimize the protection of the assets identified in the report, we will provide you with a series of practical recommendations to strengthen your security status.
Appendix
Evidence comprising screenshots or other data that helps provide further context or clarification on the vulnerabilities detected are shown.

Steps followed in pentesting

In these exercises we cover the following steps:
Interactions prior to hiring the service
Our project management team will contact the client via video call, web conference or in a face-to-face meeting to review the logistical and tactical details that will be required throughout the contracted service.
Intelligence gathering
Prior to performing the execution of the active assessment, our security analysts will gather all the information necessary to conduct a comprehensive assessment. Depending on the type of assessment, multiple intelligence gathering approaches can be adopted, e.g. open source intelligence gathering or internal data gathering.
Threat modelling
The goal of a threat modelling activity is to understand the impact of network-related technical threats on the business. This high-level exercise is not as comprehensive as a thorough threat risk assessment, but the resulting profile will help us ensure that technical tests are run for those threats that may have a high impact on business operations.
Vulnerability scanning
During vulnerability analysis, we will perform manual and/or automated vulnerability scans to identify weaknesses in the environment. We will then perform a scan validation exercise to identify false positives and items requiring manual validation. Network traffic captured through passive collection tools is reviewed for information leaks using clear text protocols. Once the environment has been mapped and individual device profiles have been created, security analysts begin the search for vulnerabilities that could compromise the system or that could allow disclosure of information that could subsequently aid in compromising another system.
Exploitation
During the exploitation phase, we will perform the actual penetration test and attack the systems if there is a potentially viable method of exploitation. Identifying an exact attack methodology prior to this phase is not viable, due to the fact that each deficiency is different.
Post Exploitation
The goal of the post-exploitation phase is to determine the value of the compromised assets and attempt to maintain control of the machine for later use. We will identify and document sensitive data, determine configuration settings, communication channels and relationships with other network devices that can be used to gain further access to the network, and configure one or more methods of accessing the device at a later time. Post-exploitation methods include infrastructure analysis, high-value/profile targeting and data exfiltration. The phase ends with a cleanup process to remove all traces of the penetration testing, such as backdoors or rootkits.
Reports
Our team of experts will prepare a detailed penetration testing report and deliver it to the client. If serious vulnerabilities are discovered during the course of the exercise, we will provide an interim report.
The success of a penetration test will depend on the correct management of the project. At Jaymon Security, we have marked project management processes and methodologies to ensure complete customer satisfaction. Our project management office is led by certified Project Management Professionals (PMP)® , who possess the necessary experience and expertise to manage penetration testing projects. Together with our clients, they will ensure the correct execution of the service in accordance with the objectives and within budget, manage your expectations and guarantee quality results at the end of the project.
Spain