This document discusses penetration testing (pentesting) services provided by BTPRO Bilgi Teknolojileri A.S. It defines a pentest as a set of authorized cyber attacks to discover and verify vulnerabilities. The benefits of pentesting include exposing vulnerabilities, facilitating risk analysis, protecting business continuity, and complying with security standards. Pentests are performed by targeting various systems and using different attacker profiles to simulate real-world threats. Reports detail all findings categorized by risk level and include recommendations for remediation. Verification tests are conducted after issues are resolved to confirm vulnerabilities were addressed.
Btpro-Penetration Testing Service
1. PENETRATION TESTING SERVICES
BTPRO Bilgi Teknolojileri A.S
Office: +90 216 3840986 / Fax: +90 216 3840986
19 Mayis Mah. Sumer Sok. A4/11 Kozyatagi ISTANBUL
Mobile Solutions | Cyber Security | E-Government Solutions
2. BTPRO Bilgi Teknolojileri A.Ş.
8 June 2015
Pentest Services
Presenter: Mesut TÜRK
mesut.turk@btpro.net
3. Agenda
• What is a Pentest?
• Why should you perform pentesting?
• What are the benefits of Pentesting?
• How are Pentests performed?
• What are the targets of a pentest?
• Attacker profiles in a pentest
• When to perform a pentest?
• Reporting
• Evaluation
• Verification tests
4. What is a Pentest?
• A pentest is a set of authorized cyber attacks, performed to discover and verify the vulnerabilities of an information system.
• In a typical pentest session, vulnerabilities are carefully exploited.
– The customer is informed of all steps.
– Tests are performed against all systems of the customer.
5. Why perform a pentest?
• Depicting the current security level of a company.
• Identifying the gaps, and the security awareness of both systems and human resources, against possible breaches.
• Pentests find out how much, and which, sensitive information would be lost in case of a cyber attack.
6. Why perform a pentest?
• An independent IT-security institute reports that around 150,000 malware samples were produced in 2014.
• The AV-TEST Institute reports 390,000 new malware samples every day.
• Kaspersky Lab reports that:
– 6,167,233,068 malware samples were found in 2014.
– 1,432,660,467 mobile attacks were discovered in 2014.
– Among the surveyed companies involved in e-business, half have suffered losses because of cyber attacks.
• New attack types and methods are discovered every day.
7. International Cyber Security Incidents, 2014
• Carbanak: a cyber gang with financial motives stole 1 billion US dollars (remotely, using malware) in 30 different countries.
• Sony: a merciless cyber attack that caused a major reputation loss for the company.
• HSBC Turkey, November 2014: 2.7 million card records were stolen.
8. What are the benefits of a pentest?
• Vulnerabilities of an information system are exposed.
• Facilitates the analysis of genuine risks.
• Helps sustain business continuity.
• Decreases the likelihood of real attacks succeeding.
• Protects staff, customers and business partners.
• Helps with compliance with
– ISO 27001
– PCI DSS
• Increases know-how and facilitates the analysis of real attacks.
• Preserves company reputation.
9. How is a pentest performed?
• Determining the scope
– Web application pentest
– End-user and social engineering attacks
– DDoS and performance tests
– Network infrastructure tests
– External and internal network tests
– Mobile application pentest
– Virtualization system pentest
– Database pentest
11. How is a pentest performed?
• Performing the test
– Information gathering
– Analysis and planning
– Discovering vulnerabilities
– Exploitation
– Gaining access
– Privilege escalation
– Analysis and reporting
– Post-fix verification
★ Our pentest reports cover all of, and only, the relevant risk information (that is, findings that potentially cause a risk).
★ We never deliver raw automated scan results to the customer, and we employ and encourage our staff to specialize in specific fields of pentesting.
★ We are a team composed of web pentesters, a SCADA tester, a DDoS expert, network pentesters, a social engineer and a wireless pentester.
12. Target systems in a pentest
• The following domains are tested for the possibility of information leakage and system malfunction:
– Mistakes and shortcomings in application development
– Configuration errors
– Security awareness of staff
– System protection level
– Infrastructure security level
– Insecure certificate usage
– Patch level of applications
– Patch level of operating systems
• These are tested and observed in order to identify the security level of the determined scope.
13. Attacker profiles in a pentest
• External network test profiles
– Normal user with no insider information
– Unauthorized user with insider information
– Authorized user with insider information
– Admin user with insider information
• Internal network test profiles
– Unauthorized user
– Employee profile
• Unhappy employee profile
• Disgruntled employee profile
– Manager profile
14. When to perform a pentest
• During critical periods for the industry and the company
• Before and after corporate milestones
• When hiring or dismissing critical personnel
• On the weak system
• On the strong system
15. How often are pentests performed?
• At least once a year
• After system changes and new system deployments
• After new system integrations
16. Reporting
• All findings made during the pentest are analyzed, verified and reported.
• A detailed explanation of each finding, with a recommended solution and the steps to resolve it, is provided in the report.
• Findings are categorized. Findings by category and findings by severity are presented as statistical graphs in the reports.
18. Security re-evaluation of the company
• An executive summary report is delivered to the executives, which shows the general security evaluation of the company.
• A project closure meeting is organized to discuss the report.
19. Verification Tests
• After a detailed explanation of the findings and delivery of the final report, the company is expected to close the gaps.
• After the gap closure, a time frame for the verification tests is agreed by both parties.
• The findings in the report are re-evaluated in the verification tests.