Companies and organisations are increasingly dependent on their IT/OT environments for their daily operations. As such, the data in these environments is often the lifeblood of an organisation. To establish the security, integrity and availability of your data, pen tests are necessary. A pen test shows the extent to which your security is effective and whether your organisation is resilient enough at the time of the pen test. NFIR offers customised pen tests that are expertly performed by our ethical hackers. NFIR also uses only standardised and uniform pen tests. This is the only way we can guarantee you quality and thorough pen tests.
What is the importance of performing pen testing for your organization?
Specific norms and legislation require you to take appropriate measures to organise your information security as effectively and efficiently as possible. Examples of such standards and legislation are the ENSIA, the BIO, the ISO and the GDPR (AVG). ENSIA is specifically used by municipalities, provinces, water authorities and some parts of the national government to account for the state of their information security. The ISO standards and the GDPR are overarching and provide the basis for both the public and private sectors. In addition to the aforementioned standards and legislation, all parties involved with your organisation, from customer to shareholder, expect you to be reliable and to handle your information with care. A pen test is fundamental to giving them that assurance.
What can you have pen tested?
During the intake prior to the pen test we will determine together with you exactly which environments we will pen test. Broadly speaking, we can pen test your (web) applications, websites, IT/OT infrastructure, API links and mobile apps for vulnerabilities. During the intake, we determine the exact scope of the investigation and from which attack scenarios we will perform the pen test. The attack scenarios are explained in more detail in the following section.
What attack scenarios are possible (types of pen testing)?
A pen test can be conducted from different perspectives, with the result depending (in part) on the chosen attack perspective. During an intake meeting, we will jointly determine the scope of the pen test and advise on how we can perform the most valuable pen test for your organization.
Black Box pen test
A Black Box pen test can be compared to a real attack, as hackers would carry it out.
A Black Box pen test means that no information is provided in advance by the client. Our ethical hackers will use open source research (OSINT), among other methods, to map out your environment. This allows them to look for vulnerabilities.
Grey Box Pen Test
In this pen test type, ethical hackers detect vulnerabilities in your (web) application, website, IT infrastructure, API links and mobile apps both without and with prior information. The combination of both attack scenarios provides the most complete picture possible of the technical resilience of your digital environment. Grey Box pen testing uses a user account and requires a defined scope, a roles/rights matrix and a list of functionality.
White Box Pen Test
In a White Box pen test (also known as a Crystal Box pen test), all information is provided in advance so that a targeted search for vulnerabilities can be conducted. This includes the information that is also requested for Grey Box pen testing, supplemented with source code, log files and access to the server. In addition, use is made of the option to set up a dedicated test environment.
From pen testing to reporting
After the pen tests have been conducted carefully and in accordance with all applicable standards (e.g. OWASP WSTG, MASTG, PTES, CVSS), we will prepare a report for you in which you can find all the findings and, for each finding, how the vulnerability can be remedied. It is very important that you receive clear, complete and useful reports from us. After all, finding vulnerabilities is not our only goal. Our ethical hackers report the vulnerabilities found in a clear and, above all, useful way for your organisation. The pen test report describes exactly which standards have been tested against, what has been tested, which tooling has been used, which vulnerabilities have been found and what the advice is for solving these vulnerabilities.
Request a sample pentest report here to gain insight into how we report and the data we include in it.
Pen testing by our certified staff
Our ethical hackers check, among other things, the technical resilience of (web) applications, websites, IT and OT infrastructures, API links and mobile apps. If you have a different environment that you would like to have tested, we will be happy to discuss it with you.
NFIR classifies pen testing vulnerabilities using the Common Vulnerability Scoring System (CVSS 3.1).
- A vulnerability scan provides a general picture of how IT security is organised. A pen test provides a more detailed picture of the current state of IT security.
- An IT vulnerability scan finds commonly known vulnerabilities. In a pen test, attention is paid to all potential weaknesses.
- Vulnerability scanning uses automated scans to detect vulnerabilities. A pen test also makes use of automated scans, but in addition the researcher actively seeks out vulnerabilities with a dose of creativity.
Our pen testers have extensive experience, a lot of creativity and up-to-date expertise. The NFIR pen testers have followed relevant training courses and obtained certifications such as OSCP. In addition, they have all received chief of police approval and signed confidentiality agreements.
How long a pen test takes depends greatly on the environment to be tested and the agreements made with the client about the attack scenarios to be deployed.
A Black Box pen test means that no information about the environment is shared with the pen testers beforehand. With a pen test based on the White Box principle, all information about the environment is shared in advance. If you are having a pen test performed for the first time and want to get an overall picture of your security, it is useful to have a Black Box pen test performed.
The important standards used by NFIR (depending on the environment being tested) are:
- OWASP WSTG (Open Web Application Security Project Web Security Testing Guide)
- OWASP MASTG (Open Web Application Security Project Mobile Application Security Testing Guide)
- PTES (Penetration Testing Execution Standard)
- NOREA DigiD Assessment
- CVSS (Common Vulnerability Scoring System)
Using the Common Vulnerability Scoring System (version 3.1), the severity of each vulnerability is determined. Furthermore, NFIR uses input from the client to apply a CIA (confidentiality, integrity, availability) weighting to the vulnerabilities found.
- OWASP WSTG
The Web Security Testing Guide (WSTG) project is the premier cybersecurity testing resource for Web application developers and security professionals. The WSTG is a comprehensive guide to testing the security of Web applications and Web services. Created through the combined efforts of cybersecurity professionals and dedicated volunteers, the WSTG provides a framework of best practices used by penetration testers and organizations around the world.
- OWASP MASTG
The OWASP Mobile Application Security Testing guide is a mobile app security standard and comprehensive testing guide that covers the processes, techniques and tools used during a mobile app security test, as well as a comprehensive set of test cases that allow testers to deliver consistent and complete results.
- PTES
The Penetration Testing Execution Standard (PTES) consists of several main components. Together these cover every phase of a penetration test, namely:
- The initial communication and reasoning behind a pen test;
- The information gathering and threat modelling phases, where testers work behind the scenes to gain a better understanding of the tested organisation;
- Vulnerability assessment, exploitation and post-exploitation, which addresses the technical security expertise of the testers and combines it with the business acumen of the assignment;
- Reporting, which captures the entire process in a way that makes sense to the customer and provides them with the most value.
- CVSS
The Common Vulnerability Scoring System (CVSS) standard provides an open framework for disclosing the characteristics and consequences of software and hardware security vulnerabilities. The quantitative model is designed to ensure consistent and accurate measurement while allowing users to see the underlying vulnerability characteristics used to generate the scores.