Penetration Testing

Identify Security Weaknesses

A penetration test emulates real-world threats your institution is likely to encounter. SIG Cyber identifies weaknesses, demonstrates impact, and helps you prioritize resources to protect your organization. SIG is a CREST-accredited penetration testing provider.

Why choose sig cyber for your pen testing

Features

SIG Cyber

Other Providers

All the expected Certifications

SOC 2 Type II Certified

CREST-Accredited

Not Software/Infrastructure Biased

Cloud Security Capable

Confidential Report & Feedback

Human-based testing

Education Industry Expert

Education App Expert

Free remediation Testing for 90 Days

SCHEDULE A CALL TO DISCUSS YOUR NEEDS

Identifying

The sophistication of attacks from recent data breaches show that identifying vulnerabilities requires more than simply running a vulnerability scan against your assets.

Exploiting

While identifying a vulnerability is useful, being able to demonstrate how vulnerabilities can be combined and exploited gives you a better understanding of the overall risk.

Quantifying

Being able to quantify the risks your organization faces helps you to better prioritize your resources and make data-driven decisions to protect your organization.

Benefits of Penetration Testing

Reduce Attack Surface

Understanding what ports and services are exposed and how an attacker may use the information available to attack is a critical first step in defending your network. SIG Cyber will evaluate your attack surface, and provide tailored recommendations to minimize the avenues an adversary can exploit.

Gain Visibility of Security Gaps

Gain a holistic view of the blind spots and gaps in your security posture. Having a third-party security expert assess your security uncovers things that your internal team may have overlooked by being too close.

Test Effectiveness of Security Controls

Test the investments your security team has implemented to ensure they are configured correctly to thwart attacks, and whether they can stop a dedicated attack against your organization.

Justify and Prioritize Security Budgets

A penetration test can assist you in justifying and prioritizing the budget your organization needs for critical security controls, saving money over the long run and preventing unnecessary expenditures on security products not a good fit for your organization.

Meet Compliance Objectives

Penetration testing is a necessary step in many compliance regulations. Having a third party expert assess your security posture is a necessary step to ensure you are meeting the due diligence requirements to secure the data you must protect.

What SIG Cyber Penetration Testing Delivers

External Penetration Test

An external penetration test emulates an attacker trying to break into your network from the outside. The goal of the engineer performing this assessment is to breach the perimeter and prove they have internal network access. This test includes:

Open source reconnaissance against the organization
Full port scan covering all TCP ports and the top 1,000 UDP ports of the targets in scope
Full vulnerability scan of the targets
Manual and automated exploit attempts
Password attacks

Internal Penetration Test

An internal penetration test emulates an attacker on the inside of your network. This could be either an attacker who is successful in breaching the perimeter through another method or a malicious insider. The goal of the engineer in this module is to gain root and/or domain administrator level access on the network, and gain access to sensitive files. Activities include:

Active and Passive network reconnaissance including traffic sniffing, port scanning, LDAP enumeration, SMB enumeration, etc.
Vulnerability scan on all in-scope targets
Spoofing attacks such as ARP cache poisoning, LLMNR/NBNS spoofing, etc.
Manual and automated exploit attempts
Shared resource enumeration
Password attacks
Pivoting attacks

Wireless Penetration Test

A wireless penetration test is a comprehensive evaluation of the wireless networks in your organization using automated and manual methods. Areas covered include:

Password attacks
WEP/WPA cracking
Guest wireless segmentation checks
Traffic sniffing attacks
SSID spoofing
Rogue access point discovery

Web Application Penetration Test

A web application penetration test is an in-depth penetration test on both the unauthenticated and authenticated portions of your website. The engineer will test for all of the OWASP Top-10 critical security flaws, as well as a variety of other potential vulnerabilities based on security best practice. Activities include:

Website mapping techniques such as spidering
Directory enumeration
Automated and manual tests for injection flaws on all input fields
Directory traversal testing
Malicious file upload and remote code execution
Password attacks and testing for vulnerabilities in the authentication mechanisms
Session attacks, including hijacking, fixation, and spoofing attempts
Other tests depending on specific site content and languages

Social Engineering Assessment

This assessment is designed to target and take advantage of the human-element to gain access to your network. This is done using a variety of methods to get an employee to click on something they shouldn’t, enter their credentials or otherwise provide them when they shouldn’t, or divulge information that may assist an attacker in breaching your network. The goal for the engineer performing this assessment is to gain information that may assist an attacker in future attacks, gather credentials, or gain a foothold on the internal network. This assessment will include:

Phone-based attacks
Spear phishing attacks
Bulk phishing attacks

Physical Penetration Testing

A physical penetration test is an assessment of the physical security of your premises. Our engineers will attempt to gain access to your facility by identifying weaknesses and/or using social engineering. Once inside, our engineers will attempt to gather sensitive information, gain access to sensitive areas such as the data center, and attempt to gain internal network access.

Vulnerability Scanning

Vulnerability scanning is a regular, automated process that identifies the potential points of compromise on a network. A vulnerability scan detects and classifies system weaknesses in computers, networks and communications equipment and predicts the effectiveness of countermeasures. Our engineers will conduct this scan for you and use our expertise to remove false positives and produce a risk-prioritized report.

API Penetration Test

An API penetration test emulates an attacker trying to exploit vulnerabilities within your API that may allow him to bypass authentication controls, access sensitive data, or otherwise disrupt the service. The goal of the engineer performing this assessment is to comprehensively review your API for OWASP Top 10 vulnerabilities and exploit any vulnerability that may allow the engineer to bypass security controls. Our API Penetration Testing includes:

Method and parameter fuzzing
Injection attacks, such as SQLi, XSS, XPath, Command
Authentication bypass and privilege escalation attempts
Authorization testing to assess the security of data in multi-tenant configurations including: Direct object references, Client or user impersonation, Authorization bypass, Information Leakage between clients
Analyzing headers and error messages for information disclosure
Identification of unnecessary information returned or data leakage
Analysis of server-level transport encryption for security best practice

Expertise

We understand that you are looking for a security expert.

SIG is a CREST-accredited penetration testing provider and is well versed in the specific student information systems that hold your institution’s most sensitive data. Our engineers are masters of their craft and achieve industry leading certifications including:

* Certified Red Team Operator (CRTO)

* Cisco Certified Network Associate (CCNA)

* CMMC Registered Practioner

* CompTIA A+

* CompTIA Network+

* CompTIA PenTest+

* CompTIA Project+

* CompTIA Security+

* CREST-Accredited Penetration Testing Provider

* CREST-Registered Penetration Tester (CRT)

* CyberLock Cyber Essentials Plus

* EC-Council Certified Ethical Hacker (C|EH)

* EC-Council Certified Incident Handler (E|CIH)

* GIAC Certified Incident Handler (GCIH)

* GIAC Foundational Cybersecurity Technologies (GFACT)

* GIAC Information Security Fundamentals (GISF)

* GIAC Penetration Tester (GPEN)

* GIAC Python Coder (GPYC)

* GIAC Security Essentials (GSEC)

* GIAC Web Application Penetration Tester (GWAPT)

* HTB Certified Bug Bounty Hunter (HTB CBBH)

* INE Security: Certified Prof Penetration Tester (eCPPT)

* INE Security: Junior Penetration Tester (eJPT)

* INE Security: Web Application Penetration Tester (eWPT)

* INE Security: Web Application Penetration Tester (eWPTX)

* ISACA: Certified Information Secuirty Manager (CISM)

* ISACA: Certified Information Security Auditor (CISA)

* ISC2: Certified Information Security Professional (CISSP)

* ISC2: Info Systems Security Architecture Professional (ISSAP)

* OffSec Certified Professional (OSCP)

* OffSec Web Expert (OSWE)

* OffSec Wireless Professional (OSWP)

* PCI Security: Qualified Security Assessor (QSA)

* PeopleCert: ITIL Foundation

* SOC 2 Type II (SIG Cyber)

* TCM Practical Network Penetration Tester (PNPT)

Strategy & Optimization

Enterprise Applications

Data Services

Cybersecurity

ERP/SIS

CRM

Business Intelligence

Cloud