The risk landscape is constantly changing. New technologies, business areas and employees are integrated or areas that are no longer part of the core business are disinvested. The strategies of attackers change just as quickly. Accordingly, security must be put through its paces on a regular basis. Our specialists know the hackers' tricks and find the weak points before an attacker can exploit them.
OUR PENETRATION TESTING SERVICES
InfoGuard AG's Red Team has very extensive experience in the simulation of various threat actors. These range from simple "Script Kiddie" attacks to very complex vulnerability chaining for "Nation State" level attacks. Close, continuous cooperation with the internal Blue Team and the implementation of unannounced crisis team exercises at InfoGuard's Cyber Defence Centre have resulted in a unique wealth of experience for particularly complex and well-shielded environments. Attacks have also gone so far as to deliberately exploit vulnerabilities that are still unknown to the public (development of so-called zero-day exploits). This has made it possible to circumvent state-of-the-art security appliances and achieve a breakthrough in high-security environments. Our individual team members have broad and deeply specialised know-how (e.g. from BlueTeam/RedTeam dual roles, forensic analyses, reverse engineering, cryptography or exploit development), resulting in a unique combination of offensive and defensive IT security.
Cyber attacks such as WannaCry and Petya showed once again how sophisticated the methods of today's cyber criminals are. Successful attacks cause enormous damage - not only financially, but also to reputation.
Do you want to know how far a hacker can get in your network and how successful a targeted attack would be? We can show you with a simulated attack on your company. Our experts specifically use different methods, such as technical audits and penetration tests, social engineering techniques (spear phishing, physical on-site, malware attacks) or research in social networks, on the internet, but also in the darknet.
As part of the external penetration test, our penetration testers specifically look for vulnerabilities that cannot be detected or exploited by automated tools. This also includes information gathering to identify client systems that are freely reachable from the internet. These systems represent the exposed attack surface, which is in principle available to any anonymous attacker via the internet. The further specific tests are adapted and carried out depending on the services identified in this way.
This audit involves a technical check of the web application (including the server on which the web application is operated) from the perspective of a script kiddie or an attacker who primarily acts automatically. The aim of the web application security audit is to identify obviously critical vulnerabilities (so-called "low-hanging fruits") and to assess the general attack surface.
This penetration test involves a technical examination of the web application (including the server on which the web application is operated) from the point of view of an experienced attacker - optionally the source code is also analysed. The aim of the web application security audit is to identify vulnerabilities that could threaten the application immediately or could lead to a security problem in the future (e.g. through the combination of other vulnerabilities). The audit is carried out in a structured manner on the basis of the OWASP Web Security Testing Guide (WSTG) and the OWASP Top 10 Web Application Security Risks and supplemented with specific tests from InfoGuard.
This audit involves a technical review of the Web API (including the server on which the Web API is operated) from the perspective of an experienced attacker. The audit is carried out in a structured manner on the basis of the OWASP Web Security Testing Guide (WSTG) as well as the OWASP API Top 10 Security Risks and supplemented with specific tests from InfoGuard, so that all attack possibilities as well as the potential danger from advanced attackers are taken into account.
InfoGuard AG's mobile app penetration test is based on the OWASP Mobile Application Security Verification Standard (MASVS) and for the backend API, tests are taken from the OWASP Web Security Testing Guide. This ensures that all relevant technical attack vectors are covered by the penetration test.
To take into account the different security requirements of mobile apps, the MASVS divides all tests into two levels:
Level 1 should be met by all mobile apps and confirms basic protection against possible attacks, both on the app itself and on the backend API.
Level 2 is intended for apps with increased security requirements, such as e-banking apps or apps in the healthcare industry. This includes, for example, defence-in-depth measures such as certificate pinning or the enforcement of basic device security.
The WLAN audit checks all security-relevant parameters of the WLAN infrastructure. The aim of the audit is to verify existing security measures and the application of industry standards and to identify possible attack vectors. Thus, the danger of an external attack is realistically assessed, both from an anonymous attacker's perspective and in an authenticated context connected to the network.
This audit involves a technical review of the e-mail or proxy infrastructure. It verifies whether technical or configuration vulnerabilities exist that would allow an attacker to gain initial access to the internal network by means of malicious e-mail attachments or download links - or to control internal IT systems from the internet (C2) or to exfiltrate data unnoticed.
Windows 10 (VDI) Client Security Audit
Windows Server 2016 Terminal Server Security Audit
This audit involves a technical review of a physical or virtual Windows 10 client or a Windows Server 2016 terminal server. The audit identifies vulnerabilities in the relevant attack areas (physical, network and similar) and verifies important hardening measures that significantly impede the use of attack techniques. The check catalogue developed by InfoGuard is based on recognised security standards such as the "Center for Information Security" (CIS) benchmarks and the Microsoft Security Baselines.
The phishing simulation is used to determine whether and how many employees are susceptible to a phishing email, whether organisational measures for reporting phishing emails are in place and whether they are actually used. Employees are lured to a fake website where they are asked to disclose confidential information. The indicators that point to a phishing email can be varied as required.
As part of our social engineering audits, we check the security behaviour of your employees. Our social engineers try to elicit confidential information from your employees through personal contact by exploiting their trust, credulity and helpfulness, or even their overload and insecurity. Depending on the audit objective and target group, we use different audit methods and types of social engineering attacks. These range from personal contact with the target person by telephone or physically on site, to electronic contact via e-mail, chat or social network platforms, to postal contact. The targeted delivery of manipulated USB storage media and systematic data analysis on the Internet are also part of our attack repertoire.
InfoGuard offers targeted security audits to verify your security processes, IT infrastructure and employees. Cyber criminals are constantly changing their tactics and your own ICT infrastructure changes just as quickly. The current threats and vulnerabilities are part of the agenda of our security specialists. Our security audits, penetration tests and cyber attack simulations provide you with an optimal basis for increasing your information security in the long term and help to identify, assess and eliminate risks at an early stage.
WHITEPAPERS & VIDEOS – all about Penetration Testing
Would you like to learn more about cyber attack simulation, social engineering or vulnerability management? Our experts regularly produce whitepapers, checklists, videos and posters so that you can check your cyber security and find out about vulnerabilities today. Once downloaded, our Content Offers are available to you as a useful reference work at any time - and free of charge, of course. You can download our three top offerings on the topic of cyber defence here: