3. Vulnerability Assessment
• A process to evaluate and review key
systems, networks and applications
• To identify vulnerabilities and
configuration issues that may put the
organization at risk of being breached
• Effective in identifying vulnerabilities,
but it cannot differentiate between
exploitable vs non-exploitable
4. Penetration Testing
• Goal-driven test focused on identifying
all possible routes of entry an attacker
could use to gain unauthorized entry
into the target
• Identifies the potential damage and
further internal compromise an
attacker could carry out once they are
past the perimeter.
• Proof of concept strategy to
investigate, exploit and validate the
extent of the identified vulnerability
5. • Testing from an external network with no prior
knowledge of the internal network and system
• Test being performed from within the network
• Prior knowledge of the network, architecture and
• Testing from an internal or external network
• Partial knowledge of the internal network and system
• Combination of both white and black box testing
• Internal & External IPs
• VoIP & Cloud ;Telephony
• Devices – Firewall, Switches, Routers, etc
• AWS Cloud
• AWS Cloud Assessment
• Devices – Firewall, Switches, Routers, etc
Objective - The scope will be scanned and tested for vulnerabilities using a wide variety of tools and
techniques. The tools and techniques used will be consistent with current industry trends regarding exploitation
of vulnerabilities. The tools and procedures are:
• Threat and attack vectors
• Combination of vulnerabilities exploited in a particular sequence
• Business and operational impact of attacks
• Efficiency of the client’s network and environment to detect and respond to attacks
• Areas of focused investment to reduce or mitigate risks
7. Objective – Key objective is to impersonate a
real-world attacker and discover security issues
within an application. We also want to assist the
organisation in resolving the findings. We also
want to provide a business case for investing in
relevant security controls.
Methodology – Industry standard test cases like,
cookie attacks, sensitive data exposure, session
management, data validation, business logic,
security misconfigurations and much more.
Evaluation – Impact and Risk Factor for the
business. Remediation methods
USB PhishingEmail Phishing
Objective – A simulated attack vector that relies
heavily on human interaction and often involves
manipulating people into breaking normal security
procedures and best practices in order to gain
access to systems, networks or physical locations.
Baiting – An attacker leaves a malware-infected
physical device, such as a USB flash drive, in a
place it is sure to be found. The finder then picks
up the device and loads it onto his or her
computer, unintentionally installing the malware.
Spear Phishing/Phishing – Phishing is when a
malicious party sends a fraudulent email disguised
as a legitimate email, often purporting to be from a
trusted source. The message is meant to trick the
recipient into sharing personal or financial
information or clicking on a link that installs
11. VAPT for SMEs
Cybersecurity Myths for SMEs
• I have a firewall, so I’m safe from attacks
• Hackers understand strategies adopted by a firewall quite well. Disrupting codes and exploiting basic IT
oversights to gain access to your system is easy.
• While most cyber security threats are avoidable, your organizations can not rely solely on firewalls for
• I use HTTPS, so my site is secure
• HTTPs safeguards the transmission of information from source to destination. This is web security at a
• It does not block attacks like DDoS, brute force, injections, etc.
• There is also the issue of organizations using fake SSL certificates, resulting in their organization being
• SMEs are safe because they are not worthwhile targets
• SMEs are considered to be low hanging fruits for hackers because so many do not take security seriously.
• One of the most popular attacks that hackers use against SMEs is ransomware.
12. VAPT for SMEs
Why do SMEs need VAPT?
• Basic security measures are not enough.
• Firewalls or anti-virus solutions are not sufficient to protect against attacks.
• Security budget
• Unlike MNCs, SMEs do not have the budget to implement everything.
• There is limited or no resource for security expertise.
• What VAPT adds value to is to streamline what is needed for the organization.
• Potential clients or business partners will feel insecure on collaboration.
• Contributing factors can be issues like safeguard of important data.
• SMEs also lose out on potential/existing business.
• Compared to SMEs, larger organizations have a much greater potential to survive an attack due to the help of
current investors and existing large clients. (E.g. Sony (04/2011) survived through the attack.)
13. VAPT for SMEs
Almost 40% of cyberattacks in Singapore target small and medium enterprises (SMEs), according to the Cyber
Security Agency of Singapore (CSA). Phishing attempts and ransomware were the most common methods used.
Insurance Business Asia, 20-Jun-2018
15. Company: Fortnite / Online Gaming
- In January 2019, it was announced that all 200 Million user accounts on Fortnite had been
compromised through a company-wide data breach.
- By using a website developed in 2004 by Fortnite makers, Epic Games, hackers were able to gain access
to the database that housed usernames, and passwords. They used this to purchase in-game currency,
V-Bucks, and also listen into in-game chats.
Checkpoint Research, 16-Jan-2019
16. Company: Dow Jones / Financial
- American financial information and publishing firm, Dow Jones, suffered a data leak in March 2019. It
compromised over 2 Million identity records for politicians and government officials around the
Security Discovery, 27-Feb-2019
17. Company: Instagram / Social Media
• On May 20th, 2019, news broke that over 49 million Instagram influencers, celebrities, and companies
had large amounts of their personal data compromised. The data compromised included personal
telephone numbers, emails, and location data.
• The breach is a result of Indian social media marketing firm, ChatrBox, having completely unsecured
Tech Crunch, 23-May-2019
18. Below is an extract of a price table, based on Infosec Institute.
Infosec Institute, 15-Jan-2019
Hacking web server (vps or hosting) USD 250 (1,04 BTC at the time I’m writing)
Hacking personal computer USD 200 (0,83 BTC at the time I’m writing)
Hacking Social Media Account (Facebook, Twitter) USD 300 (1,25 BTC at the time I’m writing)
Gmail Account Take over USD 300 (1,25 BTC at the time I’m writing)
Web Server security Audit USD 400 (1,66 BTC at the time I’m writing)
Remote Access Trojan USD 150 – 400 (0,62 – 1,66 BTC at the time I’m writing)
Banking Malware Customization (Zeus source code) USD 900 (3,75 BTC at the time I’m writing)
Rent a botnet for DDoS attack (24 hours) USD 150 – 500 (2,08 – 1,66 BTC at the time I’m writing)