
Penetration Testing Services
The CIS flagship service is an extensive offer of advanced penetration testing operations. A penetration test is an authorized simulated cyber attack on information technology infrastructure performed to evaluate the security of the systems.
Our team is continuously involved in extensive offensive research and intelligence gathering to provide our partners with advanced assessments that strengthen the cybersecurity posture of products, services, and infrastructure.
External Penetration Testing reconnaissance provides an in-depth profile of an organization’s security weaknesses from outside threats and adversaries trying to breach confidentiality, integrity, and availability.
Traditional, Cloud, and Hybrid Networks/Infrastructures Communications Services and Microservices - AWS, Azure, Google, and more.
With Internal Penetration Testing, we provide unique insights into established internal networks, helping partners identify vulnerabilities, build up security, and defend against threats from within the boundaries of the organization’s network.
LAN, WLAN, MAN, SAN, Distributed, Centralized, and Hybrid Networks/Infrastructures On-Site - Siloed and Isolated/Dark Network Testing
We provide our extensive Application Penetration Testing designed for Financial, Govtech, CII, Healthcare, and more, in order to protect from data breaches, coordinated cyber attacks, industrial espionage, and loss of service.
Contemporary Web Application Technologies Mobile Applications for both Android and iOS, SCADA Systems, and Embedded Systems in IoT
Sentry offers in-depth Security Code Reviews for some of the most popular technology stacks in the market:
C, C++, C#, Java, Python, JavaScript, Ruby, Node.js, PHP, .NET, ASP, Golang, + more
A penetration test identifies an organization's weaknesses the same way an attacker would: by hacking it. This enables organizations to better understand and ultimately minimize the risk associated with IT assets.
During a penetration test, CIS identifies vulnerabilities in technology systems and infrastructure. Vulnerabilities are identified in information systems, and these could be tangible or intangible threats to the business/organization.
CIS examines any identified vulnerabilities to determine whether they can be exploited by an attacker to compromise targeted systems, gain access to sensitive information, incapacitate IT systems, and any other harm that may come from various types of cyber attacks.
Black Box Testing*
This methodology requires no prior information about the target network or application. It's a real-world hacker attack scenario. It's preferred because it enables the security experts to look at various levels of security controls from an attacker's perspective. This is usually the best approach because it enables security teams to think outside the box and perform tests on all levels according to practical expertise and knowledge.
The benefits of this method are as follows:
- Realism - This is a more realistic testing scenario which emulates how a real zero-knowledge cyber attack would affect systems.
- Rapidity - The preparation time of these tests is very short since no information about the infrastructure is required.
White Box Testing*
In white box testing, conversely, the client shares in-depth knowledge of the internals of the systems being tested. That understanding is used to simulate attacks that directly assess how secure the systems actually are.
The benefits of this method are as follows:
- Highly Effective - This type of assessment guarantees much larger and more detailed coverage of testing and assessment.
- Expert Recommendations - Maximizes remediation quality.
Risk Classification Systems
The report classifies vulnerabilities in a five-step hierarchy:
Critical Vulnerabilities - these vulnerabilities allow an attacker to compromise confidentiality, integrity, and access to information fully. An attacker is able to gain full control over a system or completely cripple critical business activities. Examples of critical vulnerabilities include Unauthorized Code Execution, SQL Injection, Buffer Overflows, etc.
High-Risk Vulnerabilities - these vulnerabilities have a significant impact on confidentiality, integrity, and access to your information, but usually do not allow for a full compromise or control of an organization. Some examples include denial of service on specific resources, cross-site scripting, path traversal, and insecure direct object references.
Medium Risk Vulnerabilities - they are similar to high-risk vulnerabilities which allow for the unauthorized use of specific resources or systems, but they do not have a high impact on either confidentiality, integrity, or access. Some examples include weaknesses in SSL/TLS protocols, weak hashing algorithms, etc.
Low-Risk Vulnerabilities - include weaknesses which give relevant information to an attacker in order to further compromise a system. Some examples of this may be information leakage on critical applications, full path disclosure, insecure elements, etc.
Informational Vulnerabilities - these are usually missing best practices or smaller information leaks which may help an attacker further compromise a system. Some examples of these vulnerabilities include verbose or default error pages, insecure cookies, information leaks on technologies used and so on.
The vulnerabilities found are classified according to CVSS v3 (Common Vulnerability Scoring System). When scores are computed, the vulnerabilities become contextual and help provide a better understanding of the risk each vulnerability poses to the organization.
Apart from vulnerability mitigation, this section will also include a top-level look at your organization's resources, followed by recommendations on upgrading the various layers of security in order to build highly secure environments.
Additional Services
Information Security Operations Center - MSSP
CIS’s security team is responsible for monitoring and analyzing an organization’s security posture on an ongoing basis. CIS’s security operations center is staffed with security analysts and network defense operators as well as managers who oversee security operations.
The CIS SOC team’s goal will be to detect and analyze all suspicious ongoing traffic and data flows to ensure security issues are addressed quickly upon discovery. Our incident response teams are highly specialized in incident response and forensics.
Compliance Audit
CIS offers audits and tests in order to get your organization up to speed with the latest standards in information and cyber security. Our team ensures that you have all of the prerequisites in place for standards implementation.
● ISO/IEC 27001
● ISO/IEC 27002
● PCI-DSS
● HIPAA
● And More
Risk Assessment
CIS Risk Assessments are based on NIST Standards in order to identify, estimate, and prioritize risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, and individuals, resulting from the operation and use of information systems.