How it works?
Many businesses utilize security testing to comply with regulations and assess their overall security status, then sharing the results with auditors. However, this process can be challenging due to poor report quality, lengthy test deployment, employee exhaustion, regular code updates, and conflicting tester schedules. To address these issues, more than half of businesses are turning to outsourcing their security testing to support their internal teams. Furthermore, a growing number of companies are embracing a constant testing approach, with 44% conducting tests at least once a month.
Our company offers streamlined security solutions through our Secure Client Portal, available as either Managed or Pay-as-You-Go options.
How can we Help?
- Cyber Legion offers professional cyber security services that are both on-demand and pay-as-you-go, incorporating augmented intelligence to help you reach all of your security testing objectives through a single web portal.
- We recognize that every organization approaches security differently, depending on their specific environment, ecosystem, and requirements.
- To best support you, we provide comprehensive security assessments that address your organization’s cyber security needs, including attack surface management, adversary emulation testing, static and dynamic application security testing, risk assessment, penetration testing for web and API, IoT, networks, mobile apps, and more.
- Reduced third-party testing reliance and expenses
- Minimize cost and dependency on
- 3rd-party pen testing services
- Increased cybersecurity team efficiency
- Increase security personnel validation productivity across the entire attack surface
- Maximized security with existing resources
- Ongoing security validation allows the prioritization and repair of the most critical security gaps first
- Accelerated time to remediation
- Identify the critical security gaps and mitigate risk before it materializes
Security Testing Workflow
1. Client Onboarding
Access to all of Cyber Legion's services is provided through the Web Secure Client Portal. To create a Free account, you can sign up through the portal, or contact the Cyber Legion team and they will set up an account for you.
2. NDA , Agreements & Digital Signature
The integration of Digital Signature in our Web Client Portal allows us to legally sign all necessary documents and agreements, enabling us to carry out security assessments on targeted systems.
3. Submit Work Request
Our pricing structure is adaptable to meet the needs of all clients. By filling out the Work Request Form, you can select from pre-existing services or request a personalized proposal.
The Cyber Legion team will acknowledge your order, set up a project in your account, and proceed with the testing and delivery.
4. Security Testing & Report
We meet agreed upon SLAs and follow security testing framework checklists. Based on our commitment, our team of engineers will utilize all of our tools, automation, and testing capabilities to achieve the objectives.
Within the agreed upon timeframe, you will receive a report on the security test that was conducted, including the results, recommendations, and references for addressing any identified issues.
5. Retesting & Validation of Remediation
We not only identify potential threats, risks, and vulnerabilities, but also provide detailed recommendations for resolution. To ensure complete remediation, we offer complimentary retesting and a range of ongoing security testing options for continued vulnerability detection and verification.
There are different types of pen testing methods that are used by ethical hackers. The depth of the test may be dictated by your budget, scope, or regulatory considerations. It comes down to what is being targeted and what is asked for. Applying a risk based approach when considering what to target can be helpful. For example, an increase in attack surface due to the addition of a new product or change in the network architecture may be a good time for a pen test.
Knowing a bit about the different approaches to pen testing may help in determining how deep a test to request:
- Black Box – The pen tester has no knowledge of the system and goes in blind. This type of testing can be very time consuming and is like a trial and error approach. This type of pen test is typical for SOC 2 or other audits.
- White box – The pen tester has full knowledge of the system and can gain more access because instead of guessing where to look for vulnerabilities, they can go straight to an app or area of a network. This is usually an internal pen test
- Gray box – The pen tester has some knowledge of the system and uses this to gain more and more access. This test is also typical for a SOC 2.
The time that penetration testing takes depends on the size and complexity of your organization’s system structure, as well as the scope of the test itself. For the ‘average’ company, a network penetration test should take around three days. For a merchant processing millions of credit cards a year, for example, a pen test will take over a week, or possibly two.
It is recommended that external vulnerability assessments are run on a more regular basis compared to penetration testing, this could be monthly or quarterly as cyber threats are constantly evolving and will detect any potential issues in between any annual testing.
If major changes are made to the infrastructure or new applications are developed, then it is recommended that additional testing is conducted. This ensures that any recent changes are not introducing new vulnerabilities into the environment.
Some certifications such as ISO 27001 or PCI DSS, require a certain frequency of testing to remain compliant.
The penetration testing cost depends on the facts identified during scoping, such as the agreed time, goals, technical resources, approach, and remedial support.
Both penetration tests and automated vulnerability scans are useful tools for managing vulnerabilities. While these are different testing methods, they are complementary and both should be performed.
A vulnerability scan is an automated, low-cost method for testing common network and server vulnerabilities. This is sometimes referred to as an automated pen test. Many automated tools are available and most are easily configured by the end user to scan for published vulnerabilities on a scheduled basis. While an automated vulnerability scan is very efficient and cost-effective in identifying common vulnerabilities such as missing patches, service misconfigurations, and other known weaknesses, they are not as accurate in validating the accuracy of vulnerabilities nor do they fully determine the impact through exploitation. Automated scanners are more prone to reporting false positives (incorrectly reporting weaknesses) and false negatives (failing to identify vulnerabilities, especially those impacting web applications). Automated Vulnerability Scanning is mandated by the Payment Card Industry Data Security Standard (PCI DSS) as noted in requirement 11.2.
A penetration test focuses on the environment as a whole. In many ways, it picks up where the scanners leave off to provide a comprehensive analysis of the overall security posture. While scripts and tools are leveraged by a penetration tester, their use is largely limited to reconnaissance activities. The bulk of a penetration test is manual by nature. A penetration test identifies vulnerabilities scanners cannot, such as wireless flaws, web application vulnerabilities, and vulnerabilities not yet published. Further, pen testing includes attempts to safely exploit vulnerabilities, escalate privileges, and ultimately demonstrate how an attacker could gain access to sensitive information assets. Penetration testing frequently applies “test scenarios” specific to an organization as well. For example, a university may grant access to student workers, a hospital may leverage third party service providers, or a consultancy may have unique access rights for their engineers. Each of these scenarios would require different positioning of the penetration tester within the environment and requires adjustments to the methodology. Penetration testing is also mandated by the PCI DSS as noted in requirement 11.3.
Penetration testing and automated vulnerability scans both serve a purpose and both types of testing belong in a comprehensive vulnerability assessment program. Automated vulnerability scanning should be scheduled to run on a frequent basis, ideally at least weekly, with network penetration tests scheduled quarterly or when significant changes are planned to an environment.
Consider a Recurring Penetration Testing program to assess your safeguards throughout the year for a proactive security approach.
Penetration tests (or pen tests) are attacks on your companies’ software and hardware systems, carried out by ‘ethical hackers’ to expose your system’s vulnerabilities. One example is a web application pen test. Web apps, browsers and plug-ins can house sensitive financial or personal data, so hackers are increasingly putting their efforts towards gaining access to them. The test would examine the endpoint of every web application.
Penetration tests are organized attacks on your IT system (organization assets), executed to expose the vulnerable spots in your system’s defenses. This include High and Critical flaws such as RCE, SQL injection, cross-site scripting, source codes, logic, and network configurations. Penetration tests give your IT team an understanding of the vulnerabilities in your assets.
They are multiple types of penetration testing:
- External network pen tests involve an ethical hacker (hacking on behalf of you instead of themselves), trying to break into your organization.
- Internal network pen tests are similar, but the IT professional doing it has a degree of existing network access.
- Web application pen tests investigate the weakness of web apps, browsers and plug-ins, as they often house sensitive financial or personal data.
- Social engineering pen tests identify vulnerabilities in your workforce or workplace.
- Mobile penetration testing
- IOT devices Penetration Testing
- API Penetration Testing
Fixing these vulnerabilities will help you improve your information security defenses for not just your business but your staff, clients, customers, and partners.
- Identify weaknesses
- Prevent attacks
- Protect sensitive data
- Protect reputation
- Avoid fines and ransom costs
Security scanning, or vulnerability scanning, can mean many different things, but it can be simply described as scanning the security of a website, web-based program, network, or file system for either vulnerabilities or unwanted file changes.
Retesting enables programs to ask hackers to verify whether a vulnerability has been fixed in order to secure the protection of their data. If you submit a valid vulnerability report, programs can elect to invite you to retest the vulnerability to verify the fixes.
Our specialized team of security professionals hold industry qualifications such as CREST, OSCP, CISSP, CISM, CEH and Cloud security certification such as AWS, azure, GCP etc.
We are a SC Cleared team combine this with many years of industry experience at the highest level working across all industry sectors. We are skills hands-on engineers with clear track record of implementing, running managing security testing programs across various organizations.
A typical penetration test will follow this pattern: Initial engagement, scoping, testing, reporting and follow up. There should be a severity rating for any issues found.
For this model we assume that:
- You wish to know what the impact of an attacker exploiting a vulnerability would be, and how likely it is to occur
- You have an internal vulnerability assessment and management process
Initial engagement of the external team
- You should ensure that the external team has the relevant qualifications and skills to perform testing on your IT estate. If you have any unusual systems (mainframes, uncommon networking protocols, bespoke hardware etc.) these should be highlighted in the bid process so that the external teams know what skill sets will be required.
Scoping a penetration test should involve:
- All relevant risk owners
- Technical staff knowledgeable about the target system
- A representative of the penetration test team
Where the goal of the test is to ensure good vulnerability management:
- Risk owners should outline any areas of special concern
- Technical staff should outline the technical boundaries of the organization’s IT estate
- The penetration test team should identify what testing they believe will give a full picture of the vulnerability status of the estate
Assuming you have one, a current vulnerability assessment should be shared with the testers at this stage. Testing can then be designed to support a reasonable opinion on the accuracy and completeness of the internal vulnerability assessment.
During scoping, you should outline any issues which might impact on testing. This might include the need for out-of-hours testing, any critical systems where special handling restrictions are required, or other issues specific to your organization.
Plan of action
The output of the scoping exercise should be a document stating:
- The technical boundaries of the test
- The types of test expected
- The timeframe and the amount of effort necessary to deliver the testing – usually given in terms of resource days
- Depending on the type of approach agreed, this document may also contain a number of scenarios or specific ‘use cases’ to test
- The penetration testing team’s requirements. This will allow you to do any necessary preparation before the date of the test. For example, by creating test accounts or simply allocating desk space
- Any compliance or legislative requirements that the testing plan must meet
- Any specific reporting requirements, for example the inclusion of CVSS scores or use of CHECK severity levels
- Any specific time constraints on testing or reporting, that a penetration testing company will need to consider when allocating resources
Staying in contact
During the test phase, you should ensure that a technical point of contact is available at all times. The point of contact does not need to spend all their time working with the test team but should be available at short notice. This allows the test team to raise any critical issues found during testing, and resolve problems which are blocking their testing (such as network misconfiguration).
The testers should make every effort to avoid causing undue impact to the system being tested. However, due to the nature of penetration testing, it’s impossible to guarantee that no unexpected reactions to testing will occur.
During a penetration test or security assessment, the testing team may identify additional systems or components which lie outside of the testing scope but have a potential impact on the security of the system(s) which have been defined as in scope.
In this event, the testing team may either suggest a change to the scope, which is likely to alter testing time frames and cost, or they may recommend that the exclusion of such components be recorded as a limitation on testing.
The decision on which would be the preferred option will generally be down to the risk owner, with the penetration team responsible for clearly articulating the factors to consider.
The test report should include:
- Any security issues uncovered
- An assessment by the test team as to the level of risk that each vulnerability exposes the organisation or system to
- A method of resolving each issue found
- An opinion on the accuracy of your organisation’s vulnerability assessment
- Advice on how to improve your internal vulnerability assessment process
A debriefing can also be useful. At this meeting the test team run through their findings and you can request further information or clarification of any issues.
When rating vulnerabilities it is common for penetration testers (often at customer behest) to use the Common Vulnerability Scoring System which attempts to give a numerical score identifying the severity of a vulnerability.
To simplify this measurement, CHECK reports are required to state the level of risk as HIGH, MEDIUM, LOW or INFORMATIONAL in descending order of criticality. For CHECK reports, scoring systems such as CVSS may be used in addition to (but not in place of) this.
Whilst vulnerabilities are ordinarily categorised at one of these levels in a consistent manner, exceptions can sometimes occur. For example, other mitigating controls in place could minimise the effectiveness of a vulnerability, or the presence of additional vulnerabilities could have a synergistic effect.
Any deviation from associating a vulnerability with its standard rating should be documented and justified by the penetration testing team.
5.Follow up on the report
1. Do your own assessment
The penetration test report should be assessed by your organisation’s vulnerability management group in a similar manner to the results of an internal vulnerability assessment.
The penetration test team will have rated each issue found and given a potential solution. However, it’s important to note that risk assessment and decisions on the application of fixes are your responsibility.
The test team may not have had access to all details about a specific system or the potential business impact of the exploitation of a vulnerability. Consequently, they may rate issues either lower or higher than you. This process of assessing vulnerability levels should not be used to downplay issues – it should be a process of looking at issues and identifying the risk to your organisation.
2. Previously unknown vulnerabilities
Any vulnerabilities identified by the penetration test which you did not previously know about should be given special attention, with the aim of identifying ways in which you might go about spotting such issues in future.
3. Choosing solutions
The solutions proposed by your penetration testers may not be the only ones possible. You should take advice from your own technical staff and suppliers on alternatives.
As an example, imagine your pen testers have suggested patching a piece of software. You should ask yourself, ‘Is this the only solution to the problem?’ It may be possible to simply uninstall the software if it’s not actually required, or other controls could be put in place to limit exposure to the vulnerability. It may even be that additional monitoring of the vulnerable component is sufficient to reduce the risk to an acceptable level.
Vulnerability risk assessment and mitigation is a business process and should not be wholly outsourced to the test team.
Vulnerability assessments are typically more frequently performed as an ongoing assessment against the environment. Typically external vulnerability assessments are performed monthly or quarterly in between any annual manual penetration testing to identify any potential changes to the environment such as missing patches, unsupported software or configuration weakness that may put the environment at risk and would go undetected until the next manual penetration test.
Attack surface management is the continuous discovery, inventory, classification and monitoring of an organization’s IT infrastructure.
Attack surface management is important because it helps to prevent and mitigate risks stemming from: Legacy, IoT, and shadow IT assets. Human mistakes and omissions such as phishing and data leaks. Vulnerable and outdated software.
Bug bounties employ a competitive model that leverages the use of ethical hackers (or, security researchers) to detect and submit bugs or vulnerabilities within an organization’s digital assets with the potential for reward if found and validated within a predefined scope.
A bug bounty program, also called a vulnerability rewards program (VRP), is a crowdsourcing initiative that rewards individuals for discovering and reporting software bugs.
A cybersecurity risk assessment identifies the various information assets that could be affected by a cyber attack (such as hardware, systems, laptops, customer data, and intellectual property), and then identifies the various risks that could affect those assets.
The importance of risk assessment in business is identifying vulnerabilities that may threaten these regular operations and, resultantly, an organization’s reputation. Risk assessments improve overall cyber defense posture, help protect endpoint devices, and minimize potential damage from specific threats.
A vulnerability assessment is a systematic review of security weaknesses in an information system. It evaluates if the system is susceptible to any known vulnerabilities, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation, if and whenever needed. It is normally an automated scan using a commercial scanning engine tool. It is different to a penetration test where a human tester uses a variety of different methods to try to exploit and verify any weaknesses.
Vulnerability management is the process of identifying, evaluating, treating, and reporting on security vulnerabilities in systems and the software that runs on them. This, implemented alongside with other security tactics, is vital for organizations to prioritize possible threats and minimizing their “attack surface.”
Mobile testing covers many areas such as the device configuration, the management of the device and the applications used on the device.
Applications used on mobile devices can be tested at an application level to ensure no vulnerabilities exist that could lead to data being obtained from the device or the server that the application communicates with.
Cloud testing is penetration testing or vulnerability assessments of applications, infrastructure or the portal configuration of systems that are hosted within Cloud providers such as Microsoft Azure, Microsoft,
VMware, Oracle, IBM, Amazon AWS etc.
Servers or applications that have been incorrectly configured when installed or after migration to Cloud hosting providers may be exposing services or vulnerabilities to the Internet.
Adversary emulation is a practice that “aims to test a network’s resilience against advanced attackers or advanced persistent threats (APTs).” Basically, adversary emulation is a way for security organizations and consultants to carry out the same tactics, techniques, and procedures (TTPs) that bad actors would use against you in the real-world but in a contained emulation.
Basically, adversary emulation is a type of red (or purple) team engagement that uses real-world threat intelligence to impersonate the actions and behaviors that your red team (or bad actors) would use in practice.
And while many different frameworks can be used to carry out your adversary emulation exercises, many opt to use MITRE’s expansive knowledge base of real-world adversary behaviors outlined in the ATT&CK framework and their Adversary Emulation Plan
A penetration test can provide assurance that the systems and security controls tested have been configured in accordance with best security practice and that there are no common or publicly known vulnerabilities in the target system at the time of the test. If vulnerabilities are found these can be rectified before an attack or security breach occurs.
Penetration testing will enable you to:
Avoid extra cost and reputation damage from a security breach
Provide evidence of compliance with regulatory and certification standards
Provide assurance to customers and suppliers that their data is secure
This tests the hosts in scope for any identified vulnerabilities in software versions or configuration issues on exposed services. It does not login to the system, therefore does not run more detailed checks that would only be possible when using local administrative user credentials.
This tests the hosts in scope for any identified vulnerabilities in software versions or configuration issues, by logging into the host as an administrative user. This performs a much more detailed review and covers patch checking and configuration issues for the unexposed services on the host. If you wished to check all patching levels of systems across your network, an authenticated test would be the best option.
Application security testing (also known as a pen testing or pentesting) is an authorised security test on an application to identify vulnerabilities that may be present and could be exploited. Testing can be conducted via the Internet (if the application is externally facing) to identify any external facing vulnerabilities, or from inside the company for an internal application or if the application is not open to the Internet.
Vulnerabilities within applications could expose sensitive data to unauthorised users, or be used to further compromise systems within the organisation.
An application penetration test gives assurance of the applications security. It tests the application manually for weaknesses in access controls, user permissions and separation, input injection, file upload/download functionality, authorisation and authentication. It can identify weaknesses that may allow an unauthorised user to use the application in a non-intended manner and provide access to information they are not authorised to view.
The vulnerabilities identified are reported back to the system owner along with mitigation recommendations.
Penetration testing can also be used to test an organisation’s compliance with security policies, the security awareness of its staff and how effectively it can respond to security threats.
All security test results will be immediately available on the web portal, providing clear visibility of any vulnerabilities discovered. Along with the report of our findings, we offer a comprehensive set of recommendations to assist senior executives and IT/Dev/Engineering teams in implementing mitigation and remediation measures. We aid in the speedy resolution of all findings by providing specific technical details, testing methodologies, and actionable insights.
The web portal system offers visualization, analytics, tracking, and reporting capabilities, helping to eliminate any challenges in the remediation process with the guidance of Cyber Legion security researchers. Advanced technology features are also accessible through the Secure Client Portal.