For all your Internet services including Facebook, Twitter, LinkedIn, Google, Apple, Microsoft
It significantly improves security of your accounts
Do not use the traditional SMS verification, it is not secure enough
always prefer two-factor authentication (2FA)
Install Google Authenticator or Authy
Use secure password managers
Most people are not able to remember most of their passwords and passphrases
Using secure password managers is always a better idea than write your password to the text file or to the paper
The most advanced and secure are Dashlane, LastPass, KeyPass
Remember just one strong passphrase (and optionally enable 2FA)
What is a penetration test?
A method of evaluating the security of a computer system or network by simulating an attack by a malicious hacker
Involves an active analysis of the system for any weaknesses, technical flaws or vulnerabilities and exploitation
OSSTMM methodology or OWASP Testing Guide is used
TEST APPROACHES
Black box - a zero-knowledge attack - no relevant information about the target environment is provided, the most realistic external penetration test
White box - a full-knowledge attack - all the security information related to an environment and infrastructure is considered
Grey box - a partial-knowledge attack
Test Phases
Discovery - information about the target system is identified and documented (WHOIS service, public search engines, domain registrators, etc.).
Enumeration - using intrusive methods and techniques to gain more information about the target system (port scanning, fingerprinting).
Vulnerabilitymapping - mapping the findings from the enumeration to known and potential vulnerabilities.
Exploitation - attempting to gain access through vulnerabilities identified in the vulnerability-mapping phase. The goal is to gain user-level and privileged (administrator) access to the system (custom exploit scripts or exploit frameworks are used).
Standard Web Application Test
Reveal as much as possible the most critical security vulnerabilities in the web application/web server during 3 days
Exploit them and gain privileged access if it is possible
Reveals the most serious vulnerabilities (SQL/LDAP injections, XSS/CSRF, buffer overflows, business logical flaws, authentication bypass, local file inclusions)
Provides a technical report with an executive summary, all revealed vulnerabilities, risk levels, and recommendations.
Due to manual inspection, the test is highly recommended when you automatized security scanners have already failed.
Comprehensive Web Application Audit
The most comprehensive and deepest web application audit on the market
The comprehensive report in English/Spanish/Czech/Slovak
It takes 2-4 weeks per one application
Suitable for the large organizations (banks, any fintech companies)
Smartphone Application Security Audit
The smartphone security audit system involves a technical security audit of the mobile application itself and appropriate server web services (REST / SOAP).
During testing, we follow the OWASP Mobile Security Project mainly focusing on the Top Ten Mobile Controls
Suitable for all companies which develop or operate their own mobile applications
Testing time: 1-3 weeks depending on the complexity
Social Engineering
The best way to verify security awareness in your organization - it exploits the human basic nature - altruism, greed, the need to help
Depending on the project we plan multiple scenarios, many of them are 100% successfull
Internet Social Engineering - usually customized phishing (spearphishing) when we use publicly available information
Phone Social Engineering - with Caller ID spoofing it works very often
Physical Infiltration - bypassing physical obstacles in order to get the physical building, offices and customer's data
Red Teaming is a combination of Social Engineering and Black Box penetration tests