SECURITY TESTING · leading web security standard “OWASP Testing guide” complemented by the...

SECURITY TESTING CYBERSECURITY SERVICES

WHO ARE THE THREAT ACTORS?

HACKTIVISM (ideological hacking)
Motivation: shifting allegiances – dynamic, unpredictable
Impact on business: disruption of public activities/services, reputation loss

ORGANISED CRIME (global, difficult to trace and to prosecute)
Motivation: financial gain
Impact on business: theft of information

INSIDER (intentional or unintentional)
Motivation: grudge, financial gain
Impact on business: disruption or destruction, theft of information, reputation loss

OPPORTUNISTIC (usually amateur criminals)
Motivation: desire for notoriety, profit from finding and exposing flaws in a network
Impact on business: theft of information

INTERNAL USER ERRORS (can damage critical company resources)
Motivation: none; accidental configuration mistakes
Impact on business: among the largest threats organizations face; a single mistake may damage one department or the whole company

STATE-SPONSORED (espionage and sabotage)
Motivation: political, economic and military advantage
Impact on business: disruption or destruction, theft of information, reputation loss

Page 3: SECURITY TESTING · leading web security standard “OWASP Testing guide” complemented by the custom security testing process and experience. We identify vulnerabilities that can

CYBERSECURITY SERVICES

Hacken provides a wide range of cybersecurity services that respond to the needs of clients. Our team employs the best specialists and technologies in the security industry to capitalize on extensive experience and to provide custom-tailored cybersecurity solutions for all businesses. Hacken delivers mature solutions that improve clients' operational and business performance by following a convergent, modern cybersecurity approach to IT infrastructure protection.


PENETRATION TESTING
Real-world threat scenarios, with the testing tailored to maximize its efficiency:
• Infrastructure Security Testing
• Web Security Testing
• Mobile Applications Security Testing

SOCIAL ENGINEERING
• Reconnaissance: research the target company
• Email phishing testing
• Vishing (voice phishing) and other methods, if needed

LOAD AND PERFORMANCE TESTING
Early discovery of bottleneck issues saves business reputation and money:
• Basic service with automated tools
• Custom-tailored service with tools and custom scripts

SMART CONTRACT SECURITY AUDIT
• Analysis of the functionality of smart contracts
• Checks against known vulnerabilities
• Basic, Expert, and Comprehensive Security Audit

ANTI-PHISHING SERVICES
• 24-hour protection for companies from phishing, pharming, and other impersonation attacks
• Fast detection and takedown of phishing websites and chat messages
• Takedown of fraudulent Google ads and fake social media accounts


PENETRATION TESTING

NETWORK AND SYSTEM TESTING APPROACH

Our approach is to identify the most serious risks and security flaws first and to focus on the less obvious areas as the project proceeds. First, we test the network for vulnerabilities from the outside, initially from the point of view of an uninformed attacker. We then gradually increase the amount of information given to the testers until we assume the role of a trusted user of the network trying to access an unauthorized resource or service. The following list provides additional details regarding the specifics of each access level.

The consistent deployment of this approach is ensured by the use of leading security solutions. Further, the expertise of our staff, combined with comprehensive work programmes that enhance quality control procedures, allows us to consistently deliver the best customer experience.

LAYER 1. External penetration testing (naive hacker)
• Establish whether unauthorized logical access can be gained via external network interfaces by a "naive" hacker who has limited or no previous knowledge of your network.

LAYER 2. External penetration testing (supplier/customer level access)
• Establish whether unauthorized logical access can be gained via external network components by a hacker who has the same level of access to the target production environment and other key systems as your customers and suppliers.

LAYER 3. Internal penetration testing (unauthorised user)
• Ascertain whether unauthorized access can be gained via internal penetration and audit testing of your systems by exploiting loopholes in your network's services and resources.
• Determine whether it is possible to manipulate key controls that protect your system(s).
• Assess whether existing procedures for responding to such breaches of security are adequate and effective.
• Assess the security of certain sensitive servers and workstations.

LAYER 4. Firewall and security systems review
• Analyze the effectiveness of the policies employed by your firewalls and administrative infrastructure.
• Review the configuration of the operating system to ensure secure implementation.
• Review the procedures and processes responsible for the monitoring and reporting of incidents on the firewall.
• Review network and host security components (e.g. IDS).


NETWORK, SERVERS AND INFRASTRUCTURE

According to the Cisco 2018 Annual Cybersecurity Report, 31% of security professionals said their organization has already experienced cyber attacks on OT infrastructure. Further, ransomware attacks are growing by more than 350 percent annually.

One of the most common vulnerability assessment activities for companies is penetration testing, which is a proven method of evaluating the security of your computing networks, infrastructure, and application weaknesses by simulating a malicious attack.

Our approach

We combine manual and automated techniques to unveil vulnerabilities that could exist in your networks. To ensure your security, we create real-world attack scenarios in a controlled and professional fashion. By imitating the attacks of real hackers, Hacken helps to ensure that your sensitive data is properly protected and that compliance requirements are met.

Key deliverables
• Consultant technical report with a detailed findings section
• Screenshots or a detailed description of how to reproduce each security issue
• Vulnerabilities ranked by risk level, CWE and CVSS v3.0 score
• Remediation recommendations and technical references

THE TESTING PROCESS

STAGE 1. RECONNAISSANCE
• Research external portal information
• Identify and confirm network targets

STAGE 2. NETWORK TESTING
• Network mapping and footprinting
• Identify and analyse the firewalls/gateways
• Exploit network exposures
• Augment the network security map

STAGE 3. HOST TESTING
• Scan hosts for security exposures
• Exploit standalone security exposures
• Decision point: any other hosts identified? YES: repeat host testing for them; NO: continue to scenario testing

STAGE 4. SCENARIO TESTING
• Perform the scenario analysis


WEB APPLICATION SECURITY TESTING

Many web apps process sensitive data such as user and financial information, which means they are of huge interest to cybercriminals. As web apps become increasingly complex, the range of exploitable vulnerabilities is rising: like all software, they inevitably contain defects.

Traditional network penetration tests and security reviews do not generally identify application-level vulnerabilities, and no automated tool alone can perform an adequate security assessment of a custom-built application.

The Verizon 2017 Data Breach Investigations Report found that "almost 60% of breaches involved web applications either as the asset affected, and/or a vector to the affected asset".

Our approach
Our approach is based on the latest version of the leading web security standard, the OWASP Testing Guide, complemented by our custom security testing process and experience. We identify vulnerabilities that can be used to steal funds or damage the reputation of the project.

Attack surface covered by the assessment:

THE USER
• Password management
• Social engineering
• Phishing
• Update management
• Waterhole attacks
• Data governance
• Administrative access

THE BROWSER
• Phishing
• Framing
• Clickjacking
• Man-in-the-Browser
• Buffer overflow
• Data caching

THE APPLICATION
• Cross-site scripting
• Weak input validation
• Brute force attacks
• Zero-day exploits
• Weak session management
• Vulnerable libraries
• Privilege escalation

THE BACKEND
Web server:
• Platform vulnerabilities
• Server misconfiguration
• Cross-site scripting
• Cross-site request forgery
• Weak input validation
• Brute force attacks
Database:
• SQL injection
• Privilege escalation
• Data dumping
• OS command execution


MOBILE APPLICATION TESTING

The number of mobile device users has been increasing significantly in recent years: more than half the world now uses a smartphone, and mobile applications have become an integral tool in our daily life. Therefore, protecting the data used by mobile applications has become critically important. The explosion of apps can be seen in just about every industry;

Hacken assesses the following application security mechanisms:
• Authentication
• Session management
• Input manipulation
• Output manipulation
• Information leakage

Attack surface covered by the assessment:

THE SYSTEM
Browser:
• Phishing
• Framing
• Clickjacking
• Man-in-the-Mobile
• Buffer overflow
• Data caching
Application:
• Sensitive data storage
• No / weak encryption
• Improper SSL validation
• Configuration manipulation
• Runtime injection
• Privilege escalation
• Device access
Phone / SMS:
• Baseband attacks
• SMS phishing
Operating system:
• Password management
• Jailbreaking / rooting
• OS data caching
• Data access
• Carrier-loaded software
• Zero-day exploits

THE NETWORK
Communication channels:
• No / weak Wi-Fi encryption
• Rogue access point
• Packet sniffing
• Man-in-the-middle
• Session hijacking
• DNS poisoning
• Fake SSL certificate

THE BACKEND
Web server:
• Platform vulnerabilities
• Server misconfiguration
• Cross-site scripting
• Cross-site request forgery
• Weak input validation
• Brute force attacks
Database:
• SQL injection
• Privilege escalation
• Data dumping
• OS command execution

Key deliverables: consultant technical report with detailed findings, remediation recommendations and technical references.


SECURE SOURCE CODE REVIEW

A secure code review involves manual and/or automated review of an application's source code to quickly identify security-related weaknesses in the code. Our Secure Source Code Review is a basic mechanism for validating the design and implementation of software. It also helps to maintain a level of consistency in design and implementation practices across projects and among the various modules inside a project.

Secure source code review can often find programming flaws and bugs such as format string exploits, race conditions, memory leaks, and buffer overflows, thereby improving software security. It improves the overall quality of the software and helps ensure that the application has been developed to be "self-defending" in its given environment.

Types of Secure Code Reviews & Analysis

We offer the following two types of review:

• Advanced Secure Code Review: security review of the client's code repositories by automated tools, with manual verification of the results.
• Expert Secure Code Review: line-by-line security review of the client's code repositories, where manual tests are performed to verify and expand the results of the automated tools.

Coupling Source Code Review and Penetration Testing (360° Review): the results of a source code review are used to plan and execute a penetration test, and the results of the penetration test are, in turn, used to inform additional source code review.

Our approach to delivering a Secure Source Code Review project:

1. Kickoff meeting: identify objectives. We want to learn about your application's use cases. For us it is critical to understand the types of bugs that are possible in the code we are reviewing. By understanding the context and setting clear objectives we can stay focused during the code review.

2. Automated static code review. Using the right tools is vital to the success of a code review. A static analysis tool automatically checks code for compliance with a predefined set of rules and best practices. A static analysis scan is a fast and efficient way to detect low-hanging fruit and hundreds of other vulnerabilities.

3. Manual review. In the next pass we read the source code line by line to identify and prioritize vulnerabilities. It is a tedious process that requires skill, experience, persistence, and patience. Vulnerabilities discovered, and subsequently addressed, through the manual review process can greatly improve an organization's security posture. The findings give your developers a good starting point when looking for common bugs and vulnerabilities in your code.

4. Reporting. Once the code review is complete, the next step is to prioritise the vulnerabilities in order of severity, so that the most serious ones get fixed before the less serious ones. You can then fix the bugs identified, and your development team can learn from them: how were these bugs found, and how were they fixed? This knowledge helps improve the code they write in the future.

Benefits of Secure Source Code Review
• Reduce the costs associated with security bug fixes by producing secure code at an early stage of the software development cycle
• Proactively harden your applications against malicious attacks
• Identify coding flaws and provide remediation guidance
• Validate security measures and processes against industry best practices
• Conduct security assessment of key applications and third-party software
• Satisfy compliance requirements such as PCI DSS and ISO 27001
• Educate developers on secure coding best practices
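Steps 2 and 4 of the review process above describe an automated static-analysis pass followed by ordering the findings by severity for the manual pass and the report. The following Python is an added illustration, not Hacken's tooling and not any particular commercial scanner: a small set of AST-based rules (hard-coded credentials, shell command injection, string-built SQL, unsafe deserialisation, weak hashes, non-cryptographic randomness) run over a constructed sample module. The rule names, severity scale and the sample source are assumptions made for the example.

```python
"""Added example of the automated first pass of a secure code review: a
handful of AST-based rules run over a constructed Python module, with the
findings ordered by severity for the manual pass and the report."""
import ast
from dataclasses import dataclass

SEVERITY_NAME = {3: "High", 2: "Medium", 1: "Low"}
SECRET_NAMES = ("password", "passwd", "secret", "token", "api_key")
SHELL_CALLS = {"subprocess.call", "subprocess.run", "subprocess.Popen"}
WEAK_HASHES = {"hashlib.md5", "hashlib.sha1"}
UNSAFE_LOADERS = {"pickle.load", "pickle.loads", "yaml.load"}


@dataclass
class Finding:
    rule: str      # CWE id and short name
    severity: int  # 3 = High, 2 = Medium, 1 = Low
    line: int
    detail: str


def _dotted_name(node):
    """Return 'pkg.attr' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _shell_true(call):
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)


class RuleVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def _add(self, rule, severity, node, detail):
        self.findings.append(Finding(rule, severity, node.lineno, detail))

    def visit_Assign(self, node):
        # CWE-798: string literal assigned to a credential-looking name.
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and any(
                        s in target.id.lower() for s in SECRET_NAMES):
                    self._add("CWE-798 hard-coded credential", 3, node,
                              f"string literal assigned to {target.id}")
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _dotted_name(node.func) or ""
        if name in ("eval", "exec"):
            self._add("CWE-95 eval injection", 3, node, f"{name}() call")
        elif name == "os.system" or (name in SHELL_CALLS and _shell_true(node)):
            self._add("CWE-78 OS command injection", 3, node,
                      f"{name} runs its argument through a shell")
        elif name in UNSAFE_LOADERS:
            self._add("CWE-502 unsafe deserialisation", 3, node, name)
        elif name.endswith(".execute") and node.args and isinstance(
                node.args[0], (ast.JoinedStr, ast.BinOp)):
            # Query text built with an f-string or concatenation, not parameters.
            self._add("CWE-89 SQL injection", 3, node,
                      "query assembled by string formatting")
        elif name in WEAK_HASHES:
            self._add("CWE-328 weak hash", 2, node, name)
        elif name.startswith("random."):
            self._add("CWE-330 non-cryptographic PRNG", 1, node, name)
        self.generic_visit(node)


def analyze(source):
    """Parse source text, run every rule, return findings High -> Low, then by line."""
    visitor = RuleVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: (-f.severity, f.line))


# Constructed sample module (assumption) with one instance of several weaknesses.
SAMPLE_SOURCE = '''
import os, hashlib, random
DB_PASSWORD = "hunter2"
def lookup(conn, user):
    cur = conn.cursor()
    cur.execute(f"SELECT * FROM users WHERE name = '{user}'")
    return cur.fetchall()
def digest(data):
    return hashlib.md5(data).hexdigest()
def run(cmd):
    os.system("ls " + cmd)
def token():
    return str(random.random())
'''

if __name__ == "__main__":
    for f in analyze(SAMPLE_SOURCE):
        print(f"{SEVERITY_NAME[f.severity]:6} line {f.line:>3}  {f.rule}: {f.detail}")
```

Rules like these are deliberately noisy: the SQL rule flags any formatted string passed to `execute`, including ones whose interpolated parts are constants, and the credential rule will match a test fixture. That is acceptable for the automated pass, whose output is triaged line by line in the manual pass, and it is why the ordering puts the High findings first.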


SMART CONTRACT AUDITING

The goal of an audit is to help customers find and fix security issues to protect the application from hacker attacks. Each smart contract contains unique business logic, and our audit checks whether a smart contract is vulnerable to known attacks, verifies whether it is free from logical or access control issues, and makes sure that it is compliant with the Solidity code style guide.

Team and experience

We are a team of high-level application security experts: every month we perform 5-10 security audits and share our professional knowledge at conferences all over the globe.

Key features of the service

Hacken provides clients with a detailed report that contains general project info, an executive summary, an as-is overview, an audit overview (highlighting all issues and suggesting solutions), a conclusion, and appendixes with evidence.

OUR APPROACH
• Security Audit (3-5 days)
• Expert Audit (1-2 weeks)
• Comprehensive Audit (2-4 weeks)

Hacken Smart Contract Security Audit: stages
01 PREPARATION
02 FUNCTIONALITY OVERVIEW
03 AUTOMATED TOOLS ANALYSIS
04 MANUAL ANALYSIS
05 FINAL STAGE
06 (OPTIONAL) SECONDARY AUDIT


SECURE SOFTWARE DEVELOPMENT

Training
At CyberSchool, developers study the fundamentals of secure development and secure testing, as well as the industry regulations and standards they need to understand.

Discovery (analysis, planning, evaluation)
Discovery starts with an analysis to uncover all aspects of the future system, which then enables us to evaluate the terms and resources needed to plan the development of the system.

System Design (research, prototype, design, system architecture, threat modeling)
System design starts with research and prototyping to find appropriate final design solutions. It ends with system architecture and threat modeling, to define the back-end basis and its possible weaknesses.

Secure Development (secure coding, secure delivery, secure testing)
Secure Development mitigates the risk from internal and external sources, integrates security practices into the software development lifecycle and verifies the security of developed components using secure development testing before they are deployed.

Acceptance and Maintenance
We provide real-time security acceptance and maintenance by engaging thousands of researchers who tirelessly test applications. This approach allows cybersecurity experts to find exceptional vulnerabilities from an attacker's mindset.


INCIDENT RESPONSE SERVICES

Hacken provides 24-hour protection for companies from phishing, pharming, and other impersonation attacks.

Key services
• Continuous monitoring of potentially dangerous domains that engage in impersonation
• Continuous monitoring of brand mentions from search engines, social networks (Twitter, Facebook, Instagram) and open chats on Telegram for instant phishing detection
• Abusive domain blocking and takedown: automated block and takedown, manual attack takedown
• Block and takedown of fake social media accounts (Twitter, Facebook, Instagram) using your brand
• Marking phishing wallets

Key deliverable: continuous brand name monitoring and protection from attacks and abuse.

HACKEN ANTI-PHISHING BOT

Keeps your Telegram channels and groups clean and secure, protects your community against phishers, and removes fraudulent links.

What it does:
• Welcomes new members
• Blocks links in two modes
• Anti-spam function
• Spam pre-checks
• Statistics monitoring
• Whitelist
• Blacklist
• Wallet recognition
• Fake Telegram groups warning
• Anti-admin phishing
• Stopword list
• Limits the activity of new users
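The bot features listed above (link blocking against a whitelist, wallet recognition, a stopword list, limits on new members and anti-admin phishing) all reduce to rules evaluated on each incoming group message. The following Python is an added example of such a filter; it is not the Hacken bot's code. The policy values, the brand and admin names, the sample messages and the regular expressions for hostnames and wallet addresses are assumptions made for the example.

```python
"""Added example: rule-based message filter of the kind an anti-phishing chat
bot runs on every group message. Assumed rules: link whitelist, brand-lookalike
domains, wallet addresses, stopwords, new-member link limit, admin impersonation."""
import re
from dataclasses import dataclass, field

# Hostnames such as hacken.io, blog.hacken.io/path, https://t.me/x (ASCII only; assumption).
DOMAIN_RE = re.compile(r"\b(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/?#]\S*)?", re.I)
ETH_ADDR_RE = re.compile(r"\b0x[a-fA-F0-9]{40}\b")
BTC_ADDR_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")


@dataclass
class Policy:
    whitelist: set            # domains (and their subdomains) that may be linked
    brands: set               # brand names to watch for lookalike domains
    stopwords: set            # lower-case phrases that mark a scam/spam message
    admins: dict              # admin user_id -> display name
    new_member_msgs: int = 5  # members with fewer prior messages count as new


@dataclass
class Message:
    user_id: int
    display_name: str
    text: str
    prior_messages: int = 0


@dataclass
class Verdict:
    allow: bool
    reasons: list = field(default_factory=list)


def _whitelisted(host, whitelist):
    return any(host == w or host.endswith("." + w) for w in whitelist)


def _lookalike(host, brands):
    """'hacken-airdrop.io' or 'hackenio.net' resemble the brand 'hacken'."""
    squashed = re.sub(r"[^a-z0-9]", "", host.lower())
    return any(b in squashed for b in brands)


def check_message(msg, policy):
    """Apply every rule and return a Verdict listing each reason that fired."""
    reasons = []
    text = msg.text.lower()
    for phrase in sorted(policy.stopwords):
        if phrase in text:
            reasons.append(f"stopword: {phrase}")
    if ETH_ADDR_RE.search(msg.text) or BTC_ADDR_RE.search(msg.text):
        reasons.append("wallet address in message")
    hosts = [m.group(1).lower() for m in DOMAIN_RE.finditer(msg.text)]
    is_new = msg.prior_messages < policy.new_member_msgs
    for host in hosts:
        if _lookalike(host, policy.brands) and not _whitelisted(host, policy.whitelist):
            reasons.append(f"brand lookalike domain: {host}")
        elif not _whitelisted(host, policy.whitelist):
            reasons.append(f"link to non-whitelisted domain: {host}")
        elif is_new:
            reasons.append(f"new member posted a link: {host}")
    # Anti-admin phishing: an admin's display name on a non-admin account.
    admin_names = {n.lower() for n in policy.admins.values()}
    if msg.user_id not in policy.admins and msg.display_name.lower() in admin_names:
        reasons.append("display name impersonates an admin")
    return Verdict(allow=not reasons, reasons=reasons)


# Constructed policy and messages (assumptions for the example).
POLICY = Policy(
    whitelist={"hacken.io"},
    brands={"hacken"},
    stopwords={"airdrop", "send 0.1 eth", "dm me"},
    admins={1001: "Hacken Support"},
)
SAMPLE_MESSAGES = [
    Message(2001, "alice", "Great audit report at https://blog.hacken.io/audit", 50),
    Message(3002, "Hacken Support",
            "Airdrop! Send 0.1 ETH to 0x1234567890abcdef1234567890abcdef12345678 "
            "and claim at hacken-airdrop.io", 0),
    Message(2001, "alice", "see e.g. v1.2 of the report, thanks", 50),
    Message(4003, "bob", "read https://hacken.io/blog", 1),
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        v = check_message(m, POLICY)
        print("ALLOW" if v.allow else "BLOCK", m.display_name, v.reasons)
```

The second sample trips five rules at once, which is typical of real scam posts and is why a bot should report every reason rather than stop at the first: the admin-impersonation hit is the one that tells moderators to also rename-lock the account, not just delete the message.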


SOCIAL ENGINEERING TESTING

According to the Verizon Data Breach Investigations Report (DBIR, 2017), 43% of the documented breaches involved social engineering attacks. That is almost half of the attacks, and it is important to remember that the report only includes reported and documented breaches. Notably, 66% of malware came from malicious email attachments.

Our approach
• Identify and gather entry points that can be used to attack a victim with social engineering
• Evaluate the effectiveness of the technical and organizational measures that counter social engineering attacks
• Improve or create the company privacy policy, and suggest a list of recommendations to eliminate the identified weaknesses

Social engineering combines a broad range of malicious techniques:
• Email phishing
• Fake or stolen accounts
• Pretexting
• Vishing
• SMShing (SMiShing)
• Baiting
• Spoofing

Testing process:
1. Research the target company
2. Select the victim
3. Develop the relationship
4. Exploit the relationship
5. Research summary


LOAD AND PERFORMANCE TESTING

"The Need for Mobile Speed", a report by DoubleClick (a Google subsidiary that develops and provides online ad-serving services), states that 53% of visits are likely to be abandoned if pages take longer than 3 seconds to load. Related statistics:
• 4.3% loss in revenue per visitor
• 3.75% reduction in clicks
• 1.8% drop-off in queries

What we provide
• Basic service: simulating load with automated tools
• Custom-tailored service: simulating load with tools and custom scripts

Our approach
Creating load scenarios, generating the load, detecting performance issues and analyzing the results. The testing examines the responsiveness, stability, scalability, reliability, speed and resource usage of your applications and infrastructure to see how well they handle user requests.

TESTING PROCESS:
01 Project assessment
02 Planning
03 Scripting
04 Test execution
05 Results analysis
06 Reporting
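The approach above is a loop of defining a load scenario, generating the load and analysing the results against a target. The following Python is an added example of that loop end to end, not Hacken's load-testing scripts or tooling: it starts a constructed stand-in HTTP service on a loopback port (an assumption standing in for the real system under test), drives it with a pool of concurrent workers, and reports median and p95 latency, error rate and a pass/fail against a latency budget. The endpoint names, request counts and the 50 ms and one-in-five failure behaviours are assumptions.

```python
"""Added example of a load-testing run: a constructed stand-in target, a
load scenario executed with concurrent workers, and latency/error analysis
against a p95 budget."""
import math
import statistics
import threading
import time
import urllib.error
import urllib.request
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class StandInHandler(BaseHTTPRequestHandler):
    """Constructed system under test (assumption, not a real service):
    /fast answers immediately, /slow adds 50 ms, /flaky fails every 5th call."""
    counter = 0
    lock = threading.Lock()

    def do_GET(self):
        if self.path == "/slow":
            time.sleep(0.05)
        if self.path == "/flaky":
            with StandInHandler.lock:
                StandInHandler.counter += 1
                n = StandInHandler.counter
            if n % 5 == 0:
                self.send_response(503)
                self.end_headers()
                return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):  # keep the run quiet
        pass


def start_target():
    """Serve the stand-in on an ephemeral loopback port; returns the server."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), StandInHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def hit(url, timeout=5.0):
    """One GET; returns (latency_seconds, http_status), status 0 on connection error."""
    start = time.perf_counter()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code
    except (urllib.error.URLError, OSError):
        status = 0
    return time.perf_counter() - start, status


def run_scenario(base_url, path, requests, concurrency, p95_budget_s):
    """Generate `requests` GETs to base_url+path with `concurrency` workers,
    then summarise: median and p95 latency, error rate, pass/fail vs budget."""
    url = base_url + path
    with ThreadPoolExecutor(max_workers=concurrency) as pool:
        results = list(pool.map(lambda _: hit(url), range(requests)))
    latencies = sorted(lat for lat, _ in results)
    errors = sum(1 for _, status in results if status != 200)
    p95 = latencies[max(0, math.ceil(0.95 * len(latencies)) - 1)]
    return {
        "path": path,
        "requests": requests,
        "p50_ms": round(statistics.median(latencies) * 1000, 1),
        "p95_ms": round(p95 * 1000, 1),
        "error_rate": errors / requests,
        "within_budget": errors == 0 and p95 <= p95_budget_s,
    }


if __name__ == "__main__":
    target = start_target()
    base = f"http://127.0.0.1:{target.server_address[1]}"
    for path in ("/fast", "/slow", "/flaky"):
        print(run_scenario(base, path, requests=20, concurrency=5, p95_budget_s=0.1))
    target.shutdown()
```

Two points the summary is designed to surface: a p95 rather than an average, because the slowest requests are what users abandon on, and an error rate that fails the scenario on its own, because a service that answers quickly by returning 503 has not passed a load test.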


CONTACTS

Zero Impact OÜ

[email protected]

zeroximpact.com

Head Office

Tallinn, Lasnamäe linnaosa,

Peterburi tee 47, 11415