Let your IT systems get hacked by our security experts.
Just like a malicious hacker would.
Penetration testing
From mobile applications all the way through network infrastructure
We create and design unique, custom attacks specific to your company and platform
Our testing is always done using industry best standards like OWASP's ASVS. Through these standards, we are able to help our clients in multiple industries: tech, media, hospitality, entertainment, retail, manufacturing and more. Within all these industries there is one important similarity: they all have data that needs to be protected.
This is where insighti steps in. We can do what the hackers can do; we just do it first. Then the holes can be fixed and future attacks can be prevented. It's OK to get hacked, as long as it's by the right team.
Our insight.
- Do you know the risks you face while using Docker?
- Did you know that some security guards are watching and yet can't see a thing? We use appropriate camouflage and props to execute our scenarios.
- The most commonly used port for data exfiltration is port 53.
- A camera remotely launched by a hacker does not make a distinctive sound when a picture is taken.
- The top prize for a malicious hacker is your system's resources (processor time, disk, connectivity); your data is a nice bonus.
- Improperly configured database user roles are a blessing for an attacker. Make sure you follow the principles of least privilege and implicit deny to create a strong access control policy.
- One of the first points of interest for an attacker will be backups. Treat them as being as valuable as live data and make sure they have at least the same level of security.
- Did you consider that your knock-off camera system could come bundled with intentionally designed backdoors straight off the production line?
- It takes less than an hour to run a complex 140 GB dictionary attack on a password hash. It only takes a web browser to download the RockYou dictionary. Do not let your users have dictionary-based passwords.
- You use an ORM in 98% of database interactions? We will find those 2% and hack you right there!
- Inter-process communication on newer Android platforms is a killer feature! Until you pass around OAuth refresh tokens to anyone who knows your package name. No authentication, just like that!
- Sometimes the deadliest security holes lie not within technology but in application logic. Are you confident in your password reset functionality? We have seen password resets relying on randomly generated secret user identifiers. Sounds great! Until you discover they inadvertently leak through a fringe feature of the system.
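The "2%" point above is usually a hand-written query that concatenates user input into SQL while the ORM handles the rest. As an added illustration (not code from the original page or from insighti), the snippet below keeps the deliberately vulnerable query next to its parameterised form and runs both against a constructed in-memory SQLite table, so the difference in returned rows is visible. The table, the rows and the probe string are all constructed for this example.

```python
import sqlite3

# Constructed sample data for the example; not from the original page.
SAMPLE_USERS = [
    (1, "alice@example.com", "admin"),
    (2, "bob@example.com", "user"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_by_email_unsafe(conn: sqlite3.Connection, email: str) -> list:
    """The hand-written '2%': user input is glued into the SQL text.

    Kept deliberately vulnerable so the hardened version can be compared
    against it; never use this shape in real code.
    """
    sql = f"SELECT id, email, role FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def find_by_email(conn: sqlite3.Connection, email: str) -> list:
    """Hardened version: the value is bound as a parameter and is never
    parsed as SQL, so quotes in the input cannot change the query."""
    return conn.execute(
        "SELECT id, email, role FROM users WHERE email = ?", (email,)
    ).fetchall()


# Constructed probe of the shape a tester feeds into the email field.
PROBE = "x' OR '1'='1"


def demo() -> dict:
    """Run both lookups with the probe and report how many rows each returns."""
    conn = make_db()
    return {
        # The tautology makes the WHERE clause always true: every row comes back.
        "unsafe_rows": len(find_by_email_unsafe(conn, PROBE)),
        # The probe is compared as a literal email address: no row matches.
        "safe_rows": len(find_by_email(conn, PROBE)),
    }


if __name__ == "__main__":
    print(demo())
```

A cheap review check is to search the code base for calls like `execute(f"` or `execute("..." % ` and `execute("..." + `; every hit is one of the "2%" and should be rewritten with bound parameters as above.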
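The password-reset point above is that a reset secret must not double as an identifier that can show up anywhere else in the system. As an added example (not code from the original page or from insighti), the class below issues a fresh, single-purpose token per request, stores only its SHA-256 hash, expires it after a fixed window and consumes it on first use, so a leaked user identifier or a dumped token table is not enough to reset an account. The 15-minute lifetime and the in-memory store are assumptions made for this example.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumed policy for the example: a reset link is valid for 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60


class ResetTokenStore:
    """In-memory store mapping sha256(token) -> (user_id, expires_at).

    Only the hash is kept, so a copy of the store (database dump, backup,
    log line) cannot be replayed as a valid reset token.
    """

    def __init__(self) -> None:
        self._by_hash: Dict[str, Tuple[int, float]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: int, now: Optional[float] = None) -> str:
        """Create a token for one reset request. The token is independent of
        the user's id, email or any other identifier used elsewhere."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._by_hash[self._digest(token)] = (user_id, now + TOKEN_TTL_SECONDS)
        return token  # sent to the user out of band; never stored in clear

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[int]:
        """Return the user id if the token is valid and unused, else None.

        The record is removed on the first redemption attempt, so a token is
        single use whether or not it has expired.
        """
        now = time.time() if now is None else now
        record = self._by_hash.pop(self._digest(token), None)
        if record is None:
            return None
        user_id, expires_at = record
        if now > expires_at:
            return None
        return user_id


if __name__ == "__main__":
    store = ResetTokenStore()
    link_token = store.issue(user_id=42)
    print("first redemption:", store.redeem(link_token))   # 42
    print("second redemption:", store.redeem(link_token))  # None
```

Because the hash of a 256-bit random token is looked up, the lookup key itself carries no information an attacker could guess, which is why a plain dictionary lookup is sufficient here; the hardening comes from the token being unguessable, short-lived, single use and unrelated to any identifier the application exposes elsewhere.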
Frequently asked, always answered.
The object of the test is not to disrupt service or damage any information. However, we cannot always predict how the system will respond to an exploit, so we recommend that operations personnel are ready and backups are available.
Being able to test on a production system usually provides the most accurate results, as any testing environment can differ slightly.
The simplest way to estimate a project and build a quote is to have someone from our team take a quick look at the environment to determine the size of the scope. We have found that this provides the most accurate result for the quoting process and allows the project to include the desired scope without being overpriced.
A penetration test is a security verification technique that attempts to find and exploit security vulnerabilities with the intent to improve or prove the security of a system. This often includes the manual work of designing and planning attack vectors that can combine one or more found vulnerabilities or known information. A vulnerability scan finds known vulnerabilities but cannot combine or exploit those vulnerabilities to further verify the security of a system.