With the reported breaches of SingHealth, Sephora, AXA Insurance, Uber, Red Cross, and many others, a spike in cyberattacks and cybercriminal activities could be clearly seen in Singapore since 2017. Studies claim that majority of the organizations reported a breach between 2018 and 2019, along with the major incident at the Ministry of Defence and Singapore Armed Forces (SAF). Reports also confirm a loss of $10,30,29,650 to scams from January to May 2020, and these security threats are estimated to increase every year. With such developments, all businesses in Singapore, whether small, medium, or large, should ponder whether the security assistance (penetration testing services) they have acquired or may approach in the near future provides holistic support. To answer the question, we attempted to take a brief look at the current cybersecurity options for Singapore’s local businesses, especially those claims to providing penetration testing. These security providers are acknowledged and considered by every cybersecurity expert to lie at the core of any security solution applied to business.
What is penetration testing? How is it done?
Penetration testing identifies and detects vulnerabilities in an organization’s digital space by attacking its security infrastructure through non-malicious means. The process is aimed at strengthening the organization’s IT and security infrastructure. Penetration testing involves a lot of planning or reconnaissance before initiating the test. The process is also known as vulnerability assessment, which consists of the identification of vulnerabilities by using various tools and techniques within the defined boundaries established by penetration testing protocols. Together, vulnerability assessment and penetration testing (VAPT) is also known as ethical hacking.
Why does your business need penetration testing?
With penetration testing being conducted at regular intervals, organizations can identify the loopholes in their IT infrastructure and put up the right security controls to fill in the security gaps. The process enables your business to detect potential cyberattacks and security threats and patch them before attackers can misuse them.
Penetration Testing in Singapore
To understand the current situation of vulnerability assessment and penetration testing services in Singapore, we looked at the top 20 cybersecurity service providers located in Singapore. They were all certified by CREST, a non-profit organization that provides accreditation and certification for information security service, knowledge, methods, and practices. Though organizations can acquire penetration testing services from providers established overseas, there are many benefits for choosing a regional one over the former, such as understanding business concerns, synchronized communications, etc.
What are the different types of penetration testing?
Considering the same sample of third-party cybersecurity service providers, we gathered the following data from their websites against different penetration testing domains:
Web Application Penetration Testing: It involves testing web applications by initially mapping the site for reconnaissance and then looking for open ports, misconfigured settings, login pages, and online forms (credential stuffing). It can either be classified as basic or advanced, which tests with SQL injections, cross-site scripting (XSS), encryption flaws, XML injections, and other attack forms. Being the most common and basic among other domains, all the reviewed organizations claimed to provide web application penetration testing.
External Network Penetration Testing: This service involves testing an organization’s network and infrastructure facing the external internet where open ports, firewalls, routers, switches, and every other live host are found on the network. Like web application penetration testing, every cybersecurity service provider claims to offer this service.
Wireless Penetration Testing: The growth in technology has helped every organization to incorporate wireless technology into its operations. This service tests for weak passwords or passphrases (for CDP, WEP, SNMP, and WPA protocols), encryptions, wireless devices, etc., through establishing access points as a lure for connection of less protected devices. Unlike the previous services, not all service providers offer wireless penetration testing.
From the reviewed websites, a majority of the service providers do not provide or describe the wireless penetration testing as service, which is a serious concern for medium- and large-scale organizations that generally have more wireless technology incorporated into their business operations.
Internal Penetration Testing: This service aims at testing your information security and assets for vulnerabilities from within the system. These vulnerabilities are popularly known as internal threats. Internal penetration testing also relies on social engineering to test your employee’s ability to recognize and respond to a threat. Surprisingly, 85% of the security service providers’ websites did not list internal penetration testing among their other services.
Cloud Penetration Testing: The popularity of cloud services is increasing exponentially as more organizations are adopting it. The continuous flow of information between two different layers, i.e., the organizations and cloud service providers, creates a high probability of vulnerabilities. Penetration testing in the cloud involves applications, storage, data access, password, virtualization, etc. Unfortunately, 90% of the service providers in Singapore do not list or provide cloud penetration testing among their other assessment services.
Mobile Application Penetration Testing: This service involves the assessment of the operating system (OS) and application mapping prior to its runtime, checking vulnerabilities against TCP, HTTP, and other attacks. As mobile security is not as robust as that of a PC, infecting a mobile is rather easy than to attack an organization or an individual. As mobiles are part of everyone’s daily life with new applications being installed frequently, it is surprising to find that only 50% of cybersecurity services in Singapore provide mobile application penetration testing. Without this test, many possible vulnerabilities like insecure APIs, sensitive file artifacts, plain text traffic, and SQL injections could be exploited by the threat actors.
Remote Access Penetration Testing: The COVID-19 pandemic compelled organizations across the globe to provide IT services by making their employees work from home. Multiple cases of attacks on the remote workers were noticed initially and only increased from after that. As many IT employees work remotely, the threat of attackers gaining access through their remote connection is increasing. Thus, with penetration testing, the remote access could prove helpful, but unfortunately, this option is out of reach for many Singapore employees as 90% of the reviewed websites either do not provide or stress on the implementation of remote penetration testing service.
IoT Penetration Testing: An IoT penetration test could be defined as the assessment and exploitation of different IoT device components to detect vulnerabilities. This process is diverse and complex as IoT itself involves multiple layers like physical link, network, database, cloud, applications, storage, etc., implying that tests across all these layers could be termed in the true sense as the IoT penetration testing. The advancement in technology has made it possible to incorporate IoT in an organization’s infrastructure. Many IoT uses applications developed by a third-party organization; thus, implying the need for IoT penetration testing to secure any IoT infrastructure. Only 20% of the reviewed organizations provide or advertise IoT penetration testing among their other services.
Social engineering and physical penetration testing: Social engineering attacks lie at the core of any malware attack as 90% of malware is delivered via email phishing. With social engineering attacks on the rise since 2017, measuring the level of security awareness amongst your employees is an effective method to test and identify the risk at your organization due to social engineering. But unfortunately, this option is out of reach for many Singapore organizations, as 80% of the reviewed websites either do not provide or stress on the implementation of social engineering and physical penetration testing.
A Comprehensive Approach with EGS Penetration Testing Service
Our penetration testing services, which utilize a wide range of methodologies, help both the tester and the organization find vulnerabilities that are normally difficult to identify. It allows the penetration tester to step in the shoes of a malicious attacker to simulate a cyberattack against the organization’s security infrastructure to search for vulnerabilities, which upon identification could be patched by the security engineers. For organizations in Singapore and elsewhere, our holistic approach deals with
- Intelligence-led Red Teaming
- Blue Teaming
- Purple Teaming
- Cloud Penetration Testing
- Network Penetration Testing
- Wireless Penetration Testing
- Internal Penetration Testing
- Remote Penetration Testing
- Mobile Penetration Testing
- Web Application Testing
- IoT Penetration Testing
- Social Engineering
- Physical Penetration Testing
EGS services are designed to equip your security infrastructure with the best security solutions. We help you build and develop a threat-aware program that ensures the safety of your organization’s information system from intrusions.