Build a Risk-Free System with Pentesting
Multiple cybersecurity studies have reported an exponential rise in digital threats in Malaysia. Some experts estimate the increase to be staggering 82.5% during the Movement Control Order (MCO). The business of all scale (small, medium, and large) are highly susceptible to these cyber threats. In less than a month, over 800 security incidents were reported across Malaysia, including Kuala Lumpur, Seberang Perai, George Town, Ipoh, Shah Alam, and Melaka. To deal with such incidents, businesses in Malaysia need credible penetration testing services. To assess the current penetration testing option available to the Malaysian business, we conducted a brief review of some of the widely known cybersecurity service providers in Malaysia.
What is penetration testing? And How Is It Done?
Penetration testing is defined as the process of detection and analysis by assuming the role of a hacker. The penetration tester then attempts to penetrate an organization’s security infrastructure under a controlled environment. In the process of testing or prior to it, the penetration tester (also known as a white-hat hacker or an ethical hacker) conducts a vulnerability assessment to find any security gaps. The professional then try to exploit them to assess their impact on the organization’s security and other functions. The primary focus of penetration testing is to strengthen the organization’s IT and security infrastructure by fixing any vulnerabilities identified in the process. Both vulnerability assessment and penetration testing (VAPT) together is called ethical hacking, which involves the phases of detection, testing, and reporting the results under a controlled and monitored environment. Depending upon the domains, approach, and layer in a complex architecture of any digital entity, the test is being conducted, penetration tests could be classified as:
Web Application Penetration Testing: It involves testing vulnerabilities and exploiting them to assess their potential impact on the organization. For reconnaissance purposes, the sites are mapped to detect the vulnerabilities and then test SQL injections, cross-site scripting, encryption flaws, XML injections, credential stuffing, etc. on open ports, misconfigured settings, login pages, and online forms. This the most common service provided by and cybersecurity managed service providers.
External Network Penetration Testing: As the name suggests, penetration tests are conducted on the parts running on external internet and open ports, firewalls, routers, switches, and other hosts on the network. This involves a lot of preparation and multiple tools, one of which is the widely known NMap, an open-source tool used to map the network to discover hosts and services running on the network.
Wireless Penetration Testing: This service tests the wireless technology involving wireless protocols like CDP, WEP, SNMP, and WPA, incorporated in an organization’s infrastructure. Wireless penetration service tests for weak passwords or passphrases, encryptions, wireless devices, etc. These tests also identify and fix the coding mistakes which occur during the development stage.
Internal Penetration Testing: This service aims to test your information security and assets for vulnerabilities within the organization or internal network. It relies on social engineering to verify an employee’s capability to recognize and respond to a security threat or an attack.
Cloud Penetration Testing: With the increasing popularity of cloud computing as more organizations are moving their data to the cloud, the corresponding risk of a breach has also increased. As most cloud services are usually provided by a third-party vendor, there is a layer between the service provider and the client through which continuous information flows. The cloud penetration service tests for any misconfiguration or vulnerabilities in this layer, along with the cloud-based applications, storage, data access, password, virtualization, etc.
Mobile Application Penetration Testing: Mobile penetration testing involves assessment of the operating system (OS) along with mapping the mobile-based application before testing client-side security, file system, hardware, and network security. The ethical hacker analyses the source code and test for runtime, TCP, HTTP, SQL injection attacks against insecure APIs, sensitive file artifacts, plain text traffic, etc.
Remote Access Penetration Testing: The COVID-19 pandemic has led to employees of many organizations across the globe to work remotely from their homes, which has also led to an opportunity for the attackers to aim at these remote connections, i.e., the virtual private networks (VPNs). Multiple cases of attacks onto the remote workers were noticed in the first half of the year 2020, and experts expect an increment in these attacks. With many IT employees working remotely, it has become necessary for organizations to test their remote access for vulnerabilities through remote penetration testing and fix them.
IoT Penetration Testing: An Internet of Things (IoT) penetration test can be defined as the assessment and exploitation of different IoT device components to detect vulnerabilities. This process is diverse and complex as IoT itself includes multiple layers like physical link, network, database, cloud, applications, storage, etc., implying that tests across all these layers could be termed in the true sense of the IoT penetration testing. The advancement in technology has made possible the incorporation of IoT in an organization’s infrastructure. As a third-party organization develops most of these IoT applications, there is a need for IoT penetration testing to secure IoT infrastructure.
Social Engineering and Physical Penetration Testing: As the majority of malware is delivered by e-mail phishing, social engineering attacks lie at the core of any malware or ransomware attack, the businesses are under a continuous security threat. With social engineering attacks on the rise since 2017, understanding your employee’s level of security awareness proves an effective method to identify and mitigate potential social engineering risks to your organization.
Why do your business penetration testing?
Businesses need to conduct penetration testing at regular intervals to identify the loopholes in their existing infrastructure and put up the right security controls. The process enables your business to detect potential cyberattacks and release a patch to fix the security gaps.
What is Vulnerability Assessment?
Vulnerability assessment is defined as the structured review of any organization’s security infrastructure to detect vulnerabilities and assess the degree of risk it possesses to its operations and security. Vulnerability assessment is conducted based on a structured security guideline and simultaneously utilizing an extensive set of tools to help organizations identify, classify, and address vulnerabilities across their security posture. The vulnerability assessment stages involve risk assessment, security posture review, patch fixing, and comprehensive reporting.
Penetration Testing in Malaysia
To understand the current situation of vulnerability assessment and penetration testing service options for businesses in Malaysia, we reviewed the top 17 cybersecurity service providers against the penetration testing type described above. All the reviewed organizations were located in Malaysia and accredited by CREST, a non-profit organization providing accreditation and certification on information security service, cybersecurity knowledge, methods, and practices. However, every organization doesn’t incorporate service from the regional provider and may opt for global and overseas security service providers. In this case, the third-party vendors do not have the necessary regional details of their clients. Thus, there is no harm to assume the current cybersecurity state of a country can be estimated by looking at the number of security service providers. Logically, the increasing cyber risks in a country should directly affect the establishment and populace of the security service providers. The following results could be concluded by reviewing the websites of the selected organizations against the different types of penetration testing services provided.
- Only 76% of the service providers, provided web application penetration testing to help organizations in Malaysia mitigate detect vulnerabilities.
- All the cybersecurity organizations provided or advertised external and network penetration testing.
- More than 58% of service providers do not provide or advertise wireless penetration testing.
- Nearly 95% of the organizations did not provide or incorporate internal penetration testing into their websites, along with their other services.
- Only 11.76% of service providers are capable of helping organizations in Malaysia with cloud penetration testing.
- More than 50% of the organizations did not provide or list mobile penetration testing among their other service.
- Only 6% of the service providers, provided remote access penetration testing for the business in Malaysia to avail.
- Nearly 94% of the service providers did not provide or list IoT penetration testing among their security services.
- Only 47% of the reviewed cybersecurity organizations provided social engineering and physical penetration testing.
- More than 82% of the service providers did not provide security awareness and related training.
A comprehensive approach with EGS Penetration testing Service
EC-Council Global Service (EGS) provides multiple solutions tailored to the need of the client organization and helps them protect, detect, and respond to potential threats. EGS penetration testing service offers a comprehensive solution that caters to all your penetration testing needs. Our penetration testing services utilize a wide range of methodologies, which helps the organization detect vulnerabilities that are normally difficult to identify. Our red team steps in the shoe of a malicious hacker to try and attack the client organization’s security infrastructure similar to that of an actual hacker (but under a controlled environment) to detect and exploit vulnerabilities. Upon identification of gaps could be patched by the organization’s security engineers.
For organizations in Malaysia and elsewhere, our holistic penetration testing approach includes intelligence-led red teaming, blue teaming, purple teaming, cloud, network, wireless, internal, external, remote, mobile, web application, IoT, and social engineering. Also, being the part of the EC-Council group EGS services are partnered with OhPhish that has proven records of testing the employees of different types of phishing and social engineering attacks. EGS services are designed to better equip your security infrastructure by helping your organizations build and develop a threat-aware program that ensures the safety of your organization’s information system from intrusions.