Build a Risk-Free System with Pen Testing
Multiple cybersecurity studies have reported an exponential rise in digital threats in Malaysia. Some experts estimate the increase to be a staggering 82.5% during the Movement Control Order (MCO). Busineses of all scales (small, medium, and large) are highly susceptible to these cyber threats. In less than a month, over 800 security incidents were reported across Malaysia, including Kuala Lumpur, Seberang Perai, George Town, Ipoh, Shah Alam, and Melaka. To deal with such incidents, businesses in Malaysia need credible penetration testing services. To assess the current penetration testing options available to Malaysian business, we conducted a brief review of some of the widely known cybersecurity service providers in Malaysia.
What Is Penetration Testing and How Is It Done?
Penetration testing is defined as the process of detection and analysis by assuming the role of a hacker. The penetration tester then attempts to penetrate an organization’s security infrastructure under a controlled environment. In the process of testing or prior to it, the penetration tester (also known as a white-hat hacker or an ethical hacker) conducts a vulnerability assessment to find any security gaps. The professional then tries to exploit them to assess their impact on the organization’s security and other functions. The primary focus of penetration testing is to strengthen the organization’s IT and security infrastructure by fixing any vulnerabilities identified in the process. Vulnerability assessment and penetration testing (VAPT) are together called ethical hacking, which involves the phases of detection, testing, and reporting the results under a controlled and monitored environment. Depending upon the domains, approach, and layers in the complex architecture of any digital entity the test is being conducted in, penetration tests could be classified as:
Web Application Penetration Testing: It involves testing vulnerabilities and exploiting them to assess their potential impact on the organization. For reconnaissance purposes, the sites are mapped to detect the vulnerabilities and then test SQL injections, cross-site scripting, encryption flaws, XML injections, credential stuffing, etc. on open ports, misconfigured settings, login pages, and online forms. This is the most common service provided by cybersecurity service providers.
External Network Penetration Testing: As the name suggests, penetration tests are conducted on the parts running on external internet and open ports, firewalls, routers, switches, and other hosts on the network. This involves a lot of preparation and multiple tools, one of which is the widely known NMap, an open-source tool used to map the network to discover hosts and services running on the network.
Wireless Penetration Testing: This service tests the wireless technology involving wireless protocols like CDP, WEP, SNMP, and WPA, incorporated in an organization’s infrastructure. Wireless penetration services test for weak passwords or passphrases, encryptions, wireless devices, etc. These tests also identify and fix the coding mistakes which occur during the development stage.
Internal Penetration Testing: This service aims to test your information security and assets for vulnerabilities within the organization or internal network. It relies on social engineering to verify an employee’s capability to recognize and respond to a security threat or an attack.
Cloud Penetration Testing: With the increasing popularity of cloud computing the corresponding risk of a breach has also increased. As most cloud services are usually provided by a third-party vendor, there is a layer between the service provider and the client through which continuous information flows. The cloud penetration service tests for any misconfiguration or vulnerabilities in this layer, along with the cloud-based applications, storage, data access, password, virtualization, etc.
Mobile Application Penetration Testing: Mobile penetration testing involves assessment of the operating system (OS) along with mapping the mobile-based application before testing client-side security, file system, hardware, and network security. The ethical hacker analyzes the source code and test for runtime, TCP, HTTP, SQL injection attacks against insecure APIs, sensitive file artifacts, plain text traffic, etc.
Remote Access Penetration Testing: The COVID-19 pandemic has led to employees of organizations across the globe to work remotely from their homes, which has also led to an opportunity for attackers to take aim at these remote connections, i.e., the virtual private networks (VPNs). Multiple cases of attacks on remote workers were noticed in the first half of 2020, and experts expect an increment in these attacks. With many IT employees working remotely, it has become necessary for organizations to test their remote access for vulnerabilities through remote penetration testing and fix them.
IoT Penetration Testing: An Internet of Things (IoT) penetration test can be defined as the assessment and exploitation of different IoT device components to detect vulnerabilities. This process is diverse and complex as IoT itself includes multiple layers like physical link, network, database, cloud, applications, storage, etc., implying that tests across all these layers could be termed in the true sense of the IoT penetration testing. The advancement in technology has made possible the incorporation of IoT in an organization’s infrastructure. As a third-party organization develops most of these IoT applications, there is a need for IoT penetration testing to secure IoT infrastructure.
Social Engineering and Physical Penetration Testing: As the majority of malware is delivered by e-mail phishing, social engineering attacks lie at the core of any malware or ransomware attack, and the businesses are under a continuous security threat. With social engineering attacks on the rise since 2017, understanding your employee’s level of security awareness proves an effective method to identify and mitigate potential social engineering risks to your organization.
Why Does Your Business Need Penetration Testing?
Businesses need to conduct penetration testing at regular intervals to identify the loopholes in their existing infrastructure and put up the right security controls. The process enables your business to detect potential cyberattacks and release a patch to fix the security gaps.
What Is Vulnerability Assessment?
Vulnerability assessment is defined as the structured review of any organization’s security infrastructure to detect vulnerabilities and assess the degree of risk it possesses to its operations and security. Vulnerability assessment is conducted based on a structured security guideline. It simultaneously utilizes an extensive set of tools to help organizations identify, classify, and address vulnerabilities across their security posture. The vulnerability assessment stages involve risk assessment, security posture review, patch fixing, and comprehensive reporting.
Penetration Testing in Malaysia
To understand the current situation of vulnerability assessment and penetration testing service options for businesses in Malaysia, we reviewed the top 17 cybersecurity service providers against the penetration testing type described above. All the reviewed organizations were located in Malaysia and accredited by CREST, a non-profit organization providing accreditation and certification on information security services, cybersecurity knowledge, methods, and practices. However, every organization doesn’t incorporate services from the regional provider and may opt for global and overseas security service providers. In this case, the third-party vendors do not have the necessary regional details of their clients. Thus, there is no harm in assuming the current cybersecurity state of a country can be estimated by looking at the number of security service providers. Logically, the increasing cyber risks in a country should directly affect the establishment and populace of the security service providers. The following results could be concluded by reviewing the websites of the selected organizations against the different types of penetration testing services provided.
- Only 76% of the service providers, provided web application penetration testing to help organizations in Malaysia mitigate and detect vulnerabilities.
- All the cybersecurity organizations provided or advertised external and network penetration testing.
- More than 58% of service providers do not provide or advertise wireless penetration testing.
- Nearly 95% of the organizations did not provide or incorporate internal penetration testing into their websites, along with their other services.
- Only 11.76% of service providers are capable of helping organizations in Malaysia with cloud penetration testing.
- More than 50% of the organizations did not provide or list mobile penetration testing among their other services.
- Only 6% of the service providers provided remote access penetration testing.
- Nearly 94% of the service providers did not provide or list IoT penetration testing among their security services.
- Only 47% of the reviewed cybersecurity organizations provided social engineering and physical penetration testing.
- More than 82% of the service providers did not provide security awareness and related training.
A Comprehensive Approach with EGS Penetration Testing Service
EC-Council Global Services (EGS) provides multiple solutions tailored to the need of the client organization, helping them protect, detect, and respond to potential threats. EGS’ penetration testing service offers a comprehensive solution that caters to all your penetration testing needs. Our penetration testing services utilize a wide range of methodologies which helps organizations detect vulnerabilities that are normally difficult to identify. Our red team steps into the shoes of a malicious hacker to try and attack the client organization’s security infrastructure similar to that of an actual hacker (but under a controlled environment) to detect and exploit vulnerabilities. Upon identification of gaps, the holes could be patched by the organization’s security engineers.
For organizations in Malaysia and elsewhere, our holistic penetration testing approach includes intelligence-led red teaming, blue teaming, purple teaming, cloud, network, wireless, internal, external, remote, mobile, web application, IoT, and social engineering. Also, being part of the EC-Council group EGS services are partnered with OhPhish, which has a proven track record of testing employees on different types of phishing and social engineering attacks. EGS services are designed to better equip your security infrastructure by helping your organizations build and develop a threat-aware program that ensures the safety of your organization’s information system from intrusions.