Vulnerability Scanning & Penetration Testing

Vulnerability Scanning

Nowadays, most organizations use websites to reach customers and provide services. However, failing to take care of information security will result in damaging reputation and losing fortune. Furthermore, websites and other types of public servers are often channels for attackers to penetrate internal systems, steal sensitive information, perform denial of service attacks, install malicious software, and cause many other intractable problems for companies.

The most basic way to identify vulnerability of websites is to do vulnerability scanning. It’s an automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened. After performing vulnerability scanning, we will provide clients with detailed guidance in fixing problems.  Besides web servers, we help companies identify security vulnerabilities of their routers, databases, web application firewalls, and other network equipment. Our vulnerability scanning service can detect if clients’ systems are vulnerable to SQL injection, cross-site scripting, cross-site request forgery, denial of service, etc.  We also check if companies’ websites comply with international standards and other strict information security standards. 

Aiming at providing the most advanced technology for customers, Ray Aegis Information Security’s lab keeps adding unique and modern testing data to the scanning database, including zero-day tests. Clients could feel relieved because Ray Aegis owns the most complete and modern testing database in the world, and we will deliver the most complete report to customers.

We mainly use RayScanner to do vulnerability scanning, and according to customers’ needs, we can also integrate results from different commercial and open source vulnerability scanners. The delivered reports will rank vulnerabilities based on severity, and detailed steps of fixing problems will be included as well.

Penetration Testing

Doing a well-organized penetration test by a professional team gives you the chance to know what attackers will do and the consequences of such attacks. These are some benefits of doing penetration tests:

  • Analyzing weak points of your information systems and then fix or mitigate problems
  • Determining feasibility of certain attack vectors and doing risk assessment
  • Discovering both known and unknown vulnerabilities 
  • Identifying higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited
  • Finding problems that are hard or impossible for automatic tools like vulnerability scanner to detect
  • Assessing the magnitude of potential business and operational impacts of successful attacks

In addition to the above advantages, we also find subtle vulnerabilities, which can’t be detected by software but manipulated by information security experts. Besides standard testing, we execute the evaluation with our zero-day database, which is the key that we are different from other information security companies.

The test will deeply analyze both known and unknown hardware or software flaws, and operational weaknesses in process or technical countermeasures, so our clients have the chance to fix or mitigate vulnerability, before something goes wrong. We use RayInvader, RayScanner, and a set of software tools to emulate cyber attacks and identify weakness in the network infrastructure of clients. Our penetration test follows OWASP and OSSTMM standards. With the tools and standards, we make the test best practice, minimizing both false negatives and false positives.

Penetration test (i.e., ethical hacking) is a mechanism that examines effectiveness of security controls in the company from hackers’ perspectives. We provide both external and internal penetration test for customers. Our external penetration test emulates an attacker sitting on the Internet and tests the security of the systems that are connected to the Internet. Common targets of the test are customers’ websites. This scenario represents typical cyber attacks, as most attackers are from the Internet, and they own less privilege and information than insiders. On the other hand, in internal penetration test, we simulate an attack from the inside of the organization. The insider threat is usually characterized as an employee performing malicious behavior-through sabotage, stealing data or physical devices, or purposely leaking confidential information, and it usually causes more catastrophic results than external hackers. The main objective of internal penetration test is to evaluate the security of the internal infrastructure and procedures, in particular the security of the equipment that is not publicly accessible but processes, stores, or transmits sensitive information that can be accessed by personnel connected to the internal network. Attackers sitting on the Internet may also gain privilege in local area network of an organization using many kinds of techniques, for example, social engineering attacks. To achieve defense in depth, both external and internal penetration tests are necessary. Our penetration test flowchart is as follows.

Please note that for organizations, which needs strong security, we suggest that at least do penetration test two times a year. When configurations or applications are changed, a complete testing is necessary as well.

Ray Aegis Information Security owns complete testing database for customers and the database is keep growing with modern technology. Our elite team members check problems manually and get support from the most advanced tools, so clients’ information systems can be examined under the strictest conditions.