Ethical security testing is performed by our experts in coordination with the
customer and in accordance with the customer’s requirements in each event. Its
objective is to explore the security loop holes and inadequacies in the customer’s
Ethical hacking steps
Its objective is to collect information on the customer's system through different
channels. Many people think that intrusions into the computer network originate
in system errors exploited by intruders. However, in reality the security of a
system is not only threatened by the errors of the system elements but also by
the other inadequacies traceable in the other elements constituting part of the
system. Human resources and physical insurance are also such elements. Information
which can be gained through human resources quite often helps the attacker in
avoiding the security barriers, such as firewalls or intrusion detection systems.
The credulousness or lack of alertness by computer users often facilitates an
easy intrusion into a protected system, even in situations when the attacker is
not authorized to access at all.
Technical information technology testing
The technical security checking comprising of the following activities is performed
on the basis of the information gained by social engineering.
External intrusion testing
In the course of the external intrusion testing a simulated attack is performed
against the customer's network, mainly aiming at exploring any system errors.
In the course of the testing, tools which are accessible to anyone are intended
to be used so that the generality of the test can be ensured. A continuous contact
shall be kept between the representatives of the two companies for the purpose
of coordinating certain points. The testing can be divided into several stages,
such as mapping investigation, passive exploration, general, low risk level testing,
specific and high risk level testing.
Synergon Information Systems Plc. creates a journal on each point of the performed
tests so the events can be exactly traced during occasional control tests in the
future. The derived test results are interpreted, the interpreted material is
handed over consisting not only of the explored problems and inadequacies, but
the solutions to them as well. The test results are also handed over as appendices
to the document, comprising of the recommendations required for correction.
Internal system testing
In the course of the testing, Synergon Information Systems Plc.’s experts aim
at mapping the system and its vulnerable points from the customer’s internal system
side. The unauthorized intruder attempting an attack from outside either stops
or starts a systematic mapping after a successful intrusion. Synergon Information
Systems Plc. starts the system testing with the knowledge of the basic system,
since the external attacker may come across any kind of information and employees
may also have extensive information about things.
Unfortunately, the significant ratio of attacks committed starts from within
the company’s own network. So, in the course of the testing, information is intended
to be gained from the internal network taking in consideration that the tested
network is an internal network. Although the smoothness of the internal work shall
also be observed, everything shall be tested in a systematic manner, which may
require a relatively long time due to an extended field or the applied systems.
The external testing concerns only a couple of machines which are under complete
supervision, while the devices located on an internal LAN network often meet only
less tight requirements.
Server and network resource testing
This phase contains the lowest risk factor in the course of the testing. The
implemented network is scrutinized together with the supervision of the entire
documentation in the course of the testing. This is based on personal consultation,
where Synergon Information Systems Plc.’s experts appear on the site and inspect
the settings of certain software. This requires the constant presence of an expert
on the customer’s side who has an adequate knowledge of the system and the rights
and authorizations to provide information on the use of the devices constituting
the object of the inspection and to give the required authorization for the person
performing the testing. Documentation is compiled as a result of the testing on
the condition of the system(s) and the recommendations for modifications. The
testing makes only recommendations but does not modify the system, unless authorized
to do so in a written form. The testing result can be compared to the system documentation
and provides a good basis for a procedural audit. The testing is mainly extended
to firewalls, servers, routers, but upon request, to workstations as well.