A Pentest, also known as a Penetration Test, is often performed by experts or hackers who are hired to break into an organization's secured network systems. In the industry, ethical hacking is the only authorised way to simulate and predict potential cyber attacks on a company’s computer systems and its private and confidential information.
A similar test, the Vulnerability Assessment, is also regularly performed on the computer systems of banks, government agencies, large geographically distributed companies with multiple locations and systems, and just about any company that works with a large database of private and confidential information.
Don’t confuse vulnerability assessments with a Pentest. A vulnerability assessment scans the system for loopholes and known vulnerabilities so they can be fixed before they lead to misuse or unauthorized access.
A penetration test ACTIVELY puts the system under a ‘stress test’, attempting to exploit the company’s own computer systems and environment so that the weaknesses can be identified and the system protected against them. While a vulnerability assessment can be automated and conducted with tools and software, a penetration test takes the exercise to a whole new level, often requiring the help of professionals and specialised penetration tools.
How Do Pentests Work in Malaysia?
A penetration test usually starts with targets and goals. Before the test is carried out, the company equips the testing team (or tool) with background information about the system, which may be described in full or treated as a black box. A target is set, and the testers attempt to break into the secured system using various means and innovative, creative techniques.
The test helps the company decide whether its existing defences are adequate and prepares it for potential cyber attacks. The loopholes found are then reported to the organization together with suggested measures to reduce the risk.
Many organizations perform this test to ensure their security system is almost impenetrable against ill-intended unauthorized access to the company’s private and confidential information.
A Pentest should be done, and is quite an important aspect of IT security, because it identifies processes in the system and shows how adversaries can exploit lax security settings. Pentests should be repeated regularly, as the threat landscape and attacker techniques evolve over time.
Find the Right Company to Perform Penetration Test for You
In Malaysia, as in the rest of the world, Pentests are usually done by a third-party vendor rather than internal staff, because for the Pentest to be meaningful it must be run objectively, free of conflicts of interest.
This requires complete trust in the party performing the penetration test. An experienced, reliable tester should shoulder the task, chosen for the breadth and depth of their knowledge and their ability to think and probe abstractly, the way a real malicious actor would when trying to compromise the system.
Once you’ve found the right company to work with and have become accustomed to the process, penetration tests on Malaysian companies should be done at least once or twice a year. That does not count the unpredictable occasions when a new threat is detected or the system undergoes internal changes.
The Importance of Running Pentests
The danger of not running Pentests is that, without the recommended regular checks, vulnerable points within the infrastructure can go undetected for months, if not years. While users and organizations are left in the dark about the unknown visitors in their systems who are probing (and sometimes manipulating and stealing) their assets, these breaches can send the company’s privacy policies into a downward spiral.
How to Get Penetration Service in Malaysia
A penetration test can run at different levels, both internal and external. Some companies offer one and some offer both, because the level of penetration test depends almost entirely on the organization’s requirements.
Put simply, we can safely say that Malaysian IT security companies offer both internal penetration testing and external Pentests.
An internal penetration test is conducted from within the organization’s own network to test the system’s internal firewalls, identify loopholes, and identify solutions. An external penetration test is done by a third party with an eagle-eye view from the outside.
Hired hackers, thinking and behaving like real attackers with ill intent, do their level best to beat the system from the outside, in order to provide the organization with a comprehensive report on what can be done to improve its security.
So, here are a few criteria you should look into when looking for a Pentest service provider in Malaysia.
Questions to Ask Your Pentest Service Provider in Malaysia
1 – Define the Extent of Pentest Your Organization Needs
Penetration tests, whether in Malaysia or outside the country, depend on what your organization requires. Are you trying to perform a penetration test on:
- A web application?
- Your new mobile application?
- Your network or company system infrastructure?
Once you’ve put your finger on the kind of test you need done, the company is able to decide on the types of tools, knowledge and expertise required, and the cost of the test. Do a little research (or ask around the IT inner circles) about the company to see whether it is experienced in, or capable of, performing the pentest you require. What you need to know is that there are, basically, three types of Pentests done on organizations, large or small:
- Black box test where the testers go in pretty much blindfolded, with no knowledge of the environment they’re trying to hack into.
- Grey box tests where testers have basic knowledge about what is required of them and the kind of system they’re dealing with.
- White box tests are mainly internal tests of system structure and design. The testers know what they’re up against.
2 – Know the Team of Pentesters
Take a closer look at the team of pentesters who will be performing the security test, because you’ll be revealing a lot of information about your company’s system to them. During the engagement, they’ll often have to think on their feet, make decisions, carry out complicated tasks, and apply acquired skills to deliver a high-quality pentest.
Questions you might want to ask about the Pentesters include:
- How long has the pentesting company been around?
- Who will be performing the penetration test?
- Which clients have they worked for?
- Can they provide a sample report?
- How do they evaluate the success rate of the pentesting team?
- What are the delivery timeline and budget?
- How will your organization’s sensitive data be transmitted, stored, erased, and retained?
- What kind of reports and solutions will the team provide once the Pentest is concluded?
- Does the sample report include discovered vulnerabilities? If yes, are recommendations provided?
- If you’re asking for referrals, ask whether the overall performance of the test was satisfactory and whether they would recommend the pentesters to their closest friends and family.
3 – Is There Liability Insurance?
Pentest companies are in the business of gaining access to systems and information that you would otherwise have kept private and confidential. They should have liability insurance in place to protect your business in the event that damage is caused to your network, computer systems, or data during the testing and intrusive activities.
4 – Verifiable Completed Projects
Pentesting is a very serious organizational endeavor and much of it depends on the competency and diligence of the Pentest team. Before engaging the Malaysian company’s pentesting services, ask them about the kind of processes, methodologies, tools and people they have deployed for similar projects.
As a potential customer, it would also be good if the company made its team members’ resumes and list of completed projects transparent. Most experienced pentesters come with credentials such as the Project Management Professional (PMP) certification.
5 – Detailed Methodology and Pentesting Process
Before signing on the dotted line, your organization, especially your IT team, needs to run through and validate the pentesting methodology with the Malaysian pentesting service provider. A lot is at stake.
Drill down into the tools, tests, procedures, reports, timeline, and exploit evaluation to be used during the process. Don’t be afraid to probe hard and get to the bottom of every detail, because not only will it ensure complete transparency and accuracy of the test, it will also help to improve the quality of the pentesting service they provide.
6 – Is Penetration Retesting an Available Option?
This is an important question to ask if you’re looking for a reliable, long-term pentest partner. Pentesting is required throughout the life of your business, so ask whether it is possible to run a retesting exercise after the initial one is done and dusted.
Most pentesting companies in Malaysia are forward-looking. They provide your organization with cybersecurity measures that not only sift out threats now but also include retesting options for the future.
Pentest services in Malaysia are really a long-term engagement, not a one-off service.
You can find out more about Penetration Testing and how it differs from Vulnerability Testing – here’s a good read from eCouncil.org.
If you have concerns about your systems’ security, please get in touch with us today for a free consultancy here. AceTeam Networks is a Cybersecurity Solutions and Services Provider certified with ISO 27001:2013 (Information Security Management System).
Contact us today for a free consultancy.