Ask us a question

You are here

Performing penetration tests

Why penetration tests?

Websites suffer 22 attempted cyberattacks per day on average, as a result of which 64% of companies experienced a successful web-based attacks last year. One effective way to protect your online services and applications is to assess their exposure to cyberattacks.  Intrusion testing, also known as pen test or penetration test, is a form of security assessment which simulates a real-world attack from malicious users and helps to indentify vulnerabilities in a proactive manner.

Taking appropriate cyber-security defence measures can ultimately save sizeable amounts of money in potential data breaches, losses and frauds, prevent damage to your company's reputation and customer confidence, and avoid business disruptions.

Penetration testing is also very useful for improving the reputation and trust of your company, so as to:

  • convince your customers and partners that your applications and solutions are secure;
  • be prepared for an audit or a certification;
  • To limit the risk of data breach and ensure your GDPR compliance;

Studies have shown that 43% of cyberattacks now target small businesses. Whether you are a start‑up, a SME or a large company, intrusion testing is a wise investment to improve the security of your information systems. As such, we can either perform in-depth intrusion tests or conduct limited quick tests.

Approach intrusion testing services cover:

  • Web application intrusion testing;
  • Mobile application intrusion testing;
  • Infrastructure intrusion testing;
  • Network (wired and wireless) intrusion testing;
  • Red team attack simulation;
  • Social engineering intrusion testing;
  • Embedded devices and IoT intrusion testing;
  • Dedicated hardware (smartcard, HSM, firewalls, etc.);
  • Home‑made communication protocols intrusion testing.

Approach, your most valuable partner

Approach is one of the leading intrusion testing companies in Belgium, having performed hundreds of missions for more than 15 years. Our team of ethical hackers combines the highest skills with in-depth experience.  Its members keep continuously abreast of new threats by attending conferences, writing technical papers or obtaining new certifications.

Our service offering covers the whole chain of cyber-security (GRC, secure development, operational security, etc.), so our ethical hackers can also rely on the expertise of the other teams to deliver the best contextualized recommendations and not only generic ones.

Our deliverable: an exhaustive report with concrete recommendations

Like all the security assessments we perform, the result is a detailed and contextualized report containing valuable recommendations to make attacks much harder (or impossible). These recommendations are rated, prioritized by criticality and cost, englobed in structural measures if possible, and formalized to be usable in compliance reports and customers’ communication. This is usually completed by a management summary section and a presentation.

Approach intrusion testing methodology is based on the OSSTMM:

Pursuant to the principles of the OSSTMM, our missions may encompass the following phases (which may or may not be required, depending on the customer's needs):

  • Scope definition
  • Architecture discovery
  • Services enumeration
  • Vulnerability tests 
  • Attack scenario
  • Exploitation
  • Lateral movement to attack other systems
  • Reporting and recommendations

Approach vulnerability tests

We distinguish two kinds of vulnerability tests: 

  • Vulnerability scanning, i.e. a process that uses some (semi-automated) scanning tools to detect known and usual problems (SANS top 25, OWASP Top 10, …).
  • Manual intrusion testing, i.e. a more sophisticated process used to detect complex security issues in the application and environment. Unlike the automated scanner, the ethical attacker will focus on business priorities and on valuable assets, as the real hacker does.

Both kinds of interventions can be applied at three levels

  • The network level targets mainly the network protocols and open ports, but may also encompass a discovery of the network topology and/or connected devices, by direct access and/or public information stored on the Internet (“whois” databases, search engines, etc.). It also includes all network services such as DNS, mail relays, etc.
  • The system level targets the operating system and/or its components (Web server, Application server, database, etc.). As a lot of aspects are related to network protocols, this may encompass network firewall settings (depending on where the security is performed, on the machine or at the perimeter).
  • The application level targets the code – either the business logic, or the development libraries/frameworks.

Application vulnerability scanning and intrusion testing can be performed from different perspectives:

  • Before a user is authenticated, trying to break into the application without valid credentials
  • After a user is authenticated, trying to elevate his privileges – for example to access another customer's data, change a purchase price, enter the administrative application, etc.

Security tests can be performed either in a “black box” (used to perform the tests without any knowledge of the environment) or in a“grey box" (used to perform the tests with some internal knowledge of the environment).  We also have a “white box” approach, which is a review of the actual architecture, design and code looking for the roots of potential holes. This addresses more the cause of a vulnerability whereas tests address the result.



Client references

“Thanks to Approach's intrusion tests and recommendations, we higher a lot our security level before being exposed to an attack.”  Alexandre Lienard, Chief Information Security Officer, Nethys Group

"For more than 10 years now, Approach has been helping NATO, maintaining an extremely high level of security for applications managing restricted information".   Dimitris Stavrakis, Head of NATO Standardization Office

LuxTrust - Approach

"Thanks to Approach, we were able to provide our partners and customers with a solution combining high security and smooth integration."  Stéphane RIES, Deputy CEO & COO, LuxTrust

“Edenred takes privacy of its customers and employees very seriously. In Approach we found an ideal partner to help us assess our maturity level against the General Data Protection Regulation, establish and drive a roadmap with the objective to meet our compliance obligations.”  Koen Reyniers, COO BENELUX EDENRED

Publications & events

Published on 05 June 2018

Approach is recruiting IT Security experts

The Waldorado team from RTL TVI visited us to know more about our activites and the profiles we are recruiting.  Watch the movie !
Read more

Published on 09 May 2018

The mechanism of a targeted phishing attack

Several cases of targeted phishing by email have been reported by some of our clients.  Download our white paper to learn more about...
Read more

31May

Namur Expo (1 day )

Approach at ICT Infrastructure Namur

Meet us during ICT Infrastructure Exhibition on May 31st.
Read more

Published on 13 April 2018

Replay of the RTL TVI show "Tout s'explique" dedicated to cyber-security

During the interview,  we had the opportunity to demonstrate, in a popularized way, how easy it is for a third-party application to...
Read more

Published on 04 April 2018

Rise of DDoS Amplification Attacks

Since the end of February 2018, we’ve seen a rise of DDoS Amplification attacks, with in some case more than 1Tbps of traffic generated. ...
Read more

Published on 26 February 2018

Can we really trust an antivirus when it comes to unknown threats?

Approach CSIRT Team reproduced a similar attack in its lab ...
Read more

14March

Brussels Expo (2 days)

Approach at Infosecurity

Meet our experts to discuss about your cyber-security challenges and attend our session "the advent of mobile digital identity" at...
Read more

Published on 14 December 2017

Approach service offering and mission - brochure

We enable our customers to succeed by delivering state‑of‑the‑art solutions to cyber‑security challenges.
Read more

Our Approach to cyber-security

Our customers benefit from the expertise and talent of our people, combined with pragmatic and proven methods and the efficiency brought by our assets:

1

Expertise and talent

Since 2001 we have applied our experience in cyber-security gained in various industries, from small to large businesses. Our people are seasoned, certified professionals who continuously improve and extend their knowledge.

2

Pragmatic and proven methods

We rely on most recognised, easily auditable and adopted standards and good practices and apply them pragmatically. We always tailor our approach to your particular context, needs and organisation culture.

3

Asset-based approach

We make use of the most advanced and reliable tools and solutions to support our services. This enables us to be more efficient during delivery, enforce the use of standard auditable methods and provide transparency about our achievements and your results.

+
Certified professionals
0+
Success stories
0
Year of establishment
+ 0%
Average annual growth