Pentesting / Penetration tests

Pentesting, a pentest, or penetration test

Penetration tests, also known as pen tests, are ‘legal’ or ‘ethical hacker’ attacks on your network, website, Internet access or computer system that give you insight into your security risks and vulnerabilities. Triple-B carries out these legal hacking tests for you in three ways:
  1. White box testing: the tester (the ‘hacker’) has prior insight into all aspects of the system architecture.
  2. Grey box testing: the tester has partial information.
  3. Black box testing: the tester has minimal prior knowledge.

The difference between the three lies in the amount of knowledge and background information that the tester receives beforehand.

Which test applies to you? We will be happy to explain it to you in a free introductory meeting. Did you know that:
  • regular pen testing contributes to protecting your company’s reputation and the continuity of your business?
  • a penetration test can prevent data leaks and fraud?
  • performing a pen test can even save you money?
  • the IT administrators of companies have not learned to test for vulnerabilities in software and at the network layer?
  • How do you know, or how can you prove, that your business information is secure? How sure are you of that?
  • An accountant audits your accounts, but who audits your ICT manager? Are gates unnecessarily open? Are the possibilities of your systems being used optimally and, above all, securely?
  • ISO 27001 is the standard for information security? It specifies requirements for the implementation, execution, monitoring, evaluation, maintenance and improvement of a documented Information Security Management System (ISMS) in the context of the organisation’s general business risks.
  • there are privacy rules that all companies have to comply with? Under the new AVG (the Dutch name for the GDPR) it has become mandatory to organise your security. With our pen tests, in which the reports are written by a CISSP (certified pen tester), you have already largely fulfilled your obligation to make your security demonstrable.

Website scan

You spend money on a beautiful website with interesting and useful content. You may sell your products or services through your site, or make your site available as a discussion forum. Did you or your web builder pay the same attention to the security of your site when you built it? Enter your own website address at and you may know more within 1 minute. On this website, the Dutch government, together with SIDN, offers an initial indication of how safe and well-built your website is. Don’t you score 100%? Then you are probably running risks, and your website will also be less easily found by search engines such as Google. If you want to solve this problem, Triple-B knows how to do it. We perform the same kind of test, but much more complete and in-depth. This is called a pen test. We invest in knowledge and equipment to stay ahead of the hackers as much as possible. A 100% secure website does not exist, but we can make yours safer.

Pentest on server and network

During a penetration test on server and network, we test the security of servers and components from the outside. We test the connection(s) between your office and the internet. This is something different from your website, which is often hosted externally. This gives you insight into vulnerabilities or security leaks within your network. We scan the security of one or more servers or a network segment via the internet or at your location. We can also include the route to the server and other network components in the scan in consultation with you.

Penetration test on applications

We advise you to have a pen test carried out on applications when custom software is used within your organisation. If your software builder does not let you see independent pen test reports, have the application tested yourself! In this test we focus on your specific applications, such as databases, content management systems and custom software. We use specialist software to scan source code. This is also called source code scanning or application vulnerability scanning.

Penetration test on VOIP

Organisations often do not yet realise the consequences of unauthorised access to their VOIP systems. Hackers then call their own expensive premium rate numbers via your (hacked) telephone exchange. Your VOIP systems often have their own network or cloud service, and therefore are not always automatically covered by the pen test of your office. In addition, specifically for VOIP, we have developed other tests that we can use to test your security.

Penetration test on e-mail

Sixty percent of all business infections come in by e-mail, so it is wise to test this channel regularly. We have developed our own system for this purpose. For larger companies we also have software available that works via a plugin. This also allows us to link in an awareness training, and every employee can always ask for assistance with (another) strange e-mail at the push of a button. With a nice competition element, your colleagues can show each other who is the most sensible. And such a learning moment is a regular occurrence and lasts a maximum of 30 seconds: permanent security on mail without it taking up a lot of time. The latter solution (with plugin) is for the time being only possible in companies with 100 or more employees, which is why we also have our own tooling from 1 mailbox upwards.

Pentest on LAN

What would happen if a hacker got onto your network? Or what could an angry employee do? To find out, we visit you on location to assess the security of the connected systems via your internal network. Many computer viruses spread quickly between the computers of a company or organisation. Is this also possible with you? WannaCry was one such example. If we had been at the company before WannaCry, the impact would have been 1 workstation instead of a complete organisation that is out of action for days or more. You will receive the result of the penetration test in the form of a clear and useful report, with which you can put your supplier or ICT manager to work. Triple-B can also set out the steps to be taken and/or take care of the roll-out in a subsequent process.

When should you have a penetration test done?

There may be several times when a pen test is useful:
  1. In the acceptance phase of a new system or a new application.
  2. In the event of significant changes to an important system or application.
  3. Periodically (annually/biennially, every week, every day), to test existing systems for new break-in techniques or configuration errors of your system administrator(s).
  4. If there is another reason to think that the security of a system is not as good as expected.
Please contact us for more information about the different types of penetration tests.  

Cost of a penetration test / security scan

Automated security scans of your website or office Internet access are quick and cheap for you to have performed. If you also want an official report and advice on the measures to be taken, that is usually 4 to 6 hours of work for us. In addition, good pen tests are a combination of the automated scan and a number of hours or days of manual checks, because not all errors can be detected by software. For pen tests that also include a report and/or manual checks, we always offer a fixed price in advance.

Below you will find an overview of still common attacks and hacking techniques:

SQL Injection

SQL injection is the injection of special characters and lines of code into pages and into the connections to and from your website. Usually tools are used for this, but it can also easily be done manually. The injected characters and code can make your website unusable and fill your database with unusable data. In some cases a hacker can take over your website, database or even your company servers via an SQL injection.

What can you do about it? Using captcha codes and choosing the right technical design for a website are the most common countermeasures.

Cross-site scripting / X-site scripting

With this dangerous technique, the hacker places a number of lines of code in your website that are used to capture or take over sessions and transactions. You run the risk that important and privacy-sensitive information about your customers is leaked. In some cases a hacker can take over your website, database or even your company servers. Be careful when making input fields available on your website! One unprotected field on one of the web pages is enough to place malicious code. This also applies to a guestbook or forum page!

Phishing

Phishing is ‘fishing’ for data from your customers. A big problem in banking! The most common technique is to send fake e-mails in the name and house style of the targeted organisation. The e-mails invite your customers to leave their personal details, such as login details or credit card numbers. The consequences are very serious. Many customers give their personal data in good faith, which gives the hackers access to your database. What can you do about it? Strong authentication is an important countermeasure against phishing: a token or key cannot be typed into an e-mail.

Website Defacement

Website defacement is altering your website so that visitors see other information. Usually this is the work of script kiddies: eager computer enthusiasts who often modify a website as a hobby. The consequences depend on the number of visitors to your website and the form of defacement used.
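The SQL injection and cross-site scripting sections above both come down to the same mistake: untrusted input is pasted into a language that the database or the browser then interprets. As an added illustration, which is not part of Triple-B's page or tooling, the Python snippet below shows a login query assembled by string formatting next to its parameterised form, and a greeting rendered without and with HTML escaping. Parameterised queries and output encoding are the standard "right technical design" countermeasures for these two attack classes. The table, the two accounts and every input value are constructed for the demo and are fictitious.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory demo database with two fictitious accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Query text is assembled from user input, so a quote character in the
    input changes the structure of the SQL statement itself."""
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Parameterised query: the driver binds the values as data, so they are
    never parsed as SQL whatever characters they contain."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def query_breaks(login, conn, username, password):
    """True if the login function raises a SQL syntax error for this input,
    i.e. the page's 'your website becomes unusable' case."""
    try:
        login(conn, username, password)
        return False
    except sqlite3.OperationalError:
        return True


def render_greeting_vulnerable(username):
    """Reflects the stored username straight into HTML (an XSS sink)."""
    return f"<p>Welcome, {username}!</p>"


def render_greeting_safe(username):
    """HTML-escapes the value so any markup in it is shown as text, not run."""
    return f"<p>Welcome, {html.escape(username)}!</p>"


if __name__ == "__main__":
    db = make_db()
    # A perfectly legitimate name with an apostrophe already breaks the unsafe query.
    print("vulnerable breaks on O'Brien:", query_breaks(login_vulnerable, db, "O'Brien", "pw"))
    print("safe breaks on O'Brien:     ", query_breaks(login_safe, db, "O'Brien", "pw"))
    # The textbook tautology in the password field makes the unsafe query return every account.
    tautology = "' OR '1'='1"
    print("vulnerable rows:", login_vulnerable(db, "anyone", tautology))
    print("safe rows:      ", login_safe(db, "anyone", tautology))
    # Stored markup reaches the browser unchanged in one case and neutralised in the other.
    payload = "<script>alert(1)</script>"
    print(render_greeting_vulnerable(payload))
    print(render_greeting_safe(payload))
```

The same pattern applies to any field a visitor can fill in, including the guestbook or forum pages mentioned above: bind values instead of concatenating them, and encode on output for the context (HTML body here) in which the value is rendered.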