Ready to start a project with us? Let us know what's on your mind.

1501 Broadway STE 12060
New York, NY 10036-5601

inquiry@winmill.com
1-888-711-6455

    Select Service(s)*

    x Close

    Cyber Security Penetration Testing

    Penetration testing, also called pen testing, is a cybersecurity exercise in which a security testing expert, called a pen tester, identifies and verifies real-world security flaws–vulnerabilities–by simulating the actions of a skilled cybercriminal determined to gain unauthorized access to an organization’s data, systems, and infrastructure.

    Our Process

    At Winmill no two penetration tests are the same. We use the Penetration Testing Execution Standard (PTES) as a baseline to customize our services to your specific requirements. The seven stages of penetration testing as defined by PTES are as follows:

    two people and chat bubbles icon

    Pre-engagement interactions

    Define project scope, goals, and rules of engagement.

    magnifying glass scanning a paper icon

    Intelligence gathering

    Perform reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases.

    circle image icon

    Threat modeling

    Analysis of business assets, business processes, threat communities, and threat capabilities to identify the organization’s appetite for risk and prioritization of vulnerabilities.

    circle with check mark icon

    Vulnerability analysis

    Discover flaws in systems and applications which can be leveraged by an attacker. Flows can range from host and server misconfiguration to insecure application design.

    computer with spy man icon

    Exploitation

    Focus solely on establishing access to a system or resource by bypassing security restrictions. The main focus is to identify the main entry point into the organization and to identify high value asset targets.

    list with checkmarks icon

    Post-Exploitation

    Determine the value of the compromised machine and maintain control of the machine for later use. Identify and document sensitive data, configuration settings, communications channels, and relationships with other network devices that can be used to gain further access to the network.

    pen and paper icon

    Reporting

    We report the findings of the Penetration Test. The intended audience are those in charge of oversight and strategic vision of the security program, as well as any members of the organization who may be impacted by the identified/confirmed threats.

    At Winmill no two penetration tests are the same. We use the Penetration Testing Execution Standard (PTES) as a baseline to customize our services to your specific requirements. The seven stages of penetration testing as defined by PTES are as follows:

    Pre-engagement interactions

    Define project scope, goals, and rules of engagement.

    Intelligence gathering

    Perform reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases.

    Threat modeling

    Analysis of business assets, business processes, threat communities, and threat capabilities to identify the organization’s appetite for risk and prioritization of vulnerabilities.

    Vulnerability analysis

    Discover flaws in systems and applications which can be leveraged by an attacker. Flows can range from host and server misconfiguration to insecure application design.

    Exploitation

    Focus solely on establishing access to a system or resource by bypassing security restrictions. The main focus is to identify the main entry point into the organization and to identify high value asset targets.

    Post-Exploitation

    Determine the value of the compromised machine and maintain control of the machine for later use. Identify and document sensitive data, configuration settings, communications channels, and relationships with other network devices that can be used to gain further access to the network.

    Reporting

    We report the findings of the Penetration Test. The intended audience are those in charge of oversight and strategic vision of the security program, as well as any members of the organization who may be impacted by the identified/confirmed threats.

    Services

    Web Application Assessments

    A Winmill Web Application Penetration Test consists of two phases: a black box penetration test, and an OWASP Top 10 security assessment. Phase 1 assesses how far a skilled attacker can get, without credentials or prior knowledge, towards compromising the application’s Confidentiality, Integrity, and Availability (CIA). This phase consists primarily of manual testing with BurpSuite Pro and open-source tools. Phase 2 is a grey/white box security assessment that starts with a credentialed vulnerability scan using Qualys WAS and open-source scanners and continues with manual testing in all OWASP Top 10 vulnerability categories.

    Areas of Focus

    • Broken Access Control
    • Cryptographic Failures
    • Injection
    • Insecure Design
    • Security misconfiguration
    • Vulnerable and Outdated Components
    • Identification and Authentication Methods
    • Software and Data Integrity Failures
    • Security Logging and Monitoring Failures
    • Server-Side Request Forgery

    Network Penetration Assessments

    Our network penetration assessment attempts to identify exploitable vulnerabilities in networks and network devices, servers, and DNS. Our assessment uses tools and manual processes to reveal open ports and running services. We assess the integrity of firewalls, switches, routers and load balancers, and discover misconfigured proxy servers, FTP servers, and TLS/SSL configurations.

    We Assess

    • Firewalls & switches
    • Routers & load balancers
    • Proxy servers & FTP servers
    • TLS/SSL configurations

    Mobile Assessments

    Our iOS and Android application mobile assessment evaluates your mobile application against the OWASP Top 10 Mobile Vulnerabilities. Amongst others, these include improper platform usage, insecure data storage, insecure communication, and insecure authentication. Mobile Assessments are typically performed by jailbreaking an iOS device or rooting an Android device.

    We Prevent

    • Improper platform usage
    • Insecure data storage
    • Insecure communication
    • Insecure authentication

    Social Engineering Assessment

    Our social engineering assessment imitates real-world attacks to help measure the security posture of your organization and confirm roles and responsibilities used to protect critical business information. This includes Open Source Intelligence (OSINT) gathering, which attempts to reveal organizational information from publicly available data and phishing attacks, where crafted emails are sent to select employees with the intent to convince the user to click a “malicious” link. Based on the results, we can further assist you to design security awareness training.

    We Use

    • Publicly available data
    • Simulated phishing attacks

    "They are honest, smart people. I’ve never seen a dud come out of that company. "

    Winmill Client Survey

    Interested In Starting A Project With Us?

    Let's Talk
    x

      Select Service(s)*

      Thank you for your inquiry. We'll be in touch soon.

      Services

      Resources

      Contact Us

      © 2022 Winmill Software. All Rights Reserved. Read Our Privacy Policy.