Security Testing Services are offered by Barikat Cyber Security to many organizations from different sectors. In this blog post, we share the testing services requested by these organizations and the findings of those tests. Security Testing Services are a set of vendor-independent services in which information systems are tested, before cyber attackers do so, against the three basic principles of information security (confidentiality, integrity and availability), existing security gaps are identified, and solutions are offered to close them.
In this context, Barikat Cyber Security provides security testing services in areas such as internet, local network, web application, wireless network, social engineering, DDoS, mobile application, software source code analysis, continuous vulnerability analysis, malicious traffic analysis and red team.
The related studies were prepared on the demands of organizations from different sectors such as finance, public, transportation, e-commerce, energy and communication. The Security Testing Services requested by the organizations are, in detail:
Internet Security Tests: Examine the organizations' assets that are accessible over the internet.
Local Network Security Tests: Examine the organizations' assets that are accessible over their local networks.
Mobile & Web Application Security Tests: Examine the organizations' assets that are accessible through mobile and web applications.
Web Service / API Security Tests: Examine faults and weaknesses that may occur in the organizations' web services and APIs.
Wireless Network Security Tests: Examine the organizations' wireless networks, including access controls, configuration, evaluation of user behaviour, password cracking tests, and tests of attacks against the corporate network over the accessed wireless networks.
The results obtained in these tests are labeled as urgent, critical, high or medium severity findings, depending on their importance. Across all of the tests, the findings were labeled as 3% urgent, 16% critical, 59% high and 16% medium severity. Broken down by test type:
Internet Security Tests: 14% critical, 43% high and 43% medium severity findings.
Web Application Security Tests: 14% urgent, 17% critical, 33% high and 36% medium severity findings.
Web Service Security Tests: 66% high and 34% medium severity findings.
Local Network Security Tests: 5% critical, 94% high and 1% medium severity findings.
Wireless Network Security Tests: 66% high and 34% medium severity findings.
Mobile Application Security Tests: 4% urgent, 14% critical, 29% high and 53% medium severity findings.
Software Source Code Analysis: 53% critical, 22% high and 25% medium severity findings.
For DDoS and load tests, the evaluation instead records whether the protection of the system succeeded or failed. The tests performed in this context gave the following results:
DDoS Tests: 39% successful, 61% failed.
Web Application Load Tests: 50% successful, 50% failed.
Social Engineering Tests, on the other hand, are a test service that measures the level of information security awareness of personnel by using various deception techniques; they are performed against all or a part of the organization's employees. Within the scope of this test, findings were obtained using e-mail and telephone as the communication channels. The tests performed in this context gave the following results:
E-mail: In the e-mail scenario, a 3-stage test was organized: opening the e-mail, clicking the link in the opened e-mail, and filling in the form reached through that link. 30% of the users who received the e-mail opened it, 90% of those who opened it clicked the link, and 14% of those who clicked the link filled in the form.
Telephone: In the telephone scenario, the people contacted were asked for their passwords. 75% of the users contacted by phone gave their passwords.
In addition to all of the above, a zero-day vulnerability was found for a customer in the energy sector within the same evaluation period. The CVSS v3.0 Base Score of this zero-day vulnerability, found during the penetration tests, is 8.1.
Barikat Cyber Security offers general remediation recommendations for the findings. We hope that this blog post is useful for seeing the general vulnerability trends of organizations.
Please contact us for more information about our Security Testing Services.
As a sample, the tests performed in the period of June 2020 were evaluated.