The Qantas App Data Breach: A Lesson in Human Error and System Resilience
Remember the Qantas app incident in May 2024? Users suddenly seeing other passengers’ booking details, able to change seats, even cancel flights – a digital
Complete our simple online form and we will have a proposal to you within 2 business days.
A penetration test is a form of legitimate and ethical hacking for the purposes of validating an organisation’s cyber security, using methods observed in real cyber attacks. A successful penetration test shows that an organisation’s systems and networks are vulnerable to real cyber attacks, and identifies steps which can be taken to improve cyber security.
Our expert, CREST certified penetration testers are experienced and trained in hacking complex computer networks, systems, websites, APIs and applications.
Actively enhance your cyber resilience, minimise your organisation’s risk exposure, and conform to top cyber security standards.
Achieve and maintain compliance with cyber security industry standards such as ISO27001, NIST, PCI DSS, HIPAA and SOC2.
Identifying and rectifying vulnerabilities enables improvement of your security posture thus reducing both the likelihood and impact of cyber attacks. This gives you a competitive advantage in your market.
Strengthen the security of your computer systems, networks, and applications to reduce vulnerabilities and protect against cyber attacks. Hardening your systems plays a crucial part in your risk management.
Receive feedback on vulnerabilities so that development teams can improve their secure code practices.
Prevent the disruption to your business (network downtime), the increased costs, the reputational damage and the legal ramifications caused by preventable cyber attacks and data breaches.
Your organisation has set up its WebApp, Network, Website, computers, cloud servers and apps and you hope it’s secure. How do you know?
Once you engage us and provide permission to perform penetration testing (i.e. provide permission for us to ethically hack your system or network), the relevant URLs, IP addresses, apps, APIs and logins need to be provided. Login access is important as it allows us to quickly identify potential access points and specifically test the security of those access points.
Identify the systems, pages, inputs, APIs, platforms, logins and technical components to map out the possible attack options. To reduce time spent in this step, this information can be provided as part of the engagement so more time can be spent on finding vulnerabilities.
Vertex penetration testers will attempt to break your security – just like a hacker would – using real-world attacks to attempt to gain access.
A combination of manual testing, following a standardised process, along with tools and in-house developed code will be used to identify points of weakness.
For typical engagements, testing will occur over a 1 to 2 week period.
Vulnerabilities and recommended rectifications are documented in our PenTester platform with associated evidence.
We will provide our industry leading report on the outcomes of the penetration test, including details of all vulnerabilities found and how to fix them.
Once your development team or provider has implemented fixes for the identified vulnerabilities, we will typically perform a retest of the resolved vulnerabilities to confirm effectiveness of the applied fixes against future cyber attacks.
Penetration testing can be performed manually or automatically depending on specific need, frequency and budgetary constraints.
Automated penetration testing employs software tools to systematically scan and identify potential vulnerabilities within a computer system. While efficient and capable of covering a wide range of issues, automated testing may overlook nuanced or complex security flaws that require human intuition and expertise to detect.
Manual penetration testing, on the other hand, involves skilled cyber security professionals conducting in-depth examinations of the system. This method allows for a meticulous analysis that can uncover subtle vulnerabilities missed by automated tools, albeit requiring more time and resources.
WebApp and Website penetration testing is the process of systematically assessing the security of the WebApp or website to uncover vulnerabilities that could be exploited by attackers.
It combines automated scans with manual testing by cyber security professionals to simulate real-world attack scenarios and identify weaknesses in areas such as authentication, input validation and access controls.
This proactive approach helps organisations address security issues before they can be exploited by malicious actors.
Infrastructure penetration testing involves assessing the security of a company’s IT infrastructure, including servers, networks, and other critical components.
It aims to identify vulnerabilities that could be exploited by attackers to gain unauthorised access or disrupt services.
This process typically includes both automated scans and manual testing techniques conducted by cyber security experts. By simulating various attack scenarios, infrastructure penetration testing helps organisations uncover weaknesses in their systems and take steps to strengthen their security defenses.
Application penetration testing focuses on evaluating the security of software applications to uncover vulnerabilities that could be exploited by attackers.
This assessment involves examining mobile applications to identify potential weaknesses in areas such as authentication, configuration settings, data storage, authorisation, data input validation and session management.
Through a combination of automated scanning tools and manual testing by cyber security professionals, application penetration testing aims to simulate real-world attack scenarios and provide insights into how attackers might exploit vulnerabilities.
By proactively identifying and addressing security flaws, organisations can enhance the overall security posture of their applications and protect sensitive data from unauthorised access or manipulation.
API penetration testing is a method used to assess the security of APIs (Application Programming Interfaces), which are used to enable communication and data exchange between different software applications.
This process involves testing the API endpoints for vulnerabilities that could be exploited by attackers to gain unauthorised access to data or manipulate the behaviour of the application.
API penetration testing typically includes analysing authentication mechanisms, input validation, access controls, and data encryption.
By identifying and addressing security weaknesses in APIs, organisations can prevent potential data breaches and ensure the integrity and confidentiality of their data.
WiFi penetration testing typically includes evaluating the configuration of WiFi access points, encryption methods, authentication mechanisms and network segmentation.
By simulating various attack scenarios, such as eavesdropping on network traffic or attempting to crack WiFi passwords, WiFi penetration testing helps organisations identify weaknesses in their wireless networks and implement appropriate security measures to protect against unauthorised access and data breaches.
Physical penetration testing assesses the security of physical premises, facilities, and assets by attempting to gain unauthorised access through various means.
This includes testing the effectiveness of physical security controls such as locks, alarms, surveillance systems and access control mechanisms.
By simulating real-world intrusion attempts, physical penetration testing helps organisations identify weaknesses in their physical security posture and implement measures to prevent unauthorised access and protect sensitive assets from theft, vandalism, or other physical threats.
Social engineering penetration testing involves assessing an organisation’s susceptibility to manipulation or deception by exploiting human psychology.
This includes tactics such as phishing emails, pretexting phone calls or physical impersonation to trick employees into divulging sensitive information or performing actions that compromise security.
By simulating these social engineering attacks, organisations can identify weaknesses in their security awareness training programs, policies and procedures, and take steps to improve employee resilience to social engineering tactics.
OT, SCADA and IoT penetration testing entails evaluating the security of operational technology systems and Internet of Things devices.
This involves identifying vulnerabilities in network infrastructure, communication protocols, and device firmware.
By employing both automated scans and manual testing by cyber security experts, these assessments simulate real-world attack scenarios to uncover weaknesses and mitigate potential risks before they can be exploited by malicious actors, enhancing the resilience and reliability of critical infrastructure and IoT deployments.
Choosing a CREST-certified provider for penetration testing offers assurance of quality, expertise, and ethical conduct. These providers undergo rigorous training, ensuring they possess the skills to effectively identify and mitigate security vulnerabilities. Their independence and impartiality guarantee unbiased results. CREST certification is widely recognised in the industry, enhancing the credibility of the organisation’s security program. Additionally, ongoing professional development ensures these providers stay updated on the latest threats and technologies, offering cutting-edge testing services. Ultimately, selecting a CREST-certified provider strengthens the organisation’s cybersecurity posture and resilience against cyber threats.
An authenticated penetration test involves testing a system or application with valid credentials, simulating an attack by an insider or a compromised user. This allows testers to assess security controls and vulnerabilities accessible to authenticated users, such as inadequate permissions or weak authentication mechanisms.
In contrast, a non-authenticated penetration test does not involve using valid credentials. Instead, testers attempt to exploit vulnerabilities from an external perspective, simulating an attack by an unauthorised user. This type of test focuses on identifying weaknesses accessible without authentication, such as misconfigured services or publicly exposed sensitive information.
Both types of tests provide valuable insights into an organisation’s security posture, but authenticated testing offers a deeper assessment of internal vulnerabilities and controls, while non-authenticated testing focuses on external threats and surface-level weaknesses.
Automated penetration testing is suitable for scenarios where efficiency, scalability, and repeatability are essential. However, it’s crucial to supplement automated testing with manual testing to ensure comprehensive coverage and uncover more nuanced vulnerabilities.
Organisations might choose to engage a different or second provider for penetration testing due to several reasons:
Diverse Expertise: The second provider may offer specialized expertise or experience in areas that the primary provider lacks, enabling a more comprehensive assessment of security risks.
Validation and Verification: Employing multiple providers can provide validation and verification of findings, reducing the risk of overlooking critical vulnerabilities or misinterpreting results.
Conflict of Interest: Concerns about conflicts of interest with the primary provider, such as being involved in the design or implementation of security measures, may prompt organisations to seek an independent assessment from a different provider.
Regulatory Compliance: Regulatory requirements or industry standards may necessitate independent verification of security controls, prompting organisations to engage multiple providers to ensure compliance.
Risk Mitigation: Diversifying penetration testing efforts across multiple providers can help mitigate the risk of bias, errors, or oversights inherent in relying solely on one provider.
Benchmarking and Comparison: Engaging multiple providers allows organisations to benchmark the effectiveness of their security measures and compare findings to gain deeper insights into their security posture.
Overall, leveraging different providers for penetration testing can enhance the thoroughness, objectivity, and effectiveness of security assessments, contributing to a more robust cybersecurity posture for the organisation.
Login credentials are necessary for penetration testing to simulate real-world attack scenarios where attackers might have access to valid user accounts. This allows testers to assess security controls and vulnerabilities accessible to authenticated users, ensuring a thorough evaluation of the system’s security posture and the identification of potential risks and weaknesses.
Penetration testing alone cannot guarantee the prevention of cyber incidents and data breaches, but it significantly reduces the risk by identifying and addressing vulnerabilities before they can be exploited by malicious actors.
For example, in 2017, Equifax suffered a massive data breach exposing the personal information of millions of individuals. The breach occurred due to a known vulnerability in the Apache Struts software, which Equifax failed to patch. If Equifax had conducted regular penetration testing and addressed the vulnerability promptly, they could have prevented the breach.
Penetration testing helps organisations proactively identify and mitigate security weaknesses, reducing the likelihood of successful cyberattacks and data breaches. However, it should be part of a comprehensive cybersecurity strategy that includes regular patch management, employee training, and other security measures to effectively mitigate risks.
Penetration testing is often a requirement under international cybersecurity standards such as ISO 27001 and SOC 2. These standards emphasise the importance of regularly assessing and testing security controls to ensure the confidentiality, integrity, and availability of information assets.
Under ISO 27001, penetration testing is typically included as part of the information security management system (ISMS) controls, specifically in control A.8.8 (2022). This control mandates organisations to periodically assess the security of information systems through activities like vulnerability assessments and penetration testing.
Similarly, SOC 2 requires organisations to conduct penetration testing as part of the Trust Services Criteria (TSC) related to security. Penetration testing helps validate the effectiveness of security controls and demonstrates the organisation’s commitment to safeguarding client data and sensitive information.
While not explicitly mandated in every cybersecurity standard, penetration testing is widely recognised as a best practice for identifying and mitigating security risks, and many organisations choose to include it as part of their compliance efforts regardless of specific regulatory requirements.
Internal penetration testing evaluates the security of systems and networks from within an organisation’s internal network, simulating attacks that could occur from employees or other authorised users.
External penetration testing, on the other hand, assesses the security of systems and networks from an external perspective, mimicking attacks from outside the organisation, such as hackers on the internet.
While internal testing focuses on insider threats and vulnerabilities accessible to authorised users, external testing targets vulnerabilities that could be exploited by unauthorised external parties. Both types of testing are crucial for identifying and mitigating security risks effectively.
The OWASP Top 10 is a list of the ten most critical security risks facing web applications, as identified by the Open Web Application Security Project (OWASP), a nonprofit organisation focused on improving software security. These risks are based on data from real-world security incidents and expert analysis. The OWASP Top 10 provides guidance to developers, security professionals, and organisations on the most pressing vulnerabilities to address when designing, developing, and testing web applications. It serves as a valuable resource for understanding and mitigating common security threats to ensure the resilience and integrity of web applications against cyberattacks.
OSINT, or Open Source Intelligence, refers to the collection and analysis of publicly available information from various sources such as social media, news articles, and online forums. In the context of penetration testing, OSINT is used to gather information about the target organisation, its employees, infrastructure, and potential security vulnerabilities. This information can help penetration testers identify potential attack vectors, such as weak passwords, outdated software, or misconfigured systems, which can be exploited during the testing process. By leveraging OSINT techniques, penetration testers can enhance the effectiveness of their assessments and provide valuable insights into the organisation’s overall security posture.
DDOS testing is not included, as most cloud providers have T&Cs that prohibit DDOS testing or require notification for it. Where allowed, DDOS testing can be included for an extra cost; however, if there is no DDOS protection, it is most likely to succeed in causing an outage (DOS).
More than 60% of our Penetration Tests find Critical Vulnerabilities (those that allow an attacker full access to data or systems). As we have seen from other data breaches like Optus, the cost of a quality Penetration Test would have been the cheaper option and would have avoided the negative impacts.
If the WebApp is really API + JS (React, VueJS, etc.), then the APIs that are used within the WebApp are included.
If there are specific APIs not used within the WebApp but still accessible from the internet then we just need to understand how many extra APIs are required so we can include them in the scope and pricing.
Typically we perform the Penetration Testing over a 1 to 2 week window. We are focused on the outcome of running all our tests to identify as many vulnerabilities as possible. This means that if we identify more tests that will take more time, they are included, as the engagement is fixed price and not restricted by effort. We feel that effort-based pricing prioritises time and not vulnerabilities, so we don’t align to that model.
There is always a cost (e.g. free shipping) with these marketing tactics, and as such it is likely that the quality of the Penetration Testing and the quality of the free add-on have been compromised to provide those offers. This is not a model we align with, as it sacrifices quality. We have received feedback from clients that they were disappointed with the quality of competitors offering the free add-on. We provide other Cyber Services like Audits, so if you need a quality Cyber Audit we would recommend that as a separately priced item.
Hackers will find your vulnerabilities and the impacts and cost will be significantly larger.
(c) 2024 Vertex Technologies Pty Ltd.