Why is it important?
According to statistics from the end of 2019, more than 45% of FinTech and E-commerce services run by startups and medium-sized companies are vulnerable to medium- or high-risk vulnerabilities. Critical business data may be at risk, for example users' personal data or access to customers' financial information.
Why are these threats real?
The causes of cyber security threats to FinTech and E-commerce services vary widely. Below is a list of the most common reasons that lead to a compromise.
- Software development was conducted without feedback from information security specialists: the developers had no information about how the software could be attacked or what needed to be improved.
- Critical errors are present in the source code or software architecture.
- The developers used simple and unsafe techniques for the sake of ease of development or to meet deadlines.
- Software functions intended for testing were not deactivated, allowing protection mechanisms to be bypassed.
- Functions were built into the source code by a developer for later use for personal gain. Such functions can be added both at the release stage and during a subsequent update.
- Programmers used open source libraries with security vulnerabilities.
- The service development team is not familiar with secure software development.
After reading this list, you can assess how high the risk is that vulnerabilities exist through which attackers can gain unauthorized access to data critical to your business.
Imagine that your business is under a hacker attack. You run the risk of losing control simply because you were not aware of the potential cyber risks and did not eliminate the vulnerabilities. Under such circumstances, serious financial and reputational losses are possible, and in the worst-case scenario, the advisability of continuing the business at all may be in doubt.
Our team is an independent cybersecurity contractor. As part of Penetration Testing, we conduct an authorized attack on your infrastructure or its individual components in order to subsequently eliminate the identified vulnerabilities and increase the cyber security of your FinTech or E-commerce service. Please check out the details below.
What is Penetration Testing and what is the value of a service?
In short, you pay us to hack your service. This is an authorized hacking of your services, whether a company's corporate network, an iOS or Android mobile application, a Web application or a Web service. After the work is complete, we propose ways to eliminate the identified vulnerabilities so that your business has an appropriate level of protection from cyber threats.
We conduct Penetration Testing based on the business risks of each specific FinTech and E-commerce service. All individual features are taken into account, and a test plan and attack scenarios are drawn up for each group of critical data.
We provide exclusively lawful services. We do not conduct penetration testing without official consent from the client, in which we agree on the date, time and scope of work. You should be aware that during penetration testing your infrastructure or its individual components may be temporarily unavailable.
We help FinTech and E-commerce services in the fight against hackers, and if the business has already been attacked, we help you understand what is happening, find the cause and the signs of compromise, take control of the situation and eliminate the cybersecurity problems.
Penetration Testing Methods
After obtaining official permission to conduct Penetration Testing and agreeing on the details, such as which information system components, nodes or services are to be tested and which are excluded from testing, it is necessary to determine how much the cybersecurity specialist is told about the target: Black Box, White Box or Grey Box.
- Black box. Classical modelling of an attacker's actions: the tester has no information other than what he can collect himself from open sources using publicly available tools.
- White box. The contractor can request and receive any information about the customer's systems under test. This mode detects the largest number of vulnerabilities.
- Grey box. The contractor knows only some elements of the web infrastructure and must learn the rest himself. This approach simulates a situation where an attacker has an insider within the customer's business.
Once all the nuances are agreed, we get to work!
Penetration Testing Steps
*Time frames are given for reference. In each specific project the timing of the work is individual and depends primarily on the complexity, scope of work and features of each object under study.
We send requests to the customer's network nodes and analyze the responses. This activity can be detected by intrusion detection and prevention systems (IDS/IPS). To avoid blocking the contractor's IP addresses, we recommend adding them to the whitelist before work starts. This stage takes from 2 to 10 days, depending on the number of objects and the architecture.
We compile a list of potential vulnerabilities. Vulnerabilities whose exploitation is known to cause a malfunction in the service we recommend checking on a specially created test bench. Vulnerability collection takes 4 to 15 days, depending on their number.
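One way the customer's SOC can apply that whitelist together with the agreed date, time and scope, so that alerts caused by the tester are separated from activity that still needs investigation. This is an added example, not part of this page or the contractor's tooling; the addresses, host names and time window are constructed placeholders.

```python
# Added example: triaging IDS/IPS alerts during an agreed penetration-testing
# window. Alerts from the contractor's whitelisted source range, inside the
# agreed time window and against in-scope hosts, are tagged as authorized
# testing; everything else is still treated as something to investigate.
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Engagement terms as agreed with the customer (constructed placeholder values).
CONTRACTOR_NETS = [ip_network("198.51.100.0/29")]        # tester source range
SCOPE_HOSTS = {"shop.example.test", "api.example.test"}   # in-scope nodes
WINDOW = (datetime(2024, 3, 4, 8, 0, tzinfo=timezone.utc),
          datetime(2024, 3, 8, 18, 0, tzinfo=timezone.utc))

@dataclass
class Alert:
    ts: datetime
    src: str
    target: str
    sig: str

def triage(alert: Alert) -> str:
    """Return 'authorized-test' if the alert is explained by the engagement,
    otherwise 'investigate'. Out-of-scope targets and out-of-window activity
    from the tester range are NOT covered by the agreement."""
    src = ip_address(alert.src)
    from_tester = any(src in net for net in CONTRACTOR_NETS)
    in_window = WINDOW[0] <= alert.ts <= WINDOW[1]
    in_scope = alert.target in SCOPE_HOSTS
    if from_tester and in_window and in_scope:
        return "authorized-test"
    return "investigate"

# Constructed sample alerts: in scope, out of scope, out of window, unknown source.
SAMPLE_ALERTS = [
    Alert(datetime(2024, 3, 5, 10, 0, tzinfo=timezone.utc), "198.51.100.3", "shop.example.test", "port scan"),
    Alert(datetime(2024, 3, 5, 10, 5, tzinfo=timezone.utc), "198.51.100.3", "hr.example.test", "port scan"),
    Alert(datetime(2024, 3, 9, 2, 0, tzinfo=timezone.utc), "198.51.100.3", "api.example.test", "dir brute force"),
    Alert(datetime(2024, 3, 5, 10, 1, tzinfo=timezone.utc), "203.0.113.7", "shop.example.test", "port scan"),
]

def triage_all(alerts):
    return [(a.src, a.target, triage(a)) for a in alerts]

if __name__ == "__main__":
    for row in triage_all(SAMPLE_ALERTS):
        print(row)
```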
Checking the list of vulnerabilities
We confirm the presence of the potential vulnerabilities on the list. Most of the work is done manually; the stage takes from 5 to 25 days.
At this stage we analyze the results obtained and the information collected. The stage takes from 5 to 20 days, depending on the number of vulnerabilities and the methods of their exploitation.
Penetration Testing Report
At the briefing stage we ask: who will use the results of the Penetration Testing, a business person or a technical specialist? As you can guess, the content of the report differs depending on the answer. We will not overload the business reader with complex technical terms, but will describe the work done in accessible, plain language, while the technical specialist will also receive enough information to make decisions.
Penetration Testing Report Content
The Penetration Testing report contains a list of identified vulnerabilities, weaknesses and errors in the configuration of security features, with a detailed description of their causes, the likelihood and consequences of exploitation, a criticality assessment and recommendations for elimination. It also describes the attack methods and scenarios, with confirmation of their success and the results achieved.
Thanks to the work done, you will be able to reduce cybersecurity risks and take the necessary measures to eliminate the identified vulnerabilities, including making software changes, installing the necessary updates, changing the settings of the protection tools in use, or deploying additional ones.