How It Works?
Kung Fu Cyber Security provides full service vulnerability assessments and penetration testing. We provide assessments of internal and external networks, web applications, and mobile devices.
Our penetration testing service aims to replicate real-world attacks and assess the client’s network infrastructure for vulnerabilities and threats at a specific point in time.
Following the assessment, our post-analysis presents a logical grouping of one or more security issues that share common causes and resolutions. This helps quantify and prioritize the business risk to the organization.
To assist the remediation team in prioritizing and tracking their efforts, we provide an actionable findings matrix that serves as an overarching workflow plan. Each finding is categorized based on its relative risk level and is rated according to the resources and work required to address it. We also provide hyperlinked references to relevant resources and detailed remediation information for each finding.
Our Proposition
Real-world understanding of risks posed to an organization from the perspective of an attacker, going beyond the limitations of automated scanning.
A prioritized risk rating (DREAD framework) that takes multiple business-driven criteria into account.
Direct communication with an offensive security expert with years of industry experience and with direct access to the product team of the most widely used penetration testing framework.
Standards of Testing
Penetration testing is essential for various reasons, including:
Breadth and Depth: Clients who seek a comprehensive security assessment with in-depth testing and detailed results.
Compliance: The Payment Card Industry Data Security Standard (PCI-DSS) mandates annual network penetration testing.
Best Practices: Many security frameworks suggest conducting penetration testing as part of an organization’s proactive security program, even if not explicitly required by regulations.
Contractual Obligations: Some larger enterprises require a penetration test as part of their business agreement.
Hosted Environments: As more organizations rely on the cloud, there is a growing risk of malicious users or customers accessing other siloed data. Manual penetration testing is necessary to accurately assess and mitigate this risk.
Steps of Penetration Testing
Our penetration testing methodology involves the following steps:
Reconnaissance and Enumeration: We scan the internet to identify the client’s public-facing presence and gather information about their network.
Network Surveying and Services Identification: We map out the client’s perimeter to assess their external security posture.
Manual Testing: We analyze the data gathered during the reconnaissance phase to develop and execute an attack plan.
Password Cracking: We attempt to crack password hashes and brute-force any authenticated mechanisms to identify vulnerabilities.
Application Vulnerability Validation: We perform proof-of-concept testing to identify and capture any web application-layer vulnerabilities.
Root Cause Analysis and DREAD Reporting: We pinpoint the root causes of identified issues and classify them based on severity. This information is then compiled into a final report for the client.