VAPT (Vulnerability Assessment and Penetration Testing) involves evaluating systems and networks to identify vulnerabilities, configuration issues, and potential routes of unauthorized access. It is recommended for SMEs due to common security issues like phishing and ransomware attacks targeting them. The document outlines the types of VAPT testing, why SMEs need it, example data breaches, and estimated costs of common cyber attacks and security services.

1. Innovative Solutions Hub for the Future
Introduction to VAPT – What, Why, When

2. What is VAPT?

3. Vulnerability Assessment
• A process to evaluate and review key
systems, networks and applications
• To identify vulnerabilities and
configuration issues that may put the
organization at risk of being breached
or exploited
• Effective in identifying vulnerabilities,
but it cannot differentiate between
exploitable vs non-exploitable
vulnerabilities

4. Penetration Testing
• Goal-driven test focused on identifying
all possible routes of entry an attacker
could use to gain unauthorized entry
into the target
• Identifies the potential damage and
further internal compromise an
attacker could carry out once they are
past the perimeter.
• Proof of concept strategy to
investigate, exploit and validate the
extent of the identified vulnerability

5. • Testing from an external network with no prior
knowledge of the internal network and system
Black Box
Testing
• Test being performed from within the network
• Prior knowledge of the network, architecture and
system.
White Box
Testing
• Testing from an internal or external network
• Partial knowledge of the internal network and system
• Combination of both white and black box testing
Grey Box
Testing
Process Type

6. Network
Vulnerability
Assessment &
Penetration
Testing
• Internal & External IPs
• VoIP & Cloud ;Telephony
• Devices – Firewall, Switches, Routers, etc
• AWS Cloud
Configuration
Review
• AWS Cloud Assessment
• Devices – Firewall, Switches, Routers, etc
Objective - The scope will be scanned and tested for vulnerabilities using a wide variety of tools and
techniques. The tools and techniques used will be consistent with current industry trends regarding exploitation
of vulnerabilities. The tools and procedures are:
• Threat and attack vectors
• Combination of vulnerabilities exploited in a particular sequence
• Business and operational impact of attacks
• Efficiency of the client’s network and environment to detect and respond to attacks
• Areas of focused investment to reduce or mitigate risks
Test Type

7. Objective – Key objective is to impersonate a
real-world attacker and discover security issues
within an application. We also want to assist the
organisation in resolving the findings. We also
want to provide a business case for investing in
relevant security controls.
Methodology – Industry standard test cases like,
cookie attacks, sensitive data exposure, session
management, data validation, business logic,
security misconfigurations and much more.
Evaluation – Impact and Risk Factor for the
business. Remediation methods
Application Security
Test Type

8. Social
Engineering
Training
USB PhishingEmail Phishing
Campaigns
Objective – A simulated attack vector that relies
heavily on human interaction and often involves
manipulating people into breaking normal security
procedures and best practices in order to gain
access to systems, networks or physical locations.
Methodology:
Baiting – An attacker leaves a malware-infected
physical device, such as a USB flash drive, in a
place it is sure to be found. The finder then picks
up the device and loads it onto his or her
computer, unintentionally installing the malware.
Spear Phishing/Phishing – Phishing is when a
malicious party sends a fraudulent email disguised
as a legitimate email, often purporting to be from a
trusted source. The message is meant to trick the
recipient into sharing personal or financial
information or clicking on a link that installs
malware.
Test Type

9. Why VAPT?

10. THE PROBLEM
Hacktivist Cyber Criminals Malware/Ransomware State Sponsored Attacks

11. VAPT for SMEs
Cybersecurity Myths for SMEs
• I have a firewall, so I’m safe from attacks
• Hackers understand strategies adopted by a firewall quite well. Disrupting codes and exploiting basic IT
oversights to gain access to your system is easy.
• While most cyber security threats are avoidable, your organizations can not rely solely on firewalls for
protection.
• I use HTTPS, so my site is secure
• HTTPs safeguards the transmission of information from source to destination. This is web security at a
minimal.
• It does not block attacks like DDoS, brute force, injections, etc.
• There is also the issue of organizations using fake SSL certificates, resulting in their organization being
compromised
• SMEs are safe because they are not worthwhile targets
• SMEs are considered to be low hanging fruits for hackers because so many do not take security seriously.
• One of the most popular attacks that hackers use against SMEs is ransomware.

12. VAPT for SMEs
Why do SMEs need VAPT?
• Basic security measures are not enough.
• Firewalls or anti-virus solutions are not sufficient to protect against attacks.
• Security budget
• Unlike MNCs, SMEs do not have the budget to implement everything.
• There is limited or no resource for security expertise.
• What VAPT adds value to is to streamline what is needed for the organization.
• Reputation
• Potential clients or business partners will feel insecure on collaboration.
• Contributing factors can be issues like safeguard of important data.
• SMEs also lose out on potential/existing business.
• Compared to SMEs, larger organizations have a much greater potential to survive an attack due to the help of
current investors and existing large clients. (E.g. Sony (04/2011) survived through the attack.)

13. VAPT for SMEs
Almost 40% of cyberattacks in Singapore target small and medium enterprises (SMEs), according to the Cyber
Security Agency of Singapore (CSA). Phishing attempts and ransomware were the most common methods used.
https://www.insurancebusinessmag.com/asia/news/breaking-news/smes-hit-by-40-of-cyberattacks-in-singapore-
103736.aspx
Insurance Business Asia, 20-Jun-2018

14. Use Cases (2019)

15. Company: Fortnite / Online Gaming
- In January 2019, it was announced that all 200 Million user accounts on Fortnite had been
compromised through a company-wide data breach.
- By using a website developed in 2004 by Fortnite makers, Epic Games, hackers were able to gain access
to the database that housed usernames, and passwords. They used this to purchase in-game currency,
V-Bucks, and also listen into in-game chats.
https://research.checkpoint.com/hacking-fortnite/
Checkpoint Research, 16-Jan-2019

16. Company: Dow Jones / Financial
- American financial information and publishing firm, Dow Jones, suffered a data leak in March 2019. It
compromised over 2 Million identity records for politicians and government officials around the
world.
https://securitydiscovery.com/dow-jones-risk-screening-watchlist-exposed-publicly/
Security Discovery, 27-Feb-2019

17. Company: Instagram / Social Media
• On May 20th, 2019, news broke that over 49 million Instagram influencers, celebrities, and companies
had large amounts of their personal data compromised. The data compromised included personal
telephone numbers, emails, and location data.
• The breach is a result of Indian social media marketing firm, ChatrBox, having completely unsecured
AWS databases.
https://techcrunch.com/2019/05/20/instagram-influencer-celebrity-accounts-scraped/
Tech Crunch, 23-May-2019

18. Below is an extract of a price table, based on Infosec Institute.
https://resources.infosecinstitute.com/hacking-communities-in-the-deep-web/#gref
Infosec Institute, 15-Jan-2019
Hacking web server (vps or hosting) USD 250 (1,04 BTC at the time I’m writing)
Hacking personal computer USD 200 (0,83 BTC at the time I’m writing)
Hacking Social Media Account (Facebook, Twitter) USD 300 (1,25 BTC at the time I’m writing)
Gmail Account Take over USD 300 (1,25 BTC at the time I’m writing)
Security Audit
Web Server security Audit USD 400 (1,66 BTC at the time I’m writing)
Malware
Remote Access Trojan USD 150 – 400 (0,62 – 1,66 BTC at the time I’m writing)
Banking Malware Customization (Zeus source code) USD 900 (3,75 BTC at the time I’m writing)
DDoS attack
Rent a botnet for DDoS attack (24 hours) USD 150 – 500 (2,08 – 1,66 BTC at the time I’m writing)

19. www.netpluz.asia
contact@netpluz.asia
+65 6805 8998