The growing diffusion and usability of IT services poses new challenges regarding the protection and protection of data and assets within the company, intrusion attempts are at an all-time high and the trend is increasing year by year.

 Protecting yourself effectively is now a necessity.

 The services offered by 4Shiva are aimed at offering an overview of the customer's IT system, performing specialized and targeted tests respectively called:

  Vulnerability Assessment and Penetration Testing which can also be contextualized in order to adhere to the most disparate regulations and standards, compliance with which also facilitates and guides the work of technicians and auditors

 who must verify and evaluate an analysis procedure that must guarantee exhaustiveness and completeness of the tests.

 The term Vulnerability Assessment refers to the set of activities carried out in order to identify the largest possible number of

 vulnerability of a computer system or a single application.

 The VA procedure differs in relation to the object of interest; any digital device equipped with an operating system, connected to a local network or exposed to the Internet, can be submitted to VA.

 This activity can be carried out both from within the company perimeter (internal vulnerability assessment), and totally from the outside (internet faced vulnerability assessment), with the visibility that an attacker would have.

 This last factor is of particular interest as more and more often, seeing a company through the eyes of an attacker,

 allowing to simulate different attack scenarios and verify the degree of reaction capacity of the company.

 The Vulnerability Assessment procedure, as already mentioned, is aimed at adapting to the system whose IT vulnerabilities are to be detected, and for its practical execution.

 usually standard methodologies are considered (such as for example OWASP or OSSTMM etc ...), consolidated, shared and interpretable by the IT community that deals with cybersecurity.

 Technicians can carry out vulnerability assessments as if the system of interest were a "black box",

 without prior knowledge of the infrastructure specifications of the customer's network / application, or in "white box" mode, with full access to the technical specifications of the object in question.

 Thanks to the aforementioned methodologies, it is possible to carry out the analysis of the vulnerability of the systems that sometimes specifically require

 the use of a certain standard to be compliant with current regulations. vulnerabilità dei sistemi che talvolta richiedono specificatamente
l'uso di un determinato standard per essere compliant alle normative vigenti.

 
The term Penetration Testing refers to a set of procedures and tests designed to reveal the penetrability of a network infrastructure or a web application.

 In particular, the workflow, depending on the chosen testing methodology, tends to simulate the various phases of an actual attack by a malicious user.

 - Information gathering

 - Network scanning

 - Exploitation

 these are the crucial phases of a pentest business.

 Multiple practices, even not purely technical, such as "social engineering" are often adopted in order to gain access to the system and can be replicated and adopted by technical staff

 with the aim of demonstrating the permeability of an IT infrastructure.

 Here too, as for the Vulnerability Assessment, the adoption of standard and consolidated methodologies is used in order to make everything understandable to the reference community operating in the infosec field.

 The attack scenario and the starting point (internal or external) of the Penetration Testing and the Vulnerability Assessment also share characteristics and common name, varying precisely from

 black box mode in which a hacker's workflow is simulated in all respects, basically a blind test, the gray box in which you have partial information on the target network, up to the white box

 in which you have full knowledge of the technical characteristics of the target in question

 Some of the different thematic areas combine to define different areas for VA & PT activities

 VA & PT infrastructures: in this case, we talk about vulnerability checks of wired networks, both server and client.

 VA & PT applications: the points "exposed" online and the login pages are taken into consideration through punctual checks,

 administration and user of mobile applications, software, web portals, CRM ...

 VA & PT wireless: whose target are the access points of a particular target "

 IDENTIFY THE THREATS BEFORE IT'S TOO LATE...