CREST-Certified Singapore Company | Penetration Test Service

Singapore, December 1, 2020

GROUP8, a Singapore-based cyber intelligence and cybersecurity company, is thrilled to announce that it is now a CREST-certified organisation in the area of Penetration Testing. CREST is a global not-for-profit accreditation and certification body that offers international recognition for individuals and organisations in the services of threat intelligence, penetration testing and more.

To obtain the certification, GROUP8’s Penetration Testing solutions were analysed by a series of comprehensive and rigorous assessments to make sure that its methodologies and the organisation’s experience, skills and knowledge measured up to CREST’s demanding standards.

Ian Glover, president of CREST, said that GROUP8 has entered the community of cyber intelligence and cybersecurity businesses in Singapore having attained CREST accreditation through a series of stringent evaluation of its processes, data security and security testing methodologies. He then went on to state that GROUP8 provides penetration testing and vulnerability assessments to local and overseas customers, with an attestable level of assurance that is globally recognised.

Heng Yu Lee, cofounder of GROUP8, shared his sense of satisfaction in attaining the CREST accreditation. He commented that with thorough evaluations and frequent assessments, CREST is internationally recognised as the cyber assurance organisation for the technical services industry. In this increasingly competitive industry, he added that GROUP8’s customers can be confident that their security is well-protected by services aligned with top-tier CREST standards.
About CREST

CREST is an international not-for-profit accreditation and certification body that represents and supports the technical information security market. CREST was set up in 2006 in response to the clear need for more regulated professional services and is now recognised globally as the cyber assurance body for the technical security industry.

CREST provides internationally recognised accreditations for organisations and professional level certifications for individuals providing vulnerability assessment, penetration testing, cyber incident response, threat intelligence services and Security Operations Centre (SOC) services. All CREST member companies undergo stringent assessment; while CREST qualified individuals have to pass rigorous professional level examinations to demonstrate knowledge, skill and competence. CREST also supports the industry by providing in-depth guidance material and commissioning detailed research projects. All CREST research is provided to the industry free of charge.

Through CREST’s demanding accreditation process, organisations buying security testing and incident response services get the assurance that:
- The services will be delivered by trusted companies with best practice policies and procedures.
- The work will be conducted by highly-qualified individuals with up to date knowledge, skill and competence to deal with all the latest vulnerabilities and techniques used by real attackers.
- Both the company assessments and individual qualifications are underpinned by meaningful and enforceable codes of conduct.
About GROUP8

GROUP8 is a Singapore-based cybersecurity and cyber intelligence company backed by prominent artificial intelligence, information security and defence industry veterans. It operates on the philosophy of ‘Offensive-Led Cyber Defence’, whereby its proactive cybersecurity research and unparalleled threat intelligence visibility drives the development of effective defensive techniques. Its suite of tailorable solutions covers the entire cybersecurity ecosystem, including blockchain security, CREST-certified penetration testing and web security services, to protect organisations’ digital assets and allow them to be in control.
Offering CREST-Certified VAPT Services In Singapore

As a believer in delivering quality cybersecurity solutions for you and your business, our team takes certification for vulnerability assessment and penetration testing seriously. We tailor web solutions for your needs while keeping to high standards, as validated by the CREST tester services. So, if you’re in need of VAPT services in Singapore - GROUP8 has got you covered. We are your one-stop cyber intelligence and cybersecurity company, backed by CREST-certified testers and accreditation, to protect your digital assets as they continue to grow with your business.

What is cybersecurity?

Cybersecurity is defined as applying technologies, processes, and controls to protect systems, networks, programs, devices, and data from cyber-attacks. These unauthorised attacks are designed to exploit vulnerabilities in an individual's device or an enterprise’s system to disrupt, disable, destroy, or control their data or infrastructure.

What is the difference between a vulnerability assessment and penetration testing?

A vulnerability assessment helps you to find out which vulnerabilities exist in your system, but it does not reveal the precise ones that can be utilised by hackers to cause actual damage. A penetration test, also known as a pen test or ethical hacking, fills this gap - it is an authorised and controlled hacking attempt on your system which pinpoints its exploitable vulnerabilities and the extent of damage that can be caused by their exploitation. Combining both tools will provide you with a most comprehensive cybersecurity assessment of your system, allowing you to formulate the best solution to protect your organisation’s safety and operations.

Why is penetration testing important for my organisation?

As technologies continually evolve, new system weaknesses will always emerge for threat actors to target and inflict unthinkable damage to your data, operations, business revenue and client relations. As such, regular penetration testing is needed as an offensive and proactive approach to protecting your business. It pinpoints your urgent security risks, determines their level of exploitability and derives appropriate response measures before cyber-attacks can threaten your Confidentiality, Integrity and Availability (CIA).

Penetration testing also serves as an evaluation of your organisation’s own security personnel and hones their efficiency at preventing or fending off cyber-attacks. You will raise customers’ trust in your commitment to protecting their confidentiality.

Penetration tests are even more necessary for companies whose industries have certain compliance standards to meet, like ISO 27001 or PCI DSS. Such businesses include those in the IT, finance or telecommunications sectors.

When should my organisation conduct a penetration test?

There is a consensus among cybersecurity experts that penetration tests should minimally be conducted once or twice a year. For high-growth industry members that integrate new generation technologies into their mode of business, quarterly penetration tests are believed by professionals in the field to be more favourable. Other key factors that influence penetration test frequency include your organisational size, desired penetration testing scale and resource limitations.

Penetration testing should also be carried out under the following business circumstances: Your organisation uses open-source software like Java technologies, received negative press recently, just made significant reforms or additions to its infrastructure, network or range of applications, installed the latest security patches, revised end user policies, acquired or merged with other bodies or just set up new office locations.

Of course, if you require further professional advice about the optimal time and rate at which you should conduct your penetration tests, you can always contact us via email at hello@group8.com or via our online form with your enquiry.

What types of VAPT services does GROUP8 offer?

Web application VAPT: We help you to locate and evaluate the severity of security flaws in your web-based applications, corporate website and API, before offering strategies to improve your web code, design and development. This helps you to prevent future cyber-attacks such as information-stealing attempts by hackers. In conducting a web application VAPT, you can meet industry compliance standards, preserve the integrity of your assets, increase ROI and ensure client confidence in your business.

Mobile application VAPT: We unearth and assess the risk of exploitable holes in the system, database, code and API of your mobile applications which run on platforms like Android or iOS. Our test will allow us to address data leakage, authorisation, authentication and session handling issues, among others. Initiating a mobile application VAPT will help you to not only validate the effectiveness of your cybersecurity controls and adhere to your industry’s compliance regulations, but to maintain public goodwill and safeguard assets.

Network VAPT: We test your network hardware (e.g, modems, routers and switches), design, applications, protocols and security (e.g, firewall programme) to surface vulnerabilities in your internal and external networks and highlight to you the easiest targets for cyber threat actors. This helps you to eliminate the identified weaknesses, protecting your business continuity, resources and public image.

What are the different penetration testing methods available for me?

We offer three penetration testing methods: Black box, grey box and white box. They offer different benefits and are distinguished from each other by how much access to and knowledge of the target system that the penetration tester has, prior to when they launch an authorised cyber-attack simulation.

Black box penetration testing:

Our penetration tester will attempt to hack into your system without any insider knowledge of your source codes, implementation details or security infrastructure, nor any internal access to your network and applications. They are basically mimicking the average hacker launching an attack on your system through an external interface. With a black box test, you are notified of vulnerabilities that can be exploited from outside your network, hidden GUI errors and issues with functional specifications.
Black box testing can be the quickest to run among the three methods, unless our penetration tester has to conduct extensive research on your system during the reconnaissance stage. The trade-off for this benefit is that the vulnerabilities of your internal services may remain undetected on the chance that the perimeter of your system cannot be broken through.

Grey box penetration testing:

Our penetration tester will acquire a level of system intelligence and access similar to a privileged user or an attacker who has breached your system boundaries for an extended period. They will typically have in hand login credentials and possibly even network design, architecture documentation and application logic flowcharts to help them infiltrate your system.
The advantage of this penetration testing method is that its assessment of your cybersecurity infrastructure will be more thorough and focused than a black box test, since our tester knows which systems are the riskiest or most critical at the very start. This type of penetration testing also may be a closer simulation of real-life cyber-attacks and save you more time than the black box method, as our tester assumes the role of a hacker who has already conducted reconnaissance and system footprinting.

White box penetration testing:

For this method, our penetration tester will have full access to your organisation’s system, including its applications, source codes, infrastructure documentation, credentials and network maps. They can imitate a hacking scenario in which as many attack vectors as possible are employed against your system.
This type of penetration testing produces the most detailed and comprehensive assessment of your internal and external cybersecurity weaknesses among the three methods. This also means that it is usually the most time-consuming. Do note that this method may veer away from creating an authentic real-world hacking scenario, since our pen tester is working closely with the system developer and operating on information that the usual hacker is not privy to.

Need help to determine what penetration testing method is best suited for your organisation’s needs? You can drop us an email at hello@group8.co or a message via our online form and we will be more than happy to answer any additional enquiries that you have.

What does your CREST accreditation in penetration testing mean?

CREST is a global not-for-profit accreditation and certification body that represents and supports the technical information security sector.

As we are a CREST-accredited penetration testing service provider and all our employees are CREST-certified cybersecurity experts, this confirms to clients that our entire penetration testing process is conducted at the highest legal, ethical and technical standards. Our customers can entrust us with their cybersecurity needs completely and be in control of their business with greater peace of mind.

What are the stages of your VAPT?

There are five phases to our VAPT process: Planning, Reconnaissance, Enumeration, Exploitation and Reporting.

Planning: This is when we hold a kick-off meeting to understand your organisation’s needs and discuss the logistics, legalities, methods and objectives of your VAPT. We will clarify particulars such as whether on or off-site testing is conducted, if your security team is to be informed of the upcoming penetration test or not, how important the tested system components are and what is the number of devices to be used.
Reconnaissance: We will conduct research and hunt for Open-Source Intelligence (OSINT), or publicly available information that can supplement a cyber-attack against your system. This can comprise your employees’ names and email addresses, IP addresses, domain names and network topology, among other free-source data. The objectives of your VAPT determine the extensiveness of our investigation.
Enumeration: We initiate a vulnerability scan to identify system weaknesses that hostile cyber actors may leverage upon. During a white box penetration test, this is typically done through static analysis, which is examining a software’s code without running any programs, or dynamic analysis, in which the application’s code is inspected while it is running. As for black and grey penetration tests, we run automated scanning tools to determine what services or code libraries have vulnerabilities that can be probed further. Based on the information we obtained from the Reconnaissance stage, we will also identify and categorise high-value assets and internal and external threats in mapping attack vectors.
Exploitation: Using the list of system weaknesses from the Enumeration stage, our penetration tester will officially begin the hacking simulation to assess each vulnerability for its level of risk. Once they manage to infiltrate your system, they can choose to escalate the intrusion and try to seize the highest level of access privileges and network information possible with the data and systems already in their possession. They will also check if the specific vulnerabilities they exploited can allow them to gain a prolonged residence in the system and identify high-level targets, all the while escaping detection. The extent of escalation will be based on the terms set in the Planning stage.
Reporting: Our penetration tester’s findings from the Exploitation stage will be presented to you in our Initial Penetration Testing Report. The report includes details like our testing methodology, every identified vulnerability and its severity rating, affected system constituents, evidence to support our findings and recommendations on how to remediate your vulnerabilities. We will also provide remediation support and one re-test for up to three months after the Initial Penetration Testing Report is produced. The re-test checks if the recommended preventive and corrective measures to counter system vulnerabilities detected in the first penetration test have been implemented. At the end of the VAPT project, we will provide you with a Final Penetration Testing Report.

What are the tools that you use to conduct your penetration testing?

The tools we use include, but are not limited to, the following:

Burp Suite: An integrated platform that bolsters the whole penetration testing process from the initial mapping and examination of your application’s attack surface, through to finding and exploiting a wide range of vulnerabilities involving authentication, authorisation, business logic bypass and various client-side attacks.
Nessus: A remote security scanning tool that utilises plugins to detect and alert you of vulnerabilities on your computer.
Metasploit: A tool to test servers or networks for vulnerabilities via command line alterations or GUI and use the new information to engineer solutions.
Postman: An API development tool that we use mainly to test API calls, but it can also help in building and modifying APIs.
Kali Linux: A Linux distribution that contains over 600 penetration tools. One such tool is Wireshark, a network protocol analyser that captures packets of information from network traffic.
Wireshark: A tool under Kali Linux that our penetration testers use to troubleshoot poorly performing networks and information disclosure issues. It helps us to fulfil tasks like identifying bursts of network traffic and suspicious network transactions.
Curl: A command-line tool that can connect to web applications and APIs to extract and transfer data specified with URL syntax. We use it together with Wireshark to identify information disclosure issues.
SQLmap: A penetration testing tool that automates the discovery and exploitation of SQL injection flaws, as well as the infiltration and control of a database server.

How long will the average VAPT process take?

Our penetration testing process is estimated to last for around a month on average, from the initiation of the kick-off meeting to the submission of the Final Penetration Testing Report. The longest phase of our penetration testing process is the Exploitation stage, which is typically completed within 1-2 weeks.

How can GROUP8 help my organisation?

Our dedication to cyber intelligence and cybersecurity is supported by notable information security, artificial intelligence, and defence industry experts.

At GROUP8, we pride ourselves on providing multiple solutions to best cater to our clients’ needs. Dedicated to being proactive in securing your digital assets with our ‘Offensive-Inspired Cyber Defence’ philosophy, GROUP8’s development of the most efficient defensive techniques will ensure that your organisation is always protected.

Which types of organisations can benefit from penetration testing?

Penetration testing is necessary for a wide range of businesses, including but not limited to the following:

Small and medium enterprises
Energy and utilities
Healthcare
Telecommunications provider
Government
Financial services

What is third-party penetration testing?

Third-party penetration testing is the practice of engaging the services of an external cybersecurity company, like Group8, to conduct a thorough assessment of one's security systems. This assists in identifying any concealed vulnerabilities before they are used maliciously by attackers to steal or delete data.

What factors to consider when selecting a reliable penetration testing company?

Engaging a licensed third-party penetration testing firm is a reassurance for the security of your data. When selecting the pen testing service that best suits your needs, take into account the following factors:

Ensure the pen testing team has sufficient knowledge of your sector.
Verify the pen testing team's credentials, such as the CREST accreditation.
Make sure they disclose the formalised procedure they employ for the pen test.

GROUP8 achieves CREST accreditation in Penetration Testing

Singapore, December 1, 2020

About CREST

About GROUP8

Offering CREST-Certified VAPT Services In Singapore

Frequently Asked Questions | FAQ

Vulnerability Assessment and Penetration Testing (VAPT) Service