Intrusion Testing in Cloud Environments

Cloud Environment Penetration Test

Over the last decade, cloud-based technology environments have become key components for companies, which increasingly migrate their services and/or systems to cloud providers.

The Cloud Environment Penetration Test covers the need for external security testing while taking into account the technological particularities and limitations that apply when testing cloud services. It simulates the actions of an attacker attempting to compromise services, applications, or components, always using the tools and methodologies used by hackers, but in an ethical manner.

At Internet Security Auditors, we provide the most appropriate security solutions for all areas of Information Systems, with audit projects based on Ethical Hacking being one of them.

The best way to perform this security assessment is by conducting controlled attacks on the systems. These can be carried out remotely (from Internet Security Auditors’ facilities) or from the client’s facilities, depending on the objectives and scope of the audit.

During the execution of a Penetration Test, different phases must be carried out. Each of them requires multiple actions and considerations. The following sections cover each of these phases and describe the action guidelines.

A Penetration Test consists of the following phases:

PLANNING

Definition and identification of the systems to be audited.

AUDIT

Execution of the tests, which are carried out progressively until intrusion is achieved, followed by escalation within the systems.

DOCUMENTATION

Drafting of all results obtained.

Scope of the tests

To carry out these attacks, both hacking techniques and tools will be used. The tools will be the same as those used by hackers in the underground world to perform attacks, together with tools created by the technical team at Internet Security Auditors to perform Penetration Tests, developed following the guidelines defined in the OSSTMM, ISSAF, and PTES standards.

Execution of tests at network and system level

Identification of services, operating systems, and network components:

  • Enumeration and identification of live hosts.
  • Port scanning and identification of their state (open, closed, filtered).
  • Identification of protocols.
  • Identification of platform and version installed on the services running on each open port.
  • Identification of platform and operating system version.

Update analysis:

  • Identification of installed versions on different systems.
  • Port scanning and identification of their state (open, closed, filtered).
  • Search for vulnerabilities affecting detected versions.
  • Manual exploitation of vulnerabilities.

Configuration analysis:

  • Detection and identification of default parameters in configuration.
  • Detection of enabled debugging options.
  • Detection of poor configurations.
  • Use of default access credentials.
  • Manual exploitation of vulnerabilities.

Authentication system analysis:

  • Identification of all services using any type of authentication.
  • Validation of credential transmission over an encrypted channel.
  • Validation of account lockout mechanisms.
  • Identification of protections against automated attacks.
  • Verification of absence of default or weak passwords.

Execution of tests at application level

Information gathering:

  • Searching for information on the Internet.
  • Platform identification.
  • Search for robots.txt and humans.txt.
  • Information leaks in the application.
  • Identification of application entry points.

Authentication system analysis:

  • Identification of all services using any type of authentication.
  • Validation of credential transmission over an encrypted channel.
  • Validation of account lockout mechanisms.
  • Identification of protections against automated attacks.
  • Validation of credential recovery process.
  • Authentication system bypass.
  • Verification of absence of default or weak passwords.

Infrastructure configuration analysis:

  • Identification of administration tools.
  • Verification of default credentials.
  • Identification of example resources.
  • Identification of backup and unreferenced files.
  • Identification of supported HTTP methods.
  • Identification of HSTS header (HTTP Strict Transport Security).
  • Identification of anti-clickjacking protections.

Identity management analysis:

  • Verification of access policy defined by the application for each existing role.
  • Validation of user registration process.
  • Verification of predictable user accounts.
  • Validation of possibility of enumerating user accounts.

Authorization analysis:

  • Identification of path traversal vulnerabilities.
  • Identification of RFI (remote file inclusion) vulnerabilities.
  • Validation of authorization scheme bypass.
  • Validation of insecure direct object references.

Session management analysis:

  • Identify cookies used by the application.
  • Analyze session tokens.
  • Verify cookie attributes.
  • Validate existence of persistent cookies.
  • Validate logout functionality.
  • Validate session expiration after reasonable inactivity.
  • Validate session fixation vulnerability.
  • Validate exposure of session variables.
  • Validate CSRF vulnerability.

Data validation analysis:

  • Verify existence of centralized data validation mechanism.
  • Confirm application correctly validates data before use.
  • Verify absence of vulnerabilities such as SQL Injection or Cross-Site Scripting.

Error management analysis:

  • Generate uncontrolled error scenarios.
  • Analyze error messages for information leaks.
  • Analyze stack traces.

Weak cryptography analysis:

  • Validate that sensitive information is not transmitted in clear text.
  • Validate that weak ciphers are not used.
  • Validate that weak protocols are disabled.
  • Validate that insecure SSL/TLS renegotiations are disabled.
  • Validate that MD5 is not used (collision attacks).
  • Validate that RC4 is not used (cryptanalytic attacks).
  • Validate that the server is protected against the BEAST attack.
  • Validate that the server is protected against the CRIME attack.
  • Validate that the server is protected against the POODLE attack.
  • Verify validity of the SSL certificate.

Verification audit

The Verification Audit verifies the corrections that organizations have applied to the vulnerabilities detected in the penetration test that is the object of the service.

As a result of the penetration test, the report will include the vulnerabilities discovered during the service and the solutions that must be implemented by each company’s staff.

Results

After the execution of the tests, the results obtained are analyzed and the associated documentation is generated.

  • Executive summary of the Audit results.
  • Results obtained in the different tests carried out, identifying the security issues found and specifying the conditions under which they were discovered so that they can be reproduced (as far as possible) to facilitate their identification and resolution.
  • Recommendations to optimally address the identified security issues.
  • Classification of detected security issues according to their level of severity.
