Security audit & Pentest
Involve security aspects from very beginning of your IT project
A vulnerability assessment or pen-test gives you an external view of the security of your IT infrastructure and lets you assess the security of your environment or your application. The applications in your infrastructure project may contain vulnerabilities, or some mitigations may not be configured as they should be. Automated cyber attacks, viruses, ransomware, hackers and internal fraudsters could take advantage of these vulnerabilities and cause serious trouble for your organization.
Our vulnerability assessment, or pentesting, service helps you identify vulnerabilities and fix them before it’s too late. We deliver a detailed report and professional advice on how to fix the issues and improve your security.
We work in two modes: white-box or black-box pentesting. Each methodology has advantages and disadvantages.
Black-Box pentesting
The pen-tester acts without any knowledge of the systems running at the customer, like an external intruder trying to breach your system. The findings of this pentest are representative of what someone could do without any specific knowledge of the installed systems, without a local account and without knowledge of the design.
However, testing time cannot be used to the full in this scenario. Some areas of the infrastructure might remain untested (e.g. parts of the network only reachable from specific zones or IP addresses).
White-box pentesting
In this case, the pentester has reviewed all the documentation, architecture and design that are in scope of the pentest: documentation regarding the website, application, web application or infrastructure assets. The pentester can identify potential weaknesses in advance and concentrate his time on analysing the priority attention points.
In this scenario the pentester simulates an intruder who has access to a limited amount of information about the target system (such as its design or IP addresses).
Our recommended methodology is a hybrid, based partly on black-box and partly on white-box testing, to combine the advantages of each. By default we work in a non-destructive way.
Targets: websites and web applications
We mostly look for the most common vulnerabilities (OWASP Top 10), which represent 90% of all web attacks in the industry, such as SQL injection (in-band, out-of-band, blind), XSS and CSRF.
We identify vulnerabilities in the framework (Java, .NET, PHP) or in its configuration.
We analyse the modules or extensions of the framework.
We validate the configuration of all layers, from the operating system to the application, including the database.
This approach is risk-based and allows technical and non-technical people to understand the level of risk they are facing.
Application security assessment
Target: fat-client applications, business applications, VoIP/IP PBX or media applications, web services, etc.
Depending on the project, whether a new infrastructure or an application renewal, we test its security level and deliver a report.
Infrastructure security assessment
Target: partner links, IPsec, SSL VPN, work-from-home solutions, extranets, wireless networks, 802.1X solutions, BYOD, datacenters, Active Directory.
Besides applications, infrastructure components play a predominant role in the overall security of your organization. Make sure they are securely configured and that their patch level is up to date.
Social engineering
Target: test your incident response and the reactions of your employees when facing external threats. Social engineering is an excellent tool for gathering the most information in the least time. Your staff could receive by email a fake LinkedIn invitation containing a résumé, or a fake security update from a software supplier; they open the attachment or link in the message and their computer gets infected by dangerous malware. With your agreement, we can simulate this kind of attack and contact some of your staff members.
Some of your staff members are security aware and can help the organization by alerting the ICT services about potential cyber-attacks. Other staff members, however, have no knowledge of cyber-security and could become victims of hackers. Identify those users and offer them the opportunity to learn more about cyber-security: what the potential dangers are and how they need to react to those threats.
There are multiple reasons to set up a pentest. Below is a non-exhaustive list of reasons why customers have previously contacted us regarding the setup of pentests.
- Build a governance process around the development and deployment of new applications for the organization
- Set up a validation process before Internet-facing applications go live
- Mitigate risks related to conceptual or implementation issues within the scope of infrastructure or application projects
- Answer audit points or meet a compliance requirement
- Evaluate the level of security maturity of your organization, or of a sister organization that was recently acquired
- React immediately to security problems: ensure all assets have been correctly patched
- Anticipate attacks, take the initiative and be an actor in security prevention
- Guest Wi-Fi network: is a visitor able to access your internal network?
- Your SSL VPN solution: our staff uses home-working solutions massively, but is a hacker able to bypass our policies and connect to the enterprise network from an unauthorized computer?
- Test your wireless solutions: how well does our wireless solution protect against unauthorized access?
- Our main firewall has more than 3000 rules: are they up to date? Are they in line with the application documentation? Is the approval process for adding/deleting rules under control?
- Part of our ICT infrastructure is outsourced, and the IT company managing it accesses our environment remotely. Do we have enough auditing to trace what happened?
- How many servers are still running outdated operating systems or outdated databases?