Identify, Protect, Detect, Respond, Recover

Prevent, Detect, Protect & Respond

Offensive Security

Vulnerability Assessment & Penetration Test

Scope
Web Application

This assessment is designed to identify, quantify and prioritize vulnerabilities of a Web Application by validating and verifying the effectiveness of application security controls.

E.g.
- Web Portal (CMS, custom website, ...)
- CRM, ERP, TTS

Network

The network pen test provides suggestions to better protect sensitive data and prevent take-over of systems for malicious/non-business purposes by identifying real-world opportunities to compromise systems and networks.

E.g.
- Public Subnet
- Private Subnet (LAN, DMZ, etc.)

Insider Threat

The aim of this assessment is to simulate actual risks and areas of concern to the organization by impersonating a disgruntled employee or a fraudulent consultant trying to steal info or data, or to allow others to get into the company perimeter.

Testing Assignment
Black Box

In this assignment, there is no internal knowledge of the target system. Testers are not provided with any architecture diagrams or source code that is not publicly available. A black-box penetration test determines the vulnerabilities in a system that are exploitable from outside the network.

Gray Box

A gray-box test is made with the access and knowledge levels of a user, potentially with elevated privileges on a system. Gray-box pentesters typically have some knowledge of a network’s internals, potentially including design and architecture documentation and an account internal to the network.

White Box

During a White Box test, penetration testers (PTs) are given full access to source code, architecture documentation and so forth. The main challenge with white-box testing is sifting through the massive amount of data available to identify potential points of weakness.

HOW DOES IT WORK?
Activity Flow

- Definition of activities and scope
- Definition of the Rules of Engagement
- Project Execution
- Reporting

Methodologies

- OWASP (Open Web Application Security Project)
- OSSTMM (Open Source Security Testing Methodology Manual)

Classification

- CVSS3 (Common Vulnerability Scoring System Version 3.0)

Security Consulting

Source Code Analysis

This type of analysis is not merely automated code debugging: by looking at the broader perspective of the application environment, the aim is to find bugs and faults that may not be obvious to a programmer. It is meant to find faults such as possible buffer overflows, untidy use of pointers and misuse of garbage collection functions, all of which may be exploitable by a hacker.

Gap Analysis

Gap Analysis is the examination of the actual security level against the potential or desired risk level, compared against best practices and current law. The current state (As Is) is depicted and the steps to reach the expected state (To Be) are described. The methodology uses references such as ISO 27001 and NIST.

Digital Risk

In its most basic form, it is the analysis of the risk to an organization’s digital resiliency. As an organization extends its social media presence, web presence, mobile application capabilities, etc. and has a greater dependency on that digital footprint to achieve its revenue goals or mission, its digital risk increases. Digital risk spans outside the traditional view of cyber threat intelligence tools and technologies. E.g. OSINT, SOCMINT.

Phishing Education

In order to increase the ability of end users to spot fake or potentially harmful messages, via email or other media, it is mandatory to test your employees with generic or spear phishing attacks and to evaluate their response; this activity allows the company to assess the related security risk.

Security Awareness

Employees are part of an organization’s attack surface, and ensuring they have the know-how to defend themselves and the organization against threats is a critical part of a healthy security program. Security awareness training is not a one-and-done exercise. Regular security training through multiple media is ideal.