A vulnerability assessment identifies, quantifies and prioritizes (or ranks) the vulnerabilities in a system, using both system and application vulnerability scans.
System vulnerabilities normally exist because of exploitable programming errors in the operating system, and vendors normally release patches when these errors are made public. Patching hundreds or thousands of systems is a tedious business, though, and can sometimes disable functioning applications. Consequently, it is often resisted by IT departments.
Vulnerability scans are semi-automated processes that can check whether patches or updates have been installed, bugs removed, and systems securely configured. They report everything found. Our assessors then carefully review the results to ‘sift out’ false positives and check whether each vulnerability really exists and whether action needs to be taken.
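The triage step described above can be partly scripted. The following is an added example, not the assessors' own tooling or code from this page: it takes constructed scanner findings (package, detected version, first fixed version, placeholder advisory ids) and a constructed host inventory that records the version actually installed and any vendor-backported fixes, then sorts each finding into confirmed, false positive, or unknown. The data, the advisory ids and the inventory format are all assumptions for illustration.

```python
"""Triage of vulnerability-scan findings against a patch inventory.

Added example, not part of the original page or the assessors' tooling.
Assumes a scanner that reports a package, the version it detected and the
version that fixes the issue, plus a host inventory that records the version
actually installed and any vendor backports. All data below is constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    package: str
    advisory: str   # placeholder advisory id (constructed, not a real CVE)
    detected: str   # version the scanner believes is installed
    fixed_in: str   # first version that contains the fix


# Constructed scanner output for two hosts.
SCAN_RESULTS = [
    Finding("web-01", "openssl", "ADV-EXAMPLE-001", "1.1.1k", "1.1.1l"),
    Finding("web-01", "nginx",   "ADV-EXAMPLE-002", "1.18.0", "1.20.1"),
    Finding("db-01",  "openssl", "ADV-EXAMPLE-001", "1.1.1k", "1.1.1l"),
    Finding("db-01",  "bash",    "ADV-EXAMPLE-003", "5.0",    "5.1"),
    Finding("db-01",  "curl",    "ADV-EXAMPLE-004", "7.68.0", "7.79.0"),
]

# Constructed inventory: what is really installed and which advisories the
# vendor has backported into an older-looking version string.
INVENTORY = {
    "web-01": {
        "openssl": {"version": "1.1.1n", "backports": set()},
        "nginx":   {"version": "1.18.0", "backports": {"ADV-EXAMPLE-002"}},
    },
    "db-01": {
        "openssl": {"version": "1.1.1k", "backports": set()},
        "bash":    {"version": "5.0",    "backports": set()},
    },
}


def parse_version(text):
    """Split a version such as '1.1.1k' into a comparable tuple.

    Numeric pieces compare numerically; alphabetic suffixes compare as
    strings after the numbers, so 1.1.1 < 1.1.1k < 1.1.1l.
    """
    parts = []
    for piece in re.findall(r"\d+|[A-Za-z]+", text):
        parts.append((0, int(piece)) if piece.isdigit() else (1, piece))
    return tuple(parts)


def triage(finding, inventory):
    """Return (verdict, reason) for one finding.

    Verdicts: 'confirmed' (installed version is older than the fix),
    'false_positive' (fix present or backported), 'unknown' (host or
    package missing from the inventory, so an assessor must check by hand).
    """
    entry = inventory.get(finding.host, {}).get(finding.package)
    if entry is None:
        return "unknown", "package not in inventory; verify manually"
    if finding.advisory in entry["backports"]:
        return "false_positive", "vendor backported the fix"
    installed, fixed = entry["version"], finding.fixed_in
    if parse_version(installed) >= parse_version(fixed):
        return "false_positive", f"installed {installed} >= fixed {fixed}"
    return "confirmed", f"installed {installed} < fixed {fixed}"


def triage_all(findings, inventory):
    """Group findings by verdict so confirmed items can be reviewed first."""
    report = {"confirmed": [], "false_positive": [], "unknown": []}
    for f in findings:
        verdict, reason = triage(f, inventory)
        report[verdict].append((f.host, f.package, f.advisory, reason))
    return report


if __name__ == "__main__":
    for verdict, items in triage_all(SCAN_RESULTS, INVENTORY).items():
        print(f"{verdict}: {len(items)}")
        for item in items:
            print("   ", item)
```

The backport check matters in practice: distribution vendors often fix an issue without bumping the upstream version string, so a scanner that keys only on version numbers will keep reporting it. Anything the inventory cannot answer is left as 'unknown' rather than silently dismissed.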
A penetration test is a simulated attack to identify vulnerabilities in information systems. Our security experts, ‘white hat hackers’, put themselves in the position of someone determined to gain access to systems and data illicitly – for example, without knowledge of usernames and passwords.
Like a hacker or a malicious adversary, they try every trick in the book, every possible plan of attack. They find the ways applications could be modified, and confidential information such as price lists or customer databases stolen or subverted. They then provide a report – explaining how they ‘broke in’ and how an organization can avoid it happening ‘for real’.
APPLICATION SECURITY ASSESSMENT
An application security assessment can be compared with a penetration test, but it focuses on the application layer and goes much deeper.
It is carried out by a team of application security experts using a combination of automated tools and manual tests. The assessment’s purpose is to identify vulnerabilities in the application, estimate the probability of them being exploited, and provide a risk profile for the application components.
Drawing on their own knowledge and experience, our assessors exploit logical errors in the application, as well as coding errors, to gain entry. They also consider the potential impact of any problems – and help you find ‘proportionate’ solutions.
SOCIAL ENGINEERING ASSESSMENT
When people think about security, hacking, security breaches and cyber-attacks, many have the false picture they have seen in Hollywood movies: a genius hacker who works on several monitors and keyboards at once, writes code and commands faster than most of us can read, and can destroy any system in the world.
Slightly more technical people assume it means exploiting vulnerabilities in the systems and technologies in use to gain access and data that you should not have. What both views share is the immediate assumption that the technology will be exploited and that technology is the reason bad things happen. That may sometimes be the case, but the truth is that from the beginning humans have been the weakest link in the security chain.
You can spend millions on the latest technology and bullet-proof systems, but as long as humans manage them, they will be vulnerable. A social engineering assessment targets exactly that. Using a range of approaches, we try to take advantage of somebody’s trust, naivety, low security awareness and many other factors to obtain access and data that would not normally be granted.
OPEN SOURCE INTELLIGENCE
OSINT (Open Source Intelligence) is data available in the public domain which might reveal interesting information about your target. This includes DNS, Whois, web pages, passive DNS, spam blacklists, file metadata and threat intelligence lists, as well as services like SHODAN, Have I Been Pwned and more.
Is your network already compromised by a sophisticated attacker, malware, or internal attack? What risks do malware, ransomware, unauthorized software, or cloud services pose to your organization? Is your critical data being stolen by malware or hackers?
We reconnoitre your organization’s network and infrastructure for the presence of malicious threat actors.
SECURITY AWARENESS TRAINING
Create awareness among the people of your organization against common threats such as social engineering attacks.