Our service offerings
Vulnerability Assessment
Discovering technological vulnerabilities on the external perimeter or the internal network
Gain visibility into your technological security controls
Assessments include the following steps:
- Asset and resource discovery inside the network;
- Identification of vulnerabilities or potential threats for each resource;
- Mitigation recommendations, or assistance with mitigating the most serious vulnerabilities affecting the most valuable resources.
Assessments cover and report on:
- the vulnerabilities discovered, detailing the risk posed to the organization;
- the CVE references if applicable and the risk score according to the Common Vulnerability Scoring System (CVSS) standard;
- detailed steps to remediate each vulnerability, which may include applying patches or re-configuring operating systems and applications;
- steps to mitigate the risk if applicable, such as setting up automatic updates for the operating system to prevent the same type of issue from recurring.
Social Engineering
Assessing the need for employee awareness training in Social Engineering techniques
Assess your organization’s responsiveness to manipulation techniques
Phishing campaign
- Design of plausible pretexts tailored to the target organization and likely to elicit a positive response from employees;
- Launch of a rapid dispatch campaign lasting a maximum of two working days, to avoid contamination of the results;
- Collection of results and statistical analysis of different metrics, such as opening links or attached files and entering sensitive information.
Vishing campaign
- Open-Source intelligence (“OSINT”) search on public sources;
- Use of social engineering techniques (“reconnaissance”, “watering hole”);
- Voice phishing attacks (“vishing”):
  - attempts to extort sensitive information;
  - attempts to have remote commands executed through manipulation;
- Testing whether persistence can be established in the internal network.
Application Tests
Assessing the security of Web, mobile or thick-client applications
Simulate the behaviour of malicious actors against your application, from the Internet or from within your internal network
Web or mobile testing
- Testing for unauthorized access;
- Validating the strength of cryptographic mechanisms;
- Attempts to inject malicious code into the application;
- Validation of security configurations;
- Validation of known vulnerabilities in application components;
- Bypass of authentication mechanisms;
- Validation of the proper management of error messages.
Code review
- Conceptual review of the application;
- Threat modelling:
  - Decomposition of the application;
  - Threat categorization;
  - Definition of countermeasures and remediation methods;
- Automated and manual analysis;
- Static and dynamic code analysis;
- Risk assessment by control area:
  - Web;
  - Input management;
  - Session management;
  - Data management;
  - Architecture and business logic.
Penetration Tests
Assessing the internal, external and physical security of the organization through realistic attack methods
Put your organization’s security to the test against hackers
External perimeter
- Searching for information on the public Internet (“OSINT”);
- Password spraying or brute-force attacks;
- Attempted breach of the organization’s internal network;
- Validation of protection mechanisms against brute force attacks;
- Listing common application vulnerabilities;
- Searching for misconfigurations;
- Exploitation of discovered vulnerabilities.
Internal network
- Analysis of the organization’s technological environment:
  - Active Directory domain mapping;
  - Enumeration of high-risk services;
- Interception of communications using methods known to malicious actors;
- Wireless network analysis;
- Simulation of realistic attack scenarios based on vulnerability “kill chains”;
- Assessment of configurations and practices.
Physical security
- Assessment of the robustness of physical security controls, including:
  - Physical barriers;
  - Perimeter surveillance;
  - Authentication mechanisms;
  - Detection of unauthorized access;
  - Physical security management process;
- Design of intrusion scenarios to validate the effectiveness of controls, such as:
  - Unauthorized access to a sensitive internal perimeter;
  - Equipment theft;
  - Obtaining an unauthorized connection to the internal network;
  - Demonstrating the ability to disable business-critical equipment.