Our service offerings
![](https://hexa-security.ca/wp-content/uploads/2022/03/loupe_blanc-300x276.png)
Vulnerability Assessment
Discovering technological vulnerabilities on the external perimeter or the internal network
Gain visibility into your technological security controls
Assessments include the following steps:
- Asset and resource discovery on the external perimeter or inside the internal network;
- Identification of vulnerabilities and potential threats for each resource;
- Mitigation recommendations, or assistance with remediating the most serious vulnerabilities on the most valuable assets.
Assessments cover and report on:
- the vulnerabilities discovered, detailing the risk each one poses to the organization;
- the CVE identifiers, where applicable, and the severity score according to the Common Vulnerability Scoring System (CVSS) standard;
- detailed steps to remediate each vulnerability, which may include applying patches or reconfiguring operating systems and applications;
- steps to reduce the risk of recurrence where applicable, such as enabling automatic operating system updates so that the same class of issue does not return.
![](https://hexa-security.ca/wp-content/uploads/2022/03/hamecon_blanc.png)
Social Engineering
Assessing the need for employee awareness training on social engineering techniques
Assess your organization's susceptibility to manipulation techniques
Phishing campaign
- Design of plausible pretexts tailored to the target organization and likely to elicit a response from employees;
- A short sending window (two working days at most), so that employees warning each other does not skew the results;
- Collection of results and statistical analysis of metrics such as links opened, attachments opened and sensitive information submitted.
Vishing campaign
- Open-source intelligence ("OSINT") gathering from public sources;
- Use of social engineering techniques ("reconnaissance", "watering hole");
- Voice phishing ("vishing") attacks:
  - attempts to elicit sensitive information;
  - attempts to get the employee to run commands or software on their workstation through manipulation;
- Testing whether the access obtained can be made persistent in the internal network.
![](https://hexa-security.ca/wp-content/uploads/2022/03/roue_blanc.png)
Application Tests
Assessing the security of Web, mobile or thick-client applications
Simulate the behaviour of malicious actors against your application, from the Internet or from within your internal network
Web or mobile testing
- Validation of access controls (attempts at unauthorized access);
- Validation of the strength of cryptographic mechanisms;
- Injection attempts (malicious input and code injected into the application);
- Validation of security configurations;
- Identification of known vulnerabilities in application components (third-party libraries and frameworks);
- Bypass of authentication mechanisms;
- Validation that error messages are handled properly and do not leak sensitive details.
Code review
- Conceptual review of the application;
- Threat modelling:
  - Decomposition of the application;
  - Threat categorization;
  - Definition of countermeasures and remediation methods;
- Automated and manual analysis;
- Static and dynamic code analysis;
- Risk assessment by control area:
  - Web;
  - Input handling;
  - Session management;
  - Data handling;
  - Architecture and business logic.
![](https://hexa-security.ca/wp-content/uploads/2022/03/cible_blanc.png)
Penetration Tests
Assessing the internal, external and physical security of the organization through realistic attack methods
Put your organization's security to the test against real-world attackers
External perimeter
- Searching for information on the public Internet ("OSINT");
- Password spraying and brute-force attacks against exposed authentication services;
- Attempts to breach the organization's internal network from the outside;
- Validation of protection mechanisms against brute-force attacks (account lockout, rate limiting);
- Enumeration of common application vulnerabilities on exposed services;
- Searching for misconfigurations;
- Exploitation of discovered vulnerabilities.
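The password spraying and brute-force items above differ in a way that matters for the protection mechanisms being validated: a spray makes one or two attempts per account across many accounts, so per-account lockout never triggers, while classic brute force hammers one account. The detector below is an added example written for this page, not code from Hexa Security; it runs over constructed syslog-style lines (the log format, host name and IP addresses are assumptions) and classifies each source IP by looking at distinct accounts and per-account attempts within a sliding window.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log format for an Internet-facing VPN portal (constructed, not a real product's format):
# <ISO timestamp> <host> auth: <FAILED|OK> user=<account> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample data: one spraying source, one brute-forcing source, one benign user.
SPRAY_LINES = [
    f"2024-03-04T08:00:{4 * i:02d}Z vpn01 auth: FAILED user={u} src=203.0.113.7"
    for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])
]
BRUTE_LINES = [
    f"2024-03-04T08:01:{i:02d}Z vpn01 auth: FAILED user=alice src=198.51.100.9"
    for i in range(12)
]
BENIGN_LINES = [
    "2024-03-04T08:02:00Z vpn01 auth: FAILED user=grace src=192.0.2.33",
    "2024-03-04T08:30:00Z vpn01 auth: OK user=grace src=192.0.2.33",
]
SAMPLE_LOG = SPRAY_LINES + BRUTE_LINES + BENIGN_LINES


def parse_line(line):
    """Return a dict for a well-formed auth line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_auth_attacks(lines, window=timedelta(minutes=10),
                        spray_min_accounts=5, brute_min_attempts=10):
    """Classify each source IP as 'password_spraying' or 'brute_force'.

    Pivoting on the source IP is the point: a spray keeps every account under the
    lockout threshold, so counting failures per account alone never sees it.
    """
    failures = [e for e in map(parse_line, lines) if e and e["result"] == "FAILED"]
    by_src = defaultdict(list)
    for e in failures:
        by_src[e["src"]].append(e)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end, e in enumerate(events):
            # Slide the window so it only holds failures within `window` of this one.
            while events[start]["ts"] < e["ts"] - window:
                start += 1
            attempts_per_user = Counter(x["user"] for x in events[start:end + 1])
            if len(attempts_per_user) >= spray_min_accounts:
                findings[src] = "password_spraying"   # many accounts, few tries each
                break
            if max(attempts_per_user.values()) >= brute_min_attempts:
                findings[src] = "brute_force"         # one account, many tries
                break
    return findings


if __name__ == "__main__":
    for src, kind in detect_auth_attacks(SAMPLE_LOG).items():
        print(f"{src}: {kind}")
```

The thresholds are illustrative; in practice they should sit below whatever lockout policy the organization enforces, and a spray run from many source addresses will additionally need correlation on user agent or target account set rather than source IP alone.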
Internal network
- Analysis of the organization's technological environment:
  - Active Directory domain mapping;
  - Enumeration of high-risk services;
- Interception of network traffic using the same techniques as real attackers;
- Wireless network analysis;
- Simulation of realistic attack scenarios chaining vulnerabilities into "kill chains";
- Assessment of configurations and practices.
Physical security
- Assessment of the robustness of physical security controls, including:
  - Physical barriers;
  - Perimeter surveillance;
  - Authentication mechanisms;
  - Detection of unauthorized access;
  - Physical security management processes;
- Design of intrusion scenarios to validate the effectiveness of controls, such as:
  - Unauthorized access to a sensitive internal area;
  - Equipment theft;
  - Obtaining an unauthorized connection to the internal network;
  - Demonstrating the ability to disable business-critical equipment.