• ADVISORY SERVICES

Quality and safety management systems

We offer partnership in the comprehensive development and implementation of a selected quality, security, GDPR, business continuity or environmental management system, including:

Zero audit of the company in terms of its compliance with the requirements of the specified standard,
Training of the executive staff, implementation team, internal auditors and an agent on the selected standard,
Development of system documentation according to the motto: ‘the less, the better’,
Comprehensive implementation supervision of the selected management system:
ISO 9001 – quality
ISO 13485 – medical devices
ISO 14001 – environment
ISO 22000 – food safety
ISO 22301 – business continuity
ISO 27001 – information security
ISO 28000 – security in the logistics supply chain
ISO 45001 – occupational health and safety
AQAP – quality for NATO suppliers
HACCP/BRC/IFS – food safety
GDPR (RODO) – personal data security
ICS (WSK) – dual-use product control
CSR – corporate social responsibility
Supplier audits (optional),
Pre-certification audit of a selected system,
Assistance in the selection of a suitable certification organisation,
Participation of the consultant in the certification audit,
System improvement after certification, including periodic reviews and audits.

We also provide services consisting in the management of our clients’ systems. In this case, the consultants act as agents for that management system or as data protection officers. We have a dozen or so contracts at present for such systems as ISO 9001, ISO 14001, HACCP/IFS/BRC, ISO 27001, GDPR or ICS (Internal Control System).

Hello from the Pomorskie Voivodeship! If you are planning to implement and certify any management system, but lack sufficient funds, do not worry. We can do everything for you to get 50% funding from the Pomorza Development Agency’s SPEKTRUM programme, or from a bank loan (currently up to PLN 600,000, all through a simplified procedure). We work with partners who know how to do this quickly and without unnecessary paperwork.

Cybersecurity

Cyber Security Audit

The proper security of web applications, IT infrastructure, and adequate procedures can play a key role in ensuring the cyber security of any company. To meet our clients’ needs, we have developed a comprehensive cyber threat assessment service, in which we combine advanced technologies and our years of experience in software development and security issues.

Ethical hacking services include vulnerability scans and penetration testing of web applications to identify security vulnerabilities, including those defined in the OWASP Top 10 standard as well as flaws in application logic and session management flows. These tests can be complemented by an audit of the IT infrastructure and comprehensive offensive security testing, including social engineering attacks.

The type and scope of the audit are tailored each time to the needs of the organisation. We specialise in the following IT audits:
Web applications,
IT infrastructures,
Social engineering tests,
Analysis of data from public sources (OSINT).

Our security testing helps organisations to effectively manage their cyber security risks by identifying, verifying and helping them to fix vulnerabilities that could otherwise lead to sensitive data leaks or an attacker taking control of an IT system.

IT infrastructure audit

Properly securing the network infrastructure is crucial to data security and to ensuring the continuity of modern business. A LAN security audit makes it possible to verify the current state of security of wired and wireless networks, identify possible vulnerabilities and demonstrate how to secure the network.

Why conduct a network infrastructure audit?

A LAN audit is an important part of an organisation’s digital security strategy and has many benefits, including:

Protecting assets – detecting security vulnerabilities minimises the likelihood of anyone outside the organisation gaining access to assets, systems or data.
Protecting the company’s sensitive and critical data – proper segregation and verification of access to data is important to protect it from unauthorised individuals.
Protecting the company’s business processes and their continuity – a properly functioning network infrastructure is crucial to the continuity of the organisation’s efforts. An audit helps prevent attacks on the computer network that could disrupt or stop business processes.
Protecting the company’s budget – restoring data and remediating the effects of attacks is usually associated with high costs.
Protecting the company’s image – a leak of sensitive data can significantly affect an organisation’s reputation.

What does an infrastructure audit cover?

The scope of the audit revolves around the following topics:
Analysis of the network topology
Analysis of the network equipment used (routers, switches, firewalls)
Verification of the division into VLANs
Verification of access control to LAN and WAN
Verification of physical access control and workstation security policies
Verification of Internet access from the LAN and from the Internet to the LAN
Network communication analysis
Identification of potential additional security methods

How does a network infrastructure audit work?

The audit proceeds in a structured manner and includes the following stages:
Information gathering – obtaining the most important information about the audited network, checking its size and the number of workstations. On this basis, together with the client, we define the objectives and scope of the audit.
Development of the audit methodology – on the basis of the collected information and the established scope of research, we detail the course of the planned process.
Testing – the main phase of the audit, during which the developed research methods are implemented. The outcome of these tests forms the basis for a detailed report.
Development of the report – the result of the audit is a report containing a detailed description of the identified threats along with a presentation of all recommendations.

Social engineering tests

Psychological manipulation is a popular tactic used by cybercriminals. By creating emails and websites that mimic well-known organisations and contacts, fraudsters try to get people to click on dangerous links, open malicious attachments and disclose credentials or personal information. In very many cases, it is much easier for an attacker to manipulate an employee of a particular company to gain access to an IT system than to carry out a sophisticated attack.
Our social engineering services enable us to assess the resilience of systems, procedures and personnel, and their ability to detect and respond to phishing attacks via email. During the audit, valuable company and employee information is identified using data collection techniques. Based on this, our experts carefully prepare a phishing test to ensure that it is as authentic as possible and has the best chance of achieving its objectives. Once the social engineering operation is complete, we document the results and make prioritised recommendations to help address any identified threats and improve security awareness training programmes.

What techniques are used during the testing?
During the audits based on social engineering, various techniques are used to enable manipulation to gain access to data or a system. Due to the domain of testing, it is particularly important to adapt the methods to the nature and processes of the organisation in question.
Phishing and spear-phishing are the most common types of social engineering attacks. They involve sending e-mails containing links to suitably crafted fake websites or infected files. The content of the messages sent is designed to manipulate the user into thinking they need to click on the link.

The crafted websites linked from the email are deceptively similar to the real websites the attacker wants to access. Spear-phishing is a more sophisticated form of phishing, targeting a smaller number of people, where the content of the message is highly personalised. The preparation of such an attack requires in-depth environmental intelligence and OSINT analysis to get to know the victim as well as possible, so that the attack can be executed more precisely. Due to the prevalence of phishing attacks, this type of testing is the most common form of social engineering audit.

Vishing (voice-phishing)
Vishing is a telephonic form of phishing, where the attacker tries to manipulate the victim in such a way as to gain access to sensitive information, e.g. the password to a particular system. This type of attack requires the preparation of sufficiently credible scenarios and the collection of OSINT information to make the tactic seem plausible and help the attacker build rapport. An audit using this form of attack requires the preparation of analogous scenarios that could be used by real attackers.

Physical security audits
A physical security audit helps test the effectiveness of an organisation’s physical security controls and access procedures. During this type of testing, the possibilities of physically entering an organisation’s building (e.g. by posing as an external service provider) as well as gaining access to the internal computer network are verified. In addition, the possibilities of physical access to workstations and data carriers are verified.

How does the audit process work?
Social engineering audits are carried out in a structured manner and the whole process comprises several stages:
Identification of threats and the definition of audit objectives – together with the client, we identify potential threats related to the acquisition of sensitive data, access to IT systems, access to the organisation or compliance with existing security procedures. We also define the objectives of the audit and the conditions for its execution.
Gathering information, identifying potential vulnerabilities – we analyse the identified threats, gather information on the information processing processes and security procedures in force, in order to select vulnerabilities on this basis. This is the basis for preparing the audit methodology.
Development of the audit methodology – on the basis of the collected information, we prepare the audit methodology and plan the course of the entire process in detail. We then discuss the planned action scenarios and implementation deadline with the client in detail.
Conducting tests – the main phase of the audit, during which the developed test methods are implemented. The outcome of these tests forms the basis for a detailed report.
Report development – the result of the audit is a report containing a detailed description of the planned research, information on its course, precise test results with interpretation and recommendations.
Presentation of results – conducting a workshop with the client to discuss the report and conclusions from the audit.

OSINT data analysis

Analysis of data from public sources (‘open-source intelligence’) allows the acquisition of valuable information (e.g. about a company), which can be useful for reconnaissance in preparation for a hacking or social engineering attack. This type of analysis can also reveal data that should not be publicly available, but has been made public as a result of human error or a malfunctioning system.
It is important to remember that, in most cases, publicly available data is security-neutral, or should be public for various reasons. OSINT (open-source intelligence) analysis allows the collection of available information so that its confidentiality can be verified.

Scope of the OSINT analysis:
searching for publicly available sensitive information,
searching for hidden sub-directories in accessible services,
listing of sub-domains (reverse DNS),
identifying publicly accessible web services,
analysing the possibility of unauthorised access to data (no password),
collecting information on available sub-domains,
identifying web software and its version.

In addition, we use OSINT analysis as part of application security audits and social engineering tests.

Introduction of companies to foreign markets

Since 2009, initially as MERIDIAN International and currently under our own brand INNOVEX Polska, we have been providing services involving the introduction of companies and their products or services to selected foreign markets. This applies to both the export activities of Polish companies and the entry of foreign companies into our market.

To date, we have been or are carrying out projects in the following sectors:
Construction (waterproofing, sanitary installations, steel and aluminium windows),
Fire protection (fire extinguishing spray and integrated fire extinguishing systems),
Chemical (rubber products, cosmetic ethanol),
Recycling (raw material waste, mainly plastics),
Renewable energy (wood briquettes, photovoltaic cells),
Food (bioactive food, dietary supplements, medical devices),
IT (managerial analyses, visual identification),
Industrial (packaging and unpacking machines, clean technologies).

We have representatives and permanent business partners in several European countries, including: Germany, Denmark, Sweden and England. Based on their experience and contacts, we are able to quickly verify the possibility of working in the selected market and preparing an export strategy for the Polish company. Of course, we are also very familiar with the Polish market, as we have been operating here for more than twenty years!

We belong to the North-South Transport and Logistics Cluster and the MERIDIAN Group, the leader of which is MERIDIAN Konsorcjum Doradcze. We are also a partner of the Swedish company, Kalex AB, and an international organisation, operating under the auspices of the European Commission, which promotes foreign cooperation, called Enterprise Europe Network.

We look forward to working with you!

Project (company) management

We offer you the service of managing any business project from its earliest development phase: the idea. We participate in the evaluation of the business concept, research the market, create a business plan, develop marketing and sales tools, which we then implement.

For several years, we have been involved in searching for and creating interesting investment projects and their subsequent commercialisation. We are primarily interested in innovative projects, for which it is possible to obtain subsidies from EU funds or private investors.

Below are some examples of our projects:
car fire spray extinguisher (as a fire extinguishing spray),
magnetic ‘decanter’ for wine,
super hydrophobic waterproofing with antimicrobial and antifouling properties,
personalised website for monitoring changes in legislation,
waste recovery from products containing glass fibre,
chokeberry juice as a bioactive food,
wallpaper framing,
high-performance wind/water turbine,
leading-edge extension,
hydrogel pot (Vita Frame),
GotujZdrowo.pl website,
non-phthalate plasticiser (DEHT) produced partly from PET waste.

Hello from the Pomorskie Voivodeship! If you are planning to implement and certify a management system, but lack sufficient funds, do not worry. We can do everything so that you get 50% funding, for example, from the Pomorza Development Agency’s SPEKTRUM programme, or even from a bank loan (currently up to PLN 600,000 in a simplified procedure). We work with partners who know how to do this quickly and without unnecessary paperwork.