• ADVISORY SERVICES

Cybersecurity

PARTNER

Cyber Security Audit

The proper security of web applications, IT infrastructure, and adequate procedures can play a key role in ensuring the cyber security of any company. To meet our clients’ needs, we have developed a comprehensive cyber threat assessment service, in which we combine advanced technologies and our years of experience in software development and security issues.

Ethical hacking services include vulnerability scans and penetration testing of web applications to identify security vulnerabilities, including those defined in the OWASP TOP 10 standard as well as flaws in application logic and session management flows. These tests can be complemented by an audit of the IT infrastructure and comprehensive offensive security testing, including social engineering attacks.

The type and scope of the audit is tailored each time to the needs of the organisation. We specialise in the following IT audits:

  • Web applications,
  • IT infrastructures,
  • Social engineering tests,
  • Analysis of data from public sources (OSINT).

Our security testing helps organisations to effectively manage their cyber security risks by identifying, verifying and helping them to fix vulnerabilities that could otherwise lead to sensitive data leaks or an attacker taking control of an IT system.

IT infrastructure audit

Properly securing the network infrastructure is crucial to data security and ensuring the continuity of modern business. A LAN security audit makes it possible to verify the current state of security of cable and wireless networks, identifies possible vulnerabilities and demonstrates how to secure the network.

Why conduct a network infrastructure audit? A LAN audit is an important part of an organisation’s digital security strategy and has many benefits, including:

  • Protecting assets – detecting security vulnerabilities minimises the likelihood of anyone outside the organisation gaining access to assets, systems or data.
  • Protecting the company’s sensitive and critical data – proper segregation and verification of access to data is important to protect it from unauthorised individuals.
  • Protecting the company’s business processes and their continuity – a properly functioning network infrastructure is crucial to the continuity of the organisation’s efforts. Preventing attacks on a computer network which may result in business processes being disrupted or stopped.
  • Protecting the company’s budget – restoring data and remediating the effects of attacks is usually associated with high costs.
  • Protecting the company’s image – a leak of sensitive data can significantly affect an organisation’s reputation.

What does an infrastructure audit cover?

  • The scope of the audit revolves around the following topics:
  • Analysis of the network topology
  • Analysis of the network equipment used (routers, switches, firewalls)
  • Verification of division into VLAN
  • Verification of access control to LAN and WAN
  • Verification of physical access control and workstation security policies
  • Verification of Internet access from the LAN and from the Internet to the LAN
  • Network communication analysis
  • Identification of potential additional security methods

How does a network infrastructure audit work?
The audit proceeds in a structured manner and includes the following stages:
Information gathering – obtaining the most important information about the audited network, checking its size and the number of workstations.
On this basis, together with the client, we define the objectives and scope of the audit.
Development of the audit methodology – on the basis of the collected information and the established scope of research, we detail the course of the planned process.
Testing – the main phase of the audit, during which the developed research methods are implemented. The outcome of these tests forms the basis for a detailed report.
Development of the report – the result of the audit is a report containing a detailed description of the identified threats along with a presentation of all recommendations.

Social engineering tests

Psychological manipulation is a popular tactic used by cybercriminals. By creating emails and websites that mimic well-known organisations and contacts, fraudsters try to get people to click on dangerous links, open malicious attachments and disclose credentials or personal information. In very many cases, it is much easier for an attacker to manipulate an employee of a particular company to gain access to an IT system than to carry out a sophisticated attack.
Our social engineering services enable us to assess the resilience of systems, procedures and personnel, to detect and respond to phishing attacks via email. During the audit, valuable company and employee information is identified using data collection techniques. Based on this, our experts carefully prepare a phishing test to ensure that it is as authentic as possible and has the best chance of achieving its objectives. Once the social engineering operation is complete, we document the results and make priority recommendations to help address any identified threats and improve security awareness training programmes.

What techniques are used during the testing?
During the audits based on social engineering, various techniques are used to enable manipulation to gain access to data or a system. Due to the domain of testing, it is particularly important to adapt the methods to the nature and processes of the organisation in question.
Phishing and speech-phishing are the most common types of social engineering attacks. They involve sending e-mails containing links to suitably crafted fake websites or infected files. The content of the messages sent is designed to manipulate the user into thinking they need to click on the link.

The crafted websites linked from the email are deceptively similar to the real websites the attacker wants to access. Spear-phishing is a more sophisticated form of phishing, targeting a smaller number of people, where the content of the message is highly personalised. The preparation of such an attack requires an in-depth environmental intelligence and OSINT analysis to get to know the victim as well as possible, so that the attack can be executed more precisely. Due to the prevalence of phishing attacks, this type of testing is the most common form of social engineering audit.

Vishing (voice-phishing) Vishing is a telephonic form of phishing, where the attacker tries to manipulate the victim in such a way as to gain access to sensitive information, e.g. the password to a particular system. This type of attack requires the preparation of sufficiently credible scenarios and the collection of OSINT information to make the tactic seem plausible and help the attacker build rapport. An audit using this form of attack requires the preparation of analogous scenarios that could be used by real attackers.

Physical security audits A physical security audit helps test the effectiveness of an organisation’s physical security controls and access procedures. During this type of testing, the possibilities of physically entering an organisation’s building (e.g. by posing as an external service provider) as well as gaining access to the internal computer network are verified. In addition, the possibilities of physical access to workstations and data carriers are verified.

How does the audit process work?
Social engineering audits are carried out in a structured manner and the whole process comprises several stages:
Identification of threats and the definition of audit objectives – together with the client, we identify potential threats related to the acquisition of sensitive data, access to IT systems, access to the organisation or compliance with existing security procedures. We also define the objectives of the audit and the conditions for its execution.
Gathering information, identifying potential vulnerabilities – we analyse the identified threats, gather information on the information processing processes and security procedures in force, in order to select vulnerabilities on this basis. This is the basis for preparing the audit methodology.

Development of the audit methodology – on the basis of the collected information, we prepare the audit methodology and plan the course of the entire process in detail. We then discuss the planned action scenarios and implementation deadline with the client in detail.
Conducting tests – the main phase of the audit, during which the developed test methods are implemented. The outcome of these tests forms the basis for a detailed report.
Report development – the result of the audit is a report containing a detailed description of the planned research, information on its course, precise test results with interpretation and recommendations.
Presentation of results – conducting a workshop with the client to discuss the report and conclusions from the audit.

OSINT data analysis
Analysis of data from public sources (‘open-source intelligence’) allows the acquisition of valuable information (e.g. about a company), which can be useful for reconnaissance in preparation for a hacking or social engineering attack. This type of analysis can also reveal data that should not be publicly available, but has been made public as a result of human error or a malfunctioning system.
It is important to remember that, in most cases, publicly available data is security-neutral, or should be public for various reasons. OSINT (open-source intelligence) analysis allows the collection of available information so that its confidentiality can be verified.

OSINT data analysis

Analysis of data from public sources (‘open-source intelligence’) allows the acquisition of valuable information (e.g. about a company), which can be useful for reconnaissance in preparation for a hacking or social engineering attack. This type of analysis can also reveal data that should not be publicly available, but has been made public as a result of human error or a malfunctioning system.
It is important to remember that, in most cases, publicly available data is security-neutral, or should be public for various reasons. OSINT (open-source intelligence) analysis allows the collection of available information so that its confidentiality can be verified.

Scope of the OSINT analysis:

  • searching for publicly available sensitive information,
  • searching for hidden sub-directories in accessible services,
  • listing of sub-domains (reverse DNS),
  • identifying publicly accessible web services,
  • analysing the possibility of unauthorised access to data (no password),
  • collecting information on available sub-domains,
  • identifying web software and its version.

In addition, we use OSINT analysis as part of application security audits and social engineering tests