IT Security Consulting
Year by year we have seen not only a growing number but also an increasing complexity of internet threats. Cyber criminals are using more and more sophisticated methods to compromise organizations in order to steal confidential data, sabotage or economically blackmail companies.
On the other hand, there are more and more IT systems that process sensitive data and become easy targets of attacks of various types. The more vulnerabilities a system has in its protection mechanisms, the better an environment it becomes for successful attacks. It must be stressed that even the best ICT security solutions of the world’s leading producers do not guarantee 100% resistance to cyber threats.
The consequences of attacks may seriously affect organizations. A cyber criminal may, for instance, lock all the computers in the company, sabotage the production process or steal personal data of the company’s customers.
A good market practice is to conduct regular penetration tests. Together with the knowledge and experience of independent ICT security specialists, the tests allow identification of gaps and vulnerabilities, which makes them an effective supplement to the entire ICT security system in every company or organization.
EXATEL SA offers professional penetration test services which verify the resistance of the organization’s IT environment to security breach attempts, made both from the Internet and from the local network. By simulating real attacks we may identify areas that constitute threats to security and confidentiality of data and may disrupt business continuity.
EXATEL’s offer of penetration tests includes the following services:
- penetration tests of web and mobile applications,
- external and internal penetration tests of the network,
- reverse engineering,
- security audit of the wireless network,
- security audit of configurations of the operating system and SQL databases.
Penetration tests – types and methods
There are three types of penetration tests:
- black-box tests – penetration testers have little knowledge of the tested system or elements of the customer’s IT infrastructure.
- gray-box tests – testers have incomplete knowledge of the tested system or the customer’s IT infrastructure components.
- white-box tests – testers have full knowledge of the audited system or the customer’s IT infrastructure components.
Depending on the type of the audited system or the customer’s IT infrastructure component and the customer’s preferences, the penetration tests may be conducted either in the customer’s facility or remotely.
For penetration tests we use both test-automation and attack-simulation tools as well as manual verification. The proportion of automatic to manual tests varies, depending on the specificity of each project.
All the services are based on our in-house developed methodology using penetration test methodologies widely recognized within the IT world, such as OWASP ASVS (Application Security Verification Standard) or PTES (Penetration Testing Execution Standard).
When should you conduct penetration tests?
- when a web application processes significant data (e.g. personal data, medical data, payment card data),
- when a major part of the company’s operations is based on web applications available online,
- when the value of protected data significantly exceeds the cost of the audit and other relevant protection measures,
- when you suspect that the security of applications, infrastructure or data is being or has been breached,
- when the organization wants to minimize the risk of attack on its IT resources,
- when the organization is obligated (by law, internal procedures etc.) to regularly conduct security audits or penetration tests.
Scope of the service
The service is composed of two elements:
- conducting penetration tests within the agreed scope;
- preparing a report consisting of three parts: a general section for the management board and managers (Executive Summary), a detailed technical section for IT units (Technical Report) and Recommendations.
Benefits of the service
- obtaining information about the actual security of the network and systems,
- cost-effective way to strengthen the organization’s security,
- mitigation of risk and reduction of potential costs of system and infrastructure outages caused by attacks from the outside or the inside of the corporate network,
- justification of investments in the security infrastructure,
- fulfillment of external (legal, procedural and other) requirements thanks to the obtained certificates,
- greater prestige and credibility in the eyes of Customers,
- updated information about hardware, software, licenses in place and financial benefits of reducing them.
Consulting services are provided by top-class specialists of Exatel SA, who have many years of experience in performing security audits and conducting penetration tests in various environments, which guarantees the best quality. Their competence has been confirmed by multiple well-known certificates, recognized all over the world.