Know your level of exposure to cyber threats!
An audit can be defined as a methodical, independent and documented process to gather evidence, and to assess this evidence objectively in order to determine the extent to which previously defined criteria are met. So defined, audits yield a review, an appraisal, an inventory.
When it comes to ISS (Information Systems Security), for any organization, security is, and must be, a key governance issue. Faced with the multiplication of cyber attacks and increasingly sophisticated and targeted threats, it is unfortunately a fact that some firms can still be particularly vulnerable on cybersecurity issues. Synetis, with an offensive and defensive approach, is able to support SMEs and large companies from design to implementation, right through to Maintenance Repair & Overhaul (MRO) for their security environments.
An IT security audit contributes to the overall confidence of the firm by identifying the firm’s IT weaknesses or by reassuring the firm where there are no problems.
Synetis’ SSI Auditing Team is composed of intrusion experts with several years of experience in cybersecurity auditing. Each team member brings their expertise to bear, and participates in the development of skills and knowledge bases. Our expertise is to provide a clear, comprehensible and detailed diagnosis of the security of an information system and/or process. As such, and thanks to its recognized experience in security audits, Synetis can offer “customized” auditing services with a focus on getting pragmatic, actionable results to prevent intrusion risks.
You can count on Synetis consultants to make winning proposals, giving concrete advice to clients in compliance with economic, methodological, organizational, regulatory and technological criteria. Moreover, thanks to the broad and deep expertise of Synetis consultants and our multiple partnerships with the main security software companies on the market, we contribute daily to the improvement of security solutions. Discovering software vulnerabilities on software products, be these renowned market leaders or open-source or partner companies, simply via intelligence gathering on the Internet, our auditors carry out their missions with an ethical approach coupled with ongoing technology watching. Our auditors develop and share their tools with the community.
They pay particular attention to the quality of the work produced, the deliverables as well as the support they deliver to the customer. The deliverables produced by Synetis auditors are:
- Rigorous, relevant, precise
- Methodical and pragmatic
- They deliver high added value and quality in the audited field.
Our areas of expertise.
- The objective of an architecture audit is to look for weaknesses in the design, in the choice of protocols used or non-compliance with recommended practices in terms of security.
An architecture audit is based on a documentation analysis followed by interviews with the people in charge of the design, implementation, administration, target IS supervision and target IS MRO (Maintenance Repair & Overhaul)
Moreover, additional analyses can be conducted on samples of network configuration (e.g. switches, firewalls) to complete this audit.
Specific security audits.
Synetis carries out “Redteam” missions This type of attack simulates the point of view of an external, motivated attacker, who wants to break into your organization’s network in order to carry sabotage operations, steal strategic data, install ransom software or even persistence software, etc. The Synetis methodology relies on three paths to access the organization’s IS: the computer path (logical intrusion), the cognitive path (social engineering) and the physical path (physical intrusion). These three paths can be used in parallel.
Mobile applications audit
Synetis offers an analysis of Android mobile applications. The objective is to verify:
- The security of user data
- The security of the servers to which the servers are connected
During these audits, a decompilation of the APK is done in order to perform a static analysis. In addition, a dynamic analysis is carried out to verify the proper functioning of security mechanisms specific to Android.
Statistical cryptanalysis of passwords.
The health of an Information System is very strongly linked to the passwords it contains. Employees, application accounts, service accounts, administration accounts… All these keywords are highly prized and targeted by external and internal attackers. In spite of protective measures, identity federation and strong authentication, what is really happening with the passwords in a given database? And, are they compliant with your internal password policy?
A statistical cryptanalysis mission enables these secrets to be tested, and to extract the knowledge and levers needed to strengthen the policies and building blocks of a company’s information system, while at the same time enabling contextualized and recurring awareness.
A SYNETIS cryptanalysis mission, once-off or recurring (every 3 or 6 months), provides concrete statistics, indicators and metrics to decision-makers:
- How many user
- accounts can be compromised in X hours?
- How can a password be broken, by what method and how long would this take?
- What is the distribution of accounts that comply with the password policy?
- What is the ratio of accounts “*adm*”, “*svc*”, “*app*”, etc. that have been broken?
- What is the Top 10 passwords used by employees?
- What are the most commonly used “basic words”?
- What is the distribution of password lengths?
- What are the templates / patterns / masks mainly used by users?
- What is the overall robustness index for employee passwords (Standards, ANSSI, etc.)?
- How does my company compare to other companies in the same sector?
- How many passwords have already been leaked on the Internet or DarkWeb?
- What are the password-renewal habits of employees?
- What is the distribution of password policies and compromised users by AD domain?
- What is the cryptographic robustness and password policy of a given repository?
Recurring: how does the general level of security of company passwords evolve?
Offensive training courses.
Nourished by R&D and feedback from its consultants, Synetis can train your employees on many topics related to the major theme of cybersecurity. The duration of the Offensive Training Courses varies (most of them take place over one day, although some last 3 to 5 days). During the courses, the Synetis consultant takes a thorough look at each salient topic, and gives the participants all the essential keys to the participants to understand and assimilate the training.
In terms of cybersecurity training, our Practice Audits catalog is composed of:
- API01 Training Course: Good practices and security in the context of API development
- AUTH01 Training Course: Setting up a secure authentication mechanism (test pattern)
- AUTH02 Training Course: Strong Authentication (MFA) – State of the Art, Diversity of Factors, Implementations and Benefits
- CLOUD01 Training Course: Access security on Cloud solutions (AWS S3, Google Cloud)
- CRYPTA01 Training Course: An offensive approach to cryptography
- FOR01 Training Course: Security Incident Response
- OWASP01 Training Course: Follow-up and Illustration of TOP Ten OWASP Recommendations
- SECOF01 Training Course: Attack is the best defense
- SECOF02 Training Course: How can you attack a website so to defend yourself better?
- TLS01 Training Course: Security, Configuration and Attacks on Protocol Overlay Encryption Layers
- WIN01 Training Course: Evaluating and reinforcing the security of workstations
- WIN02 Training Course: Understanding Weaknesses and Hardening Windows / Active Directory
Click here for complete list of training courses