ISS AUDIT
Know your level of exposure to cyber threats!
An audit can be defined as a methodical, independent and documented process to gather evidence, and to assess this evidence objectively in order to determine the extent to which previously defined criteria are met. So defined, audits yield a review, an appraisal, an inventory.
When it comes to ISS (Information Systems Security), security is, and must be, a key governance issue for any organization. Faced with the multiplication of cyber attacks and increasingly sophisticated and targeted threats, some firms unfortunately remain particularly vulnerable on cybersecurity issues. Synetis, with an offensive and defensive approach, is able to support SMEs and large companies from design to implementation, right through to Maintenance Repair & Overhaul (MRO) of their security environments.
An IT security audit contributes to the overall confidence of the firm by identifying the firm’s IT weaknesses or by reassuring the firm where there are no problems.
Synetis’ ISS Auditing Team is composed of intrusion experts with several years of experience in cybersecurity auditing. Each team member brings their expertise to bear and participates in the development of skills and knowledge bases. Our expertise is to provide a clear, comprehensible and detailed diagnosis of the security of an information system and/or process. As such, and thanks to its recognized experience in security audits, Synetis can offer “customized” auditing services with a focus on pragmatic, actionable results that prevent intrusion risks.
You can count on Synetis consultants to make winning proposals, giving concrete advice to clients in compliance with economic, methodological, organizational, regulatory and technological criteria. Moreover, thanks to the broad and deep expertise of Synetis consultants and our multiple partnerships with the main security software companies on the market, we contribute daily to the improvement of security solutions. Whether discovering vulnerabilities in software products (those of renowned market leaders, open-source projects or partner companies) or simply gathering intelligence on the Internet, our auditors carry out their missions with an ethical approach coupled with ongoing technology watch. Our auditors develop and share their tools with the community.
They pay particular attention to the quality of the work produced, the deliverables as well as the support they deliver to the customer. The deliverables produced by Synetis auditors are:
- Rigorous, relevant, precise
- Methodical and pragmatic
- High added value and quality in the audited field
Our areas of expertise.
Security audits.
Architecture audits
The objective of an architecture audit is to look for weaknesses in the design, in the choice of protocols used, or in non-compliance with recommended security practices.
An architecture audit is based on a documentation analysis followed by interviews with the people in charge of the design, implementation, administration, supervision and MRO (Maintenance Repair & Overhaul) of the target IS.
Moreover, additional analyses can be conducted on samples of network configuration (e.g. switches, firewalls) to complete this audit.
Configuration audits
Synetis can run Configuration Audits of the software and hardware components of your IS.
The goal of such audits is to proactively identify configuration-related directives that could reduce security whilst ensuring that current configurations comply with the target architecture.
Intrusion tests
Synetis can run (non-destructive) intrusion tests on the various components of an IS. These tests simulate the behavior of a malicious individual (coming from inside or outside your company). Each of the identified vulnerabilities is qualified using the CVSS v3 methodology (the Common Vulnerability Scoring System is used to characterize and evaluate the impact of IT vulnerabilities). An action plan is proposed at the end of each audit.
The principle of penetration testing (also known as a pentest) is to discover vulnerabilities on an audited system and to verify their exploitability and impact under the real conditions of an attack on the system, from the position of a potential attacker.
Source code audits
- Use of consistent naming conventions so that the programmer easily understands the role of each function and parameter (maintenance and maintainability)
- Level of opacity of information (no disclosure of sensitive information)
- Ease of use (control of operation sequencing)
Organizational and physical audits
During organizational and physical audits, the Synetis auditor will carry out an analysis of the policies and procedures defined by your firm in order to verify their compliance with the security needs you express. Naturally, Synetis can help you define these needs. In a first phase, a document analysis is carried out, then completed by interviews with the employees concerned. Lastly, technical samples may be taken in order to obtain audit evidence.
Industrial system audits
The architectures of industrial systems have undergone major transformations in recent decades. They are now highly computerized and interconnected with traditional information systems (industry 3.0), and even with the Internet (industry 4.0). While functional security (or safety) is a well-documented issue, industrial systems are now exposed to the same cyber threats as traditional information systems.
Specific security audits.
RedTeam
Synetis carries out “Red Team” missions. This type of engagement simulates the point of view of an external, motivated attacker who wants to break into your organization’s network in order to carry out sabotage operations, steal strategic data, install ransomware or persistence mechanisms, etc. The Synetis methodology relies on three paths to access the organization’s IS: the computer path (logical intrusion), the cognitive path (social engineering) and the physical path (physical intrusion). These three paths can be used in parallel.
Active Directory Audits
Microsoft Active Directory is a central building block of the information system of most companies. An Active Directory domain controller is a prime target for an attacker since, if it is successfully compromised, the attacker has access to corporate resources. Whether as part of an audit or following a known compromise, it is essential that Active Directory security be analyzed, and this analysis must be repeated on a recurring basis. Such analysis reduces the attack surface and prevents the risk of abuse, including privilege escalation and the persistence of an attacker within the information system.
This specific audit includes a configuration audit combined with an offensive Active Directory audit.
Subcontractor compliance audits
Security is above all a question of means and processes, but also of clear and transparent information for customers. It is essential that you be very demanding as regards your subcontractor (hosting provider for example) in terms of security, availability and operating conditions.
Development environment audits
The objective is to audit the architecture of a development environment in search of weaknesses as regards design, the choice of protocols used, and compliance (or not) with recommended security practices. The audit is based on an analysis of the documentation provided as well as on possible interviews with the people in charge of the design, implementation, administration and Maintenance Repair & Overhaul (MRO) of the target information system.
Cloud Audit (IaaS)
The current trend is for companies to outsource all or part of their information systems. Although often beneficial for the company, such outsourcing should not obscure the security issues, not all of which are managed by the service provider.
Synetis can analyze the configuration of your resources in the cloud, including resource partitioning, access to administration consoles, access to services that are too highly exposed (e.g. an ElasticSearch server “forgotten” on the Internet). In addition, these audits are accompanied by architectural advice, particularly with regard to the interconnection(s) with your information system.
Other activities.
Mobile applications audit
Synetis offers an analysis of Android mobile applications. The objective is to verify:
- The security of user data
- The security of the servers to which the applications are connected
During these audits, a decompilation of the APK is done in order to perform a static analysis. In addition, a dynamic analysis is carried out to verify the proper functioning of security mechanisms specific to Android.
WiFi Audits
Often considered secure and robust, WiFi networks and the implementations built around them have weaknesses inherent to the wireless world. Despite this, attacks on WiFi networks are not simple to carry out, because they generally require a wireless card capable of injecting frames, a prerequisite for WiFi attacks that most PCs do not meet.
As part of its security audit work, Synetis has set up a dedicated methodology to audit a WiFi network. This methodology includes a Black Box approach as well as a Gray Box approach.
Social Engineering
Social Engineering consists of bypassing the vigilance of an employee in order to obtain sensitive information or to have malicious actions carried out (opening files, CEO fraud, etc.). Synetis auditors can adopt an awareness-raising offensive approach by contextualizing their scenarios (dropped USB keys, phone calls, etc.).
360° audits
The 360° audit allows you to carry out a general review of your information system. This audit consists first of all of carrying out a documentation assessment based on, for example, Quality Assurance Plans, Security Assurance Plans, ISSPs, architecture diagrams, administration and operating procedures, Business Continuity Plan, Disaster Recovery Planning, strategy analysis, Maintenance Repair & Overhaul (MRO) and Security Maintenance.
SWIFT Compliance Audits
Synetis, thanks to its experience in the banking environment, can help you verify your compliance with the SWIFT Customer Security Programme (CSP). In addition, all the know-how of the audit team, in particular through intrusion tests, can be put at your service to validate the measures implemented on your SWIFT perimeter and on all the networks that access it.
Statistical cryptanalysis of passwords.
The health of an Information System is very strongly linked to the passwords it contains. Employee accounts, application accounts, service accounts, administration accounts… all of these credentials are highly prized and targeted by external and internal attackers. In spite of protective measures, identity federation and strong authentication, what is really happening with the passwords in a given database? And are they compliant with your internal password policy?
A statistical cryptanalysis mission enables these secrets to be tested, and to extract the knowledge and levers needed to strengthen the policies and building blocks of a company’s information system, while at the same time enabling contextualized and recurring awareness.
A Synetis cryptanalysis mission, one-off or recurring (every 3 or 6 months), provides concrete statistics, indicators and metrics to decision-makers:
- How many user accounts can be compromised in X hours?
- How can a password be broken, by what method and how long would this take?
- What is the distribution of accounts that comply with the password policy?
- What is the ratio of accounts “*adm*”, “*svc*”, “*app*”, etc. that have been broken?
- What is the Top 10 passwords used by employees?
- What are the most commonly used “basic words”?
- What is the distribution of password lengths?
- What are the templates / patterns / masks mainly used by users?
- What is the overall robustness index for employee passwords (Standards, ANSSI, etc.)?
- How does my company compare to other companies in the same sector?
- How many passwords have already been leaked on the Internet or DarkWeb?
- What are the password-renewal habits of employees?
- What is the distribution of password policies and compromised users by AD domain?
- What is the cryptographic robustness and password policy of a given repository?
- Recurring: how does the general level of security of company passwords evolve?
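To make these indicators concrete, the script below is an added example written for this page (it is not Synetis tooling). It takes the result of a cracking run as input, here a constructed list of account names with the recovered plaintext, or None where the password was not broken, and derives several of the metrics listed above: the compliance rate against an assumed policy (12 characters minimum, three of four character classes), the length distribution, the top passwords and base words, the dominant masks in hashcat-style notation, and the share of accounts whose names start with adm, svc or app that were broken. The policy thresholds and the naming prefixes are assumptions chosen for the example.

```python
"""Password-audit statistics over a set of recovered passwords.

Added example, not Synetis code: given which accounts' passwords were
recovered and what they were, compute the indicators a statistical
cryptanalysis mission reports. All account names and passwords below are
constructed sample data, not real credentials.
"""
from collections import Counter
import re

# Constructed sample: (account name, recovered plaintext or None if not broken).
RECOVERED = [
    ("alice",      "Summer2023!"),
    ("bob",        "password1"),
    ("carol",      None),
    ("dave",       "Welcome123"),
    ("svc_backup", "Backup2019"),
    ("svc_sql",    None),
    ("adm_dave",   "Welcome123"),
    ("app_crm",    "Crm!2020"),
    ("erin",       "Xk9#vLm2$pQw7tRz"),
    ("frank",      "summer2023"),
]

# Assumed policy for this example: at least 12 characters and 3 of 4 classes.
MIN_LENGTH = 12
MIN_CLASSES = 3


def char_classes(pw):
    """Number of character classes (lower, upper, digit, other) present."""
    classes = 0
    classes += any(c.islower() for c in pw)
    classes += any(c.isupper() for c in pw)
    classes += any(c.isdigit() for c in pw)
    classes += any(not c.isalnum() for c in pw)
    return classes


def complies(pw):
    """True if the plaintext meets the assumed length and complexity policy."""
    return len(pw) >= MIN_LENGTH and char_classes(pw) >= MIN_CLASSES


def mask(pw):
    """hashcat-style mask: ?l lower, ?u upper, ?d digit, ?s anything else."""
    out = []
    for c in pw:
        if c.islower():
            out.append("?l")
        elif c.isupper():
            out.append("?u")
        elif c.isdigit():
            out.append("?d")
        else:
            out.append("?s")
    return "".join(out)


def base_word(pw):
    """Strip digits and symbols and lower-case the rest: 'Summer2023!' -> 'summer'."""
    return re.sub(r"[^a-zA-Z]", "", pw).lower()


def broken(records):
    """Only the accounts whose password was recovered."""
    return [(acct, pw) for acct, pw in records if pw is not None]


def broken_ratio(records, pattern):
    """Share of accounts whose name matches `pattern` that were broken."""
    matching = [(a, p) for a, p in records if re.search(pattern, a)]
    if not matching:
        return 0.0
    return sum(1 for _, p in matching if p is not None) / len(matching)


def report(records):
    """Aggregate the indicators into one dictionary."""
    pws = [pw for _, pw in broken(records)]
    return {
        "total_accounts": len(records),
        "broken_accounts": len(pws),
        "compliance_rate_among_broken": sum(map(complies, pws)) / len(pws) if pws else 0.0,
        "length_distribution": dict(sorted(Counter(len(p) for p in pws).items())),
        "top_passwords": Counter(pws).most_common(3),
        "top_base_words": Counter(base_word(p) for p in pws if base_word(p)).most_common(3),
        "top_masks": Counter(mask(p) for p in pws).most_common(3),
        # Assumed naming convention: privileged/technical accounts start with adm, svc or app.
        "privileged_broken_ratio": broken_ratio(records, r"^(adm|svc|app)"),
    }


if __name__ == "__main__":
    for key, value in report(RECOVERED).items():
        print(f"{key}: {value}")
```

On the constructed sample, 8 of the 10 accounts are broken, only one of the recovered passwords meets the assumed policy, "Welcome123" is reused across a standard and an administrative account, and three of the four technical accounts are compromised; these are exactly the levers (policy tuning, reuse detection, targeted awareness) the mission is meant to surface.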
Offensive training courses.
Nourished by R&D and feedback from its consultants, Synetis can train your employees on many topics related to the major theme of cybersecurity. The duration of the Offensive Training Courses varies (most take place over one day, although some last 3 to 5 days). During the courses, the Synetis consultant takes a thorough look at each salient topic and gives the participants all the essential keys to understand and assimilate the training.
In terms of cybersecurity training, our Practice Audits catalog is composed of:
- API01 Training Course: Good practices and security in the context of API development
- AUTH01 Training Course: Setting up a secure authentication mechanism (test pattern)
- AUTH02 Training Course: Strong Authentication (MFA) – State of the Art, Diversity of Factors, Implementations and Benefits
- CLOUD01 Training Course: Access security on Cloud solutions (AWS S3, Google Cloud)
- CRYPTA01 Training Course: An offensive approach to cryptography
- FOR01 Training Course: Security Incident Response
- OWASP01 Training Course: Follow-up and Illustration of TOP Ten OWASP Recommendations
- SECOF01 Training Course: Attack is the best defense
- SECOF02 Training Course: How can you attack a website so to defend yourself better?
- TLS01 Training Course: Security, Configuration and Attacks on Protocol Overlay Encryption Layers
- WIN01 Training Course: Evaluating and reinforcing the security of workstations
- WIN02 Training Course: Understanding Weaknesses and Hardening Windows / Active Directory