AUDIT
Get evidence and evaluate it objectively!
An audit can be defined as a methodical, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which previously defined criteria are met. Thus, an audit establishes a review, an inventory, a state of affairs.
In terms of information systems security (ISS), security must be a key governance issue for any organization. Faced with the multiplication of cyber attacks and increasingly sophisticated and targeted threats, some organizations unfortunately remain particularly vulnerable on cybersecurity issues. Synetis, with an offensive and defensive approach, is able to support SMEs and large companies from the design through to the implementation and maintenance of their security environments.
The IT security audit contributes to the overall confidence placed in an organization, reveals its weaknesses, and can also provide reassurance.
The Synetis SSI Audit practice is made up of intrusion experts with several years of experience in cybersecurity audits. Each member of the team brings his or her expertise and participates in the development of skills and knowledge bases. Our expertise is to provide a clear, understandable and detailed diagnosis of the security of an information system and/or process. As such, and thanks to its recognized experience in security audits, Synetis offers "tailor-made" audit services and guarantees pragmatic work, with the risk of intrusion as the main theme.
In their respective fields, Synetis consultants are able to make proposals and provide concrete advice to clients in accordance with economic, methodological, organizational, regulatory and technological criteria. In addition, thanks to the in-depth expertise of Synetis consultants and multiple partnerships with the main security vendors on the market, Synetis contributes daily to the improvement of security solutions. Whether they are discovering vulnerabilities in renowned security products (from open-source projects or partner vendors) or simply browsing the Internet, Synetis auditors constantly carry out their missions with an ethical approach coupled with continuous technological monitoring. They develop and share their tools with the community.
Synetis auditors pay particular attention to the quality of the work produced, the deliverables and the support provided to the clients. The deliverables produced by Synetis auditors are:
- Rigorous, relevant, precise;
- Methodical and pragmatic;
- Of high added value and impeccable quality, at the state of the art in the relevant field of service.
Our fields of expertise.
Security audits
The objective of an architecture audit is to look for weaknesses in the design, in the choice of protocols used, or for non-compliance with recommended security practices. An architecture audit is based on a documentary analysis followed by interviews with the people in charge of the design, implementation, administration, supervision and maintenance of the target information system.
In addition, complementary analyses can be carried out on network configuration samples (e.g. switches, firewalls) in order to complete this audit.
Synetis can carry out a configuration audit of the various software and hardware components of your information system.
These audits aim to detect configuration directives that could lower the level of security (with respect to the state of the art and reference baselines) while ensuring that the configurations comply with the target architecture.
Synetis carries out non-destructive penetration tests (internal, external, application) on various IS components. These tests simulate the behavior of a malicious individual, whether external or not to your organization. Each of the identified vulnerabilities is qualified according to the CVSS v3 methodology (the Common Vulnerability Scoring System is used to characterize and evaluate the impact of computer vulnerabilities). An action plan is then proposed at the end of each audit.
The principle of penetration testing (also known as pentesting) is to discover vulnerabilities on an audited system and to verify their exploitability and impact, under the real conditions of an attack on the system (or from outside it), from the position of a potential attacker.
The code security audit is one of the security audits that make it possible to evaluate the security level of one or several components of an information system.
The review of the source code is thus an essential step that allows the implementations targeted by the analysis to be identified and their conformity evaluated. The main objective is to evaluate the security of the code and to ensure that the rules of good practice in terms of specification and design have been respected:
- Use of consistent naming conventions so that the programmer can easily understand the role of each function and parameter (maintenance and maintainability);
- Level of opacity of information (no disclosure of sensitive information);
- Ease of use (control of operation sequencing).
During organizational and physical audits, the Synetis auditor will conduct an analysis of the policies and procedures (internal or external) defined by your organization in order to verify their compliance with the security needs you express. Synetis can of course help you define these needs. In the first phase, a documentary analysis is carried out, followed by interviews with the employees/directorates concerned. Finally, technical samples can be taken in order to obtain audit evidence.
Specific security audits
Industrial system architectures have undergone major transformations in recent decades. Today, they are highly computerized and interconnected with traditional information systems (industry 3.0), and even with the Internet (industry 4.0).
While functional security (or safety) is a well-established issue, industrial systems are now exposed to the same cyber threats as traditional information systems.
Synetis carries out so-called "Red Team" missions. This type of attack aims to simulate the point of view of an external, motivated attacker, whose goal is to break into your organization's network in order to carry out sabotage operations, steal strategic data, install ransomware or even persistence software, etc.
The Synetis methodology is based on three ways of accessing the organization's IS: the IT way (logical intrusion), the cognitive way (social engineering) and the physical way (physical intrusion). These three paths can be used in parallel according to an appropriate methodology.
Microsoft Active Directory is a central component of most companies' information systems. An Active Directory domain controller is a prime target for an attacker, since its compromise gives the attacker access to the company's resources. Whether in an audit context or following a confirmed compromise, the analysis of the security of the AD is essential and must be carried out on a recurring basis. It reduces the attack surface and prevents the risks of abuse, in particular privilege escalation and the persistence of an attacker within the information system.
This specific audit combines a configuration audit with an offensive audit of the Active Directory.
Security is above all a question of means and processes, but also of clear and transparent information for your customers. It is therefore essential that you are very demanding of your subcontractor (host for example) in terms of security, availability and operating conditions.
The current trend leads companies to outsource all or part of their information systems. This operation, which is often advantageous, should not obscure the security issues, not all of which are handled by the service provider.
Synetis offers to analyze the configuration of your resources in the cloud, including the partitioning of resources, access to administration consoles, and access to services that are too highly exposed (e.g., an ElasticSearch server "forgotten" on the Internet).
In addition, these audits are enhanced by architectural advice, particularly with regard to interconnections with your IS.
Other activities.
Synetis offers an analysis of Android mobile applications. The objective is to verify:
- The security of the user's data;
- The security of the servers to which the application connects.
During these audits, the APK is decompiled in order to perform a static analysis. In addition, a dynamic analysis is performed in order to verify the proper functioning of the security mechanisms specific to Android.
Often considered secure and robust, WiFi networks and the implementations built around their use still have some weaknesses inherent to the wireless world. Nevertheless, attacks on WiFi are not easy to implement because they often require cards capable of injecting frames, a necessary prerequisite for WiFi attacks that most PCs do not have.
As part of its security audit work, Synetis has set up a dedicated methodology for auditing a WiFi network. This methodology includes a black box approach as well as a grey box approach.
"Social engineering" (also called "ingénierie sociale" in French) consists in deceiving the vigilance of an employee in order to obtain sensitive information or to have malicious actions carried out (opening files, CEO fraud, etc.).
Synetis auditors can adopt an offensive and awareness-raising approach by contextualizing their attacks (USB drops, phone calls, vishing, SMS, WhatsApp messages, etc.).
The 360° audit provides a general inventory of your information system. This audit consists first of all in carrying out a documentary study based on, for example, the Quality Assurance Plan, the Security Assurance Plan, the PSSI, the architecture diagrams, the administration and operation procedures, the Business Continuity Plan, the analysis of the strategies, and the management of maintenance in operational and security conditions.
In a second step, an identification of the main compromise paths against the organization's IS can also be organized within a limited time.
Synetis, with its experience in the banking sector, can help you establish your compliance with the SWIFT CSP (Customer Security Programme). In addition, all the know-how of the audit team, in particular through intrusion tests, can be put at your service to validate the measures implemented on your SWIFT infrastructure as well as on all the networks that access it.
Statistical cryptanalysis of passwords.
A statistical cryptanalysis allows you to evaluate the overall robustness of your employees' Active Directory passwords (or those of another repository) and the potential compromise rates, and to derive indicators and/or metrics from them.
One of the objectives of this service is also to strengthen passwords and raise user awareness, and to determine the levers necessary for reinforcing the policies and building blocks of the Information System (IS), while enabling contextualized and recurring awareness-raising.
- 1. Algorithmic discovery, frequency analysis and hash formatting
- 2. Dictionary / wordlist attacks (contextualized, common, leaks)
- 3. Hybrid attacks based on rule sets
- 4. Frequency analysis attacks and rainbow-tables
- 5. Brute-force attacks on the basis of masks
- 6. Analysis of results and statistics
- 7. Restitution of the results
- An overall crack rate close to 80% across all domains, clients and sectors combined;
- Hundreds of thousands / millions of passwords analyzed;
- On average, 50% of passwords broken within 5 hours;
- Concrete and complete results within 2 weeks of analysis;
- A service carried out with standard equipment, without a supercomputer.
A statistical cryptanalysis mission results in a dedicated report containing all the results and indicators generated, together with a list of recommendations, best practices and an action plan.
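The analysis and reporting steps (6 and 7) above turn a cracking run into indicators for the report. The following is an added example of that phase, not Synetis's tooling: it takes constructed audit records (account, an opaque hash label, recovered plaintext if any, time of recovery) and computes crack rate, the share cracked within the 5-hour horizon quoted above, the dominant Hashcat-style masks, how many passwords follow the predictable "Word2023!" structure, and password reuse inferred from identical hashes.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

class CrackRecord(NamedTuple):
    account: str
    hash_id: str              # opaque label for the account's hash (constructed)
    plaintext: Optional[str]  # recovered password, or None if never recovered
    seconds: float            # time of recovery since the start of the run

def password_mask(pw: str) -> str:
    """Hashcat-style mask: ?u upper, ?l lower, ?d digit, ?s anything else."""
    return "".join("?u" if c.isupper() else "?l" if c.islower()
                   else "?d" if c.isdigit() else "?s" for c in pw)

# Capitalised word, digits, optional trailing symbol: the classic "Word2023!" shape.
WORD_DIGITS_SYMBOL = re.compile(r"^\?u(\?l)+(\?d)+(\?s)?$")

def audit_statistics(records, horizon_hours=5.0, top=3):
    """Indicators for the report: crack rate, speed, structure and reuse."""
    total = len(records)
    cracked = [r for r in records if r.plaintext is not None]
    within = [r for r in cracked if r.seconds <= horizon_hours * 3600]
    masks = Counter(password_mask(r.plaintext) for r in cracked)
    predictable = sum(1 for r in cracked
                      if WORD_DIGITS_SYMBOL.match(password_mask(r.plaintext)))
    # Identical hashes mean identical passwords, whether or not they were recovered.
    shared = sum(n for n in Counter(r.hash_id for r in records).values() if n > 1)
    return {
        "total": total,
        "cracked": len(cracked),
        "crack_rate": len(cracked) / total if total else 0.0,
        "within_horizon_rate": len(within) / total if total else 0.0,
        "predictable_structure_rate": predictable / len(cracked) if cracked else 0.0,
        "top_masks": masks.most_common(top),
        "accounts_sharing_password": shared,
    }

# Constructed sample: ten accounts, as a cracking tool would export them.
SAMPLE = [
    CrackRecord("alice", "h01", "Summer2023!", 120),
    CrackRecord("bob",   "h02", "Password1",   30),
    CrackRecord("carol", "h01", "Summer2023!", 120),   # same hash as alice: reuse
    CrackRecord("dave",  "h03", "Welcome1",    45),
    CrackRecord("erin",  "h04", None,          0),
    CrackRecord("frank", "h05", "Company2024", 7200),
    CrackRecord("grace", "h06", "Qwerty123",   600),
    CrackRecord("heidi", "h07", None,          0),
    CrackRecord("ivan",  "h08", "Admin2023!",  25000),  # recovered after the 5 h horizon
    CrackRecord("judy",  "h09", None,          0),
]
```

A 100% predictable-structure rate on a sample that passes a "one uppercase, one digit" policy is the kind of finding that feeds the policy recommendations in the report.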
Dedicated offensive training.
Drawing on the R&D and feedback of its consultants, Synetis is able to provide training to your employees on many topics related to the broad theme of cybersecurity.
The duration of offensive training courses varies. Most are held over one day, but some can extend to 3 to 5 days, allowing the Synetis consultant to address each theme in a comprehensive manner and to provide all the essential keys to the participants to understand and assimilate the training.
In terms of cybersecurity training, the Audit Practice's catalog consists of:
The complete list of training courses is available via the link here.