AUDIT
Obtain evidence and evaluate it objectively!
An audit can be defined as a methodical, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which previously defined criteria are met. An audit therefore makes it possible to establish a review, an inventory, an assessment of the current state.
Information Systems Security (ISS) must be a key governance issue for any organization. In the face of increasing cyber attacks and increasingly sophisticated and targeted threats, it is unfortunately noted that some organizations may still be particularly vulnerable on cybersecurity issues. Synetis, with an offensive and defensive approach, is able to support SMEs and large companies from design to implementation and maintenance in operational condition of their security environments.
The IT security audit contributes to the overall confidence of an organization, allows it to know its weaknesses and can even provide reassurance.
Synetis’ SSI Audit practice is made up of intrusion experts with many years’ experience in cybersecurity auditing. Each member of the team contributes his or her expertise and participates in the development of skills and knowledge bases. Our expertise lies in providing a clear, comprehensive and detailed diagnosis of the security of an information system and/or process. As such, and thanks to its recognised experience in security audits, Synetis offers “tailor-made” audit services and guarantees pragmatic work, with the risk of intrusion as the guiding principle.
In their respective fields, Synetis consultants are a source of proposals and provide concrete advice to clients in compliance with economic, methodological, organizational, regulatory and technological criteria. What’s more, thanks to the in-depth expertise of Synetis consultants and multiple partnerships with the market’s leading security vendors, Synetis contributes daily to the improvement of security solutions. Whether discovering vulnerabilities in renowned security products, in open-source and partner vendors’ software, or simply while browsing the Internet, Synetis auditors constantly carry out their missions with an ethical approach coupled with a continuous technological watch. They develop and share their tools with the community.
Synetis auditors pay particular attention to the quality of the work produced, the deliverables as well as the support of the clients. The deliverables produced by Synetis auditors are:
- Rigorous, relevant, precise;
- Methodical and pragmatic;
- Sources of high added value and impeccable quality at the very best of the state of the art in the field concerned.
Our areas of expertise.
Security audits
The aim of an architecture audit is to identify weaknesses in design, in the choice of protocols used, or non-compliance with recommended security practices. An architecture audit is based on a documentary analysis, followed by interviews with the people in charge of the design, implementation, administration, supervision and maintenance of the target information system.
Additional analyses can also be conducted on samples of network configuration (e.g. switches, firewalls) to complete this audit.
Synetis can carry out a configuration audit of different software and hardware components of your information system.
The aim of these audits is to identify configuration directives that could lead to a reduction in the level of security (with regard to the state of the art and benchmarks), while ensuring that configurations comply with the targeted architecture.
Synetis carries out non-destructive penetration tests (internal, external, application) on various IS components. These tests allow you to simulate the behaviour of a malicious individual, whether or not external to your organization. Each of the identified vulnerabilities is qualified using the CVSS v3 methodology (the Common Vulnerability Scoring System enables the characterization and evaluation of the impact of computer vulnerabilities). An action plan is then proposed at the end of each audit.
The principle of penetration testing (also known as pentesting) is to discover vulnerabilities on an audited system and verify their exploitability and impact, under the real conditions of an attack on the system (or from outside it), from the position of a potential attacker.
The code security audit is one of a series of security audits designed to assess the security level of one or more components of an information system.
Source code review is therefore an essential step in identifying the implementations targeted by the analysis and assessing their compliance. The main objective is to assess the security of the code in order to ensure that the rules of good practice in terms of specification and design have been respected:
- Use of consistent naming conventions so that the programmer can easily understand the role of each function and parameter (maintenance and maintainability);
- Level of information opacity (no disclosure of sensitive information);
- Ease of use (control of operation sequencing).
During organizational and physical audits, the Synetis auditor will carry out an analysis of the policies and procedures (internal or external) defined by your organization in order to verify their compliance with the security requirements you have expressed. Synetis can of course help you define these needs. In the first phase, a document review is carried out, followed by interviews with the relevant employees/directors. Finally, technical samples may be taken to obtain audit evidence.
Specific security audits
Industrial system architectures have undergone major transformations in recent decades. Today, they are highly computerized and interconnected with conventional information systems (industry 3.0), and even with the Internet (industry 4.0).
While functional safety is a well-established issue, industrial systems are now exposed to the same cyber threats as conventional information systems.
Synetis carries out so-called “Red Team” missions. This type of attack aims to simulate the point of view of an external, motivated attacker, whose goal is to break into your organization’s network in order to carry out sabotage operations, steal strategic data, install ransomware or even persistence tools, etc.
The Synetis methodology relies on three paths to access the organization’s IS: the computer path (logical intrusion), the cognitive path (social engineering) and the physical path (physical intrusion). These three paths can be used in parallel using a suitable methodology.
Microsoft Active Directory is a central component of most companies’ information systems. An Active Directory domain controller is a prime target for an attacker, since compromising it will provide access to corporate resources. Whether in an audit context or following a proven compromise, the AD security analysis is essential and must be applied on a recurring basis. It reduces the attack surface and prevents the risk of abuse, in particular privilege escalation and the persistence of an attacker within the information system.
This specific audit includes a configuration audit combined with an offensive Active Directory audit.
Security is above all a question of resources and processes, but also of clear, transparent information for our customers. It is therefore essential that you are very demanding of your subcontractor (a hosting provider, for example) in terms of security, availability and operating conditions.
The current trend is for companies to outsource all or part of their information systems. While this operation is often advantageous, it should not overshadow security issues, not all of which are managed by the service provider.
Synetis can analyze the configuration of your cloud resources, including resource partitioning, access to administration consoles, and access to services that are too highly exposed (e.g. an Elasticsearch server “forgotten” on the Internet).
In addition, these audits are complemented by architectural advice, particularly with regard to the interconnection(s) with your IS.
Other activities.
Synetis offers analysis of Android mobile applications. The objective is to verify:
- User data security;
- The security of the servers to which the applications connect.
During these audits, a decompilation of the APK is carried out in order to perform a static analysis. In addition, a dynamic analysis is carried out to check that Android’s own security mechanisms are working properly.
Often considered secure and robust, WiFi networks and the implementations that revolve around their use nevertheless present a number of weaknesses inherent to the wireless world. However, attacks on WiFi are not simple to implement: they often require a wireless card capable of injecting frames, a necessary prerequisite that most PCs lack.
As part of its security audit work, Synetis has set up a dedicated methodology for auditing a WiFi network. This methodology includes a black box approach as well as a grey box approach.
“Social engineering” is the practice of deceiving an employee’s vigilance in order to obtain sensitive information or carry out malicious actions (opening files, CEO fraud, etc.).
Synetis auditors can adopt an offensive and awareness-raising approach by contextualizing their attacks (USB dropping, phoning, vishing, smsing, whatsapping, etc.).
The 360° audit provides an overview of your information system. This audit consists first of all in carrying out a documentary study based on, for example, Quality Assurance Plans, Security Assurance Plans, ISSP, architecture schemes, administration and operating procedures, Business Continuity Plan, Business Resumption Plan, analysis of strategies, management of Operational and Security Maintenance.
In a second phase, the identification of compromise routes against the organization’s IS can also be organized under time constraints.
Synetis, with its experience in the banking environment, can accompany you in establishing your compliance with the SWIFT Customer Security Programme (CSP). What’s more, we can put all our audit team’s know-how at your service, particularly through intrusion tests, to validate the measures implemented on your SWIFT footprint and all the networks accessing it.
Statistical cryptanalysis of passwords.
Statistical cryptanalysis enables you to assess the overall robustness of your employees’ Active Directory (or other) passwords, as well as potential compromise rates, and to deduce indicators and/or metrics.
One of the objectives of this service is also to reinforce passwords and raise user awareness, as well as to determine the levers needed to reinforce the policies and building blocks making up the Information System (IS), while enabling contextualized and recurring awareness-raising.
Password robustness tests will include the following aspects:
1. Algorithm identification, frequency analysis and hash formatting
2. Dictionary / wordlist attacks (contextualized, common, leaks)
3. Hybrid attacks based on rule sets
4. Frequency analysis attacks and rainbow tables
5. Brute-force attacks based on masks
6. Analysis of results and statistics
7. Reporting of results
Here are a few figures from the cryptanalyses carried out by Synetis:
- An overall percentage of successful breakage close to 80% for all areas, customers and sectors combined;
- Several hundred thousand / million passwords analyzed;
- On average, 50% of passwords are broken in less than 5 hours;
- Concrete, comprehensive results within 2 weeks of analysis;
- A service provided using standard equipment, without supercomputers.
A statistical cryptanalysis mission gives rise to a dedicated report, comprising all the results and indicators generated; including a list of recommendations, best practices and an action plan.
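As an added illustration of the “analysis of results and statistics” step and of the indicators such a report contains (example code written for this page, not a Synetis tool), the following script derives audit metrics from a constructed list of already-recovered passwords: crack rate, average length, the most common hashcat-style masks and base words, how many passwords contain a year, and how many satisfied a hypothetical length/character-class policy yet were still recovered.

```python
import re
from collections import Counter

# Constructed sample: 10 audited accounts, 7 of which were recovered.
# These values are invented for the example, not audit results.
CRACKED = ["Winter2023!", "winter2022", "Synetis1", "Password1!",
           "Summer2023!", "azerty123", "Company2023"]
TOTAL_ACCOUNTS = 10

def mask(pw):
    """Hashcat-style mask: ?l lower, ?u upper, ?d digit, ?s other."""
    out = []
    for ch in pw:
        if ch.islower():
            out.append("?l")
        elif ch.isupper():
            out.append("?u")
        elif ch.isdigit():
            out.append("?d")
        else:
            out.append("?s")
    return "".join(out)

def base_word(pw):
    """Strip leading/trailing digits and symbols; lower-case the core word."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw).lower()

def meets_policy(pw, min_len=10, min_classes=3):
    """Hypothetical policy: minimum length and 3 of 4 character classes."""
    classes = sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])
    return len(pw) >= min_len and classes >= min_classes

def audit_stats(cracked, total):
    """Indicators a cryptanalysis report would present to the client."""
    n = len(cracked)
    return {
        "crack_rate": round(100 * n / total, 1),          # % of accounts recovered
        "avg_length": round(sum(map(len, cracked)) / n, 1),
        "top_masks": Counter(map(mask, cracked)).most_common(3),
        "top_bases": Counter(map(base_word, cracked)).most_common(3),
        "contain_year": sum(bool(re.search(r"(19|20)\d\d", p)) for p in cracked),
        # Policy-compliant passwords that were recovered anyway: the key
        # argument for contextualized awareness rather than rules alone.
        "policy_compliant_but_cracked": sum(meets_policy(p) for p in cracked),
    }

if __name__ == "__main__":
    for key, value in audit_stats(CRACKED, TOTAL_ACCOUNTS).items():
        print(f"{key}: {value}")
```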
Dedicated offensive training.
Synetis can provide training for your staff on a wide range of subjects linked to the major theme of cybersecurity, backed up by R&D and feedback from our consultants.
Offensive training courses vary in length. Most take place over one day, but some can extend to 3 or 5 days, enabling Synetis consultants to tackle each theme in full, and provide participants with all the keys they need to understand and assimilate the training.
In terms of cybersecurity training, the complete Practice Audit catalog is available via the training link.