PENETRATION TESTING AND SECURITY REVIEWS

Services:

  - Penetration testing: see your assets and vulnerabilities from the perspective of a skilled attacker.
  - PCI DSS assessments: friendly QSAs with practical implementation and risk management experience.
  - Phishing and social engineering: understand the effectiveness of your organisation's security-awareness training.
  - Organisational assessments: holistic organisational security assessments, audits and security reviews.
  - Cloud security reviews: security assessments of cloud computing environments in AWS and Azure.

PENETRATION TESTS

A penetration test (pen test) is an exercise, conducted by a careful, skilled assessor, that seeks to discover, exploit and report on vulnerabilities in the target asset(s).

Pen testing combines automated and manual tools and techniques that allow the assessor to simulate an attack on the asset(s) defined within the scope of the assessment.

Standards such as the PCI DSS require that penetration tests be conducted at least annually and after any significant infrastructure or application upgrade or modification.

DotSec’s assessors have various certifications including both OSCP and OSWE, and perform penetration testing on targets including web applications, corporate networks, mobile applications, APIs and WiFi networks, to name but a few. 

Penetration tests and security reviews

PCI DSS ASSESSMENTS

DotSec is a Payment Card Industry (PCI) Qualified Security Assessor (QSA) company. This means that DotSec is qualified to assess entities (including on-line merchants, payment processors and service providers) for compliance with the PCI Data Security Standard (DSS). 

We have built systems that are compliant with the PCI DSS and we can assist with the preparation of all your PCI DSS compliance and reporting requirements, from gap-analysis and remediation work, through to Attestations of Compliance (AOCs) and Reports on Compliance (ROCs). 

DotSec can also assist with the preparation of Self Assessment Questionnaires (SAQs). 

DotSec’s QSAs have many years of implementation experience, and so provide practical and reasonable advice.


ORGANISATIONAL REVIEWS

DotSec can conduct organisational reviews that are undertaken with reference to the control objectives listed in Annex A of the ISO/IEC 27001:2013 standard.

An organisational review provides a range of benefits to the client and, in particular, gives the organisation an overview of its current level of information security maturity.

The level of maturity is expressed as one of five maturity stages, and is measured qualitatively for each of the 14 clauses (which can be thought of as security domains) listed in Annex A of ISO/IEC 27001:2013.

All reviews include practical recommendations as to how the organisation’s level of maturity can be improved.


CLOUD REVIEWS FOR AWS & AZURE

Responsibility for the security and compliance of any cloud environment (both infrastructure and controls) is shared between the cloud service provider, and the customer.

In general, the cloud service provider is responsible for the infrastructure and the customer is responsible for the services and applications that run on that infrastructure, but the lines can become blurred on occasion.

DotSec conducts security assessments of cloud computing environments including AWS and Azure. These can be delivered as once-off reviews or as continuous assessment within our fully managed SIEM/SOAR service; the choice is yours.


PHISHING & SOCIAL ENGINEERING TESTS

Criminal groups (as well as others) use phishing as a means to infiltrate organisations, undertake ransomware attacks, gather credentials for subsequent impersonation attacks, or simply to destroy target assets.

DotSec conducts phishing (and more generally, social engineering) tests in order to demonstrate to your users how phishing attacks work, and how to reduce the associated risks.

Phishing tests are most effective when combined with security awareness training, providing both testing and improvement metrics. Ask about our packaged testing and education services to understand more.


CIS Essential Controls

The CIS Controls are a set of internationally-recognised, best-practice security recommendations developed by a community of information security experts. 

The controls are organised into 18 control categories, or security domains (listed in Annex A), and are ranked in terms of priority by their allocation to one of three implementation groups. Implementation groups (or IGs) provide a way for organisations to assess and improve their security maturity over time.

To help your organisation align with the CIS Controls, DotSec can provide you with specific, actionable recommendations that are practical to implement.

ASD/ACSC Essential 8

The Essential Eight is a set of eight controls developed by the ASD which are designed to protect (primarily) Microsoft Windows-based, internet-connected networks. Organisations that want to protect themselves against a range of cyber threats should aim to meet a target maturity level that is suitable for their environment.

DotSec can conduct an assessment of your computing environment with reference to the requirements of an appropriate ASD Essential 8 maturity level. We can then help you to create and/or update and improve appropriate policy, procedure, standards and planning documentation to reflect the improvements that you have made while meeting your target ASD Essential 8 maturity level.

Two decades of penetration tests and security reviews

DotSec assessors have over 22 years of experience, not just in penetration tests and security reviews but also in secure-systems design, development, deployment and maintenance. Our understanding of what it takes to develop and maintain secure systems allows our assessors to deliver unique and valuable results.

OPPORTUNITIES, NOT PROBLEMS

An assessment report that focuses only on shortcomings and vulnerabilities is pointless! DotSec has 20 years of experience in building secure systems, so our assessment reports include detailed descriptions of how vulnerabilities and shortcomings may be addressed in a practical and reasonable manner.

INDEPENDENT & EXPERIENCED

When it comes to assessment and testing, DotSec works with you to understand your business processes, identify your assets, and assess and then manage your risks. You can be certain of receiving a complete and concise report that will provide you with clear and realistic risk-mitigation strategies and actions.

ASSESSMENTS BASED ON YOUR NEEDS

DotSec can provide a range of testing and assessment services including PCI DSS and IRAP security audits, cloud (Azure and AWS) security reviews, CPS 234 audits, organisational reviews, blind and informed penetration tests (pen tests), social engineering (including phishing) tests, code reviews and design reviews.

Don't wait until it's too late!

Major compliance frameworks and guidelines (such as the PCI DSS, ISO 27001, CPS 234, and the ISM) recommend or demand that testing be done on a regular basis and/or after a major system change. New systems should be tested early in order to reduce the risks and costs associated with late-stage system redevelopment.

We recently delivered a presso that described how DotSec has used Splunk for a number of interesting projects. (In preparing the presso, I was a bit shocked to discover that we’ve actually been using Splunk now for over 12 years! Fun times!) Anyhow, our presentation was quite interactive, and it covered off four projects which pretty well summarise the work that we do at DotSec on a fairly regular basis:

  1. Splunk for compliance. Lots of our customers have compliance requirements, especially regarding PCI DSS, IRAP and ISO 27001. Other customers are keen to align their computing environment with accepted infosec best practice. Logging, monitoring, reporting and alerting is a big part of achieving compliance with almost any framework or best-practice guideline, and this part of the presso showed how easily DotSec has used Splunk to help in meeting our customers’ compliance goals.

  2. Splunk for due diligence. As shown in at least one news article almost every week, attackers are often successful in their goal of compromising and misusing an organisation’s information systems. When this worst-case event happens, directors and C-level officers need to be able to show that the compromise was not the result of negligence. O365 has been a key component in at least four recent incident-response jobs, so it’s clear that O365 security needs to be included in any due diligence planning. Furthermore, insurance underwriters are increasingly including questions in their coverage applications that seek to understand how effectively an organisation manages and secures its corporate computing environment. This part of the presso discusses Splunk in the context of insurance coverage and obligations.

  3. Splunk for incident prevention. Anyone remember an incident at Equifax? Of course we do, and we also remember that the attackers exfiltrated stolen information over a period of 76 days before they were detected. It’s imperative that organisations use automated tools to monitor all aspects of their computing environment, so that it’s possible to detect and respond quickly to anomalous and/or threatening activities. Without this kind of proactive approach, an organisation will only know that it’s been hosed once the damage has already been done. And of course, this part of the presso shows how DotSec has used Splunk to assist with this kind of incident prevention work.

  4. Splunk for incident response. Knowing that something bad is about to happen (or has just happened) is useful, but it’s obviously also important to contain a security event once such an event has been identified. The questions that are often asked are, “How many systems were hit; how much did we lose; are the attackers still in there?” This section of the presso describes how DotSec has used Splunk to analyse in-progress (or past) security incidents so that the most effective incident-response measures could be enacted.

All in all, it was a good presso, and we received lots of interesting questions. The slides from the presso are available here; please have a look through and let us know if you have any questions or comments.

Until next time!