Penetration tests
A penetration test (pen test) is an exercise, conducted by a careful, skilled assessor, that seeks to discover, exploit and report on vulnerabilities in the target asset(s).
Pen testing includes both automated and manual tools and techniques that allow the assessor to simulate an attack on asset(s) as defined within the scope of the assessment.
Standards such as the PCI DSS note that penetration tests must be conducted at least annually and after any significant infrastructure or application upgrade or modification.
Whether your organisation requires white, black or grey-box, and/or external or internal testing, DotSec’s assessors have various certifications and perform penetration testing on targets including web applications, corporate networks, mobile apps, APIs and WiFi networks, and more!
PCI DSS Assessments
All businesses that handle credit card (also known as cardholder) data must comply with the Payment Card Industry Data Security Standard (PCI DSS v4.0 or v3.2.1), a set of stringent guidelines that is maintained by the PCI Standards Security Council (SSC).
DotSec is a Payment Card Industry (PCI) Qualified Security Assessor (QSA) company. This means that DotSec is qualified to assess entities (including on-line merchants, payment processors and service providers) for compliance with the PCI Data Security Standard (DSS). We can also assist with the preparation of Self Assessment Questionnaires (SAQs).
DotSec has built systems that are compliant with the PCI DSS and we can assist with the preparation of all your PCI DSS compliance and reporting requirements, from gap-analysis and remediation work, through to Attestations of Compliance (AOCs) and Reports on Compliance (ROCs).
ISO/IEC 27001:2022 Certification
DotSec can assist your organisation to meet your ISO/IEC 27001:2022 objectives by conducting organisational reviews with reference to the control objectives listed in Annex A.
ISO 27001 certification signals to customers, partners, and stakeholders that your organization takes data security seriously. It builds trust and can even give your organization a competitive edge. As more businesses and consumers become conscious of data security, being ISO 27001 certified could become a deciding factor for consumers when choosing between you and your competitors.
ISO 27001 is not just a certification; it’s a strategic investment that can lead to improved business processes, increased customer confidence, enhanced reputation, and overall business growth. Let DotSec deliver experienced, certified ISMS Lead Implementers and Lead Assessors to help your business realise the maximum return on your ISO 27001 investment.
Capability Maturity assessments
Assessments generally take the form of an informed review across the entire organisation, and will generally be conducted with reference to selected controls from the CIS Essential Controls, as well as selected controls from ISO/IEC 27002:2002 and the Australian Privacy Principles (APPs). More mature organisations may consider the NIST CSF (or one of the industry-specific profiles) for a more thorough assessment.
The CIS Essential Controls are a set of 18 cyber security Controls, each of which contain between 5 and 14 Safeguards or defensive actions. The CIS Essential Controls provide a good, technically-focussed control framework and maturity model, but they do not do a good job of addressing GRC considerations and so for this reason, DotSec will also refer to selected controls from the Australian Privacy Principles (APPs) and from ISO/IEC 27002:2002.
Phishing and social engineering
Criminal groups (as well as others) use phishing as a means to infiltrate organisations, undertake ransomware attacks, gather credentials for subsequent impersonation attacks, or simply to destroy target assets.
DotSec conducts phishing (and more generally, social engineering) tests in order to demonstrate to your users how phishing attacks work, highlight shortcomings in your organisation’s cyber-training program, and help to reduce the associated risks associated with phishing and social engineering.
Phishing tests are most effective when combined with security awareness training, providing both testing and improvement metrics. Ask about our packaged testing and education services to understand more.
Red team and adversary emulation
Mature organisations may find that penetration tests provide less benefit that they once did, and these organisations are more likely to benefit from various adversary emulation exercises.
In summary, red-teaming is the process of simulating an attack from an outside adversary, such as a hacker or a nation-state, to test an organization’s defenses. Blue-teaming, on the other hand, is the process of defending against simulated attacks, and Purple-teaming is (you guessed it!) a combination of red and blue teaming.
If your organisation has achieved a certainly level of security maturity and wants to develop a comprehensive understanding of their risk profile, then adversary emulation exercises are likely to provide good value for money.
CIS Essential controls
The CIS Controls are a set of internationally-recognised, best-practice security recommendations developed by a community of information security experts.
The controls are organised into 18 control categories, or security domains (listed in Annex A) and are ranked in terms of priority by their allocation to one of three implementation groups. Implementation groups (or IGs) provide a way for organisations to assess and improve on their security maturity over time.
To help your organisation align with the CIS Controls, DotSec can provide you with specific, actionable recommendations that are practical to implement.
ASD/ACSC Essential 8
The Essential Eight is a set of eight controls developed by the ASD which are designed to protect (primarily) Microsoft Windows-based internet-connected networks. Organisations who want to protect themselves against various cyber threats should aim to meet a target maturity level that is suitable for their environment.
DotSec can conduct an assessment of your computing environment with reference to the requirements of an appropriate ASD Essential 8 maturity level. We can then help you to create and/or update and improve appropriate policy, procedure, standards and planning documentation to reflect the improvements that you have made while meeting your target ASD Essential 8 maturity level.
Two decades of penetration tests and security reviews
DotSec assessors have over 23 years of experience, not just in penetration tests and security reviews but also in secure-systems design, development, deployment and maintenance. Our understanding of what it takes to develop and maintain secure systems allows our assessors to deliver unique and valuable results.
OPPORTUNITIES, NOT PROBLEMS
An assessment report that focusses on shortcomings and vulnerabilities is pointless! DotSec has 20 years of experience in building secure systems so our assessment reports include detailed descriptions of how vulnerabilities and short-comings may be addressed, in a practical and reasonable manner.
INDEPENDENT & EXPERIENCED
When it comes to assessment and testing, DotSec works with you to understand your business processes, identify your assets, and assess and then manage your risks. You can be certain of receiving a complete and concise report that will provide you with clear and realistic risk-mitigation strategies and actions.
ASSESSMENTS BASED ON YOUR NEEDS
DotSec can provide a range of testing and assessment services including PCI DSS and IRAP security audits, Cloud (Azure and AWS) security reviews, CPS 234 audits, organisational reviews, blind and informed penetration pests (pen tests), social engineering (including phishing) tests, code reviews and design reviews.