Some of our services include:
- Web Application and API Assessments
- External, Internal and Wireless Infrastructure Assessments
- Mobile Application Assessments
- Cloud Service Tenant (e.g., M365, AWS) Reviews
- Firewall and Remote Access Configuration Reviews
- Server and Workstation Build Reviews
- Social Engineering (Physical Access & Phishing)
- IT Health Checks
- Cyber Essentials (Basic & Plus)
- PCI DSS Requirement 11.3 Testing
And more…
Our security testing services are designed to help you safeguard your infrastructure, applications, systems and data from a broad range of malicious actors.
External and Internal Infrastructure Assessment
Our consultants will assess your organisation’s external and internal IT footprint. The assessment would typically begin from the perspective of an unauthenticated rogue user. Network reconnaissance is performed to identify active nodes and key/interesting targets. Port scanning is conducted to enumerate active services on each target. Furthermore, automated vulnerability scanning is also performed to detect any known network-level vulnerabilities. Once a list of potential vulnerabilities is collected, these are verified manually and security flaws that are deemed safe to exploit would be exploited to demonstrate the impact a real attack could have.
Web Application and API Assessment
Open Web Application Security Project (OWASP) is used as the base for our Web Application and API assessments. A typical assessment would include (but is not limited to) the following areas: configuration management, transport layer security, authentication, authorisation, session management, data validation and business logic. For any valid vulnerabilities a proof-of-concept exploit would be created to demonstrate impact.
Cloud Service Review
Many companies rely on Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) or Software-as-a-Service (SaaS) cloud solutions for their business needs. As these often form an integral part of the business, security assurance should be sought.
We use a combination of automated tools and manual review to evaluate the current tenant or deployment configuration against the National Cyber Security Centre (NCSC) Cloud Security Principles, Center for Internet Security (CIS) Benchmarks or the vendor’s security best practice guidelines to provide assurance.
Mobile Application Assessment
Open Web Application Security Project (OWASP) Mobile Testing Guide is used as the base for our mobile application security review. A typical assessment would include (but is not limited to) the following: improper platform usage, reverse engineering, weak server-side controls, insufficient cryptography, insecure communication, authentication, authorisation and data storage. The engagement would typically cover the security of the application binary and its interaction with the remote API endpoint.
Wireless Infrastructure Assessment
Wireless network testing can often be included as part of an internal assessment for little additional time. For a network that can often be easily accessed outside of your organisation’s walls, it is recommended to ensure the security controls implemented are robust.
Common vulnerabilities such as poorly configured Access Points, wireless signal bleed, the use of weak encryption standards, Pre-Shared Keys (PSK) or authentication methods would be checked. Furthermore, network segmentation would be verified where appropriate.
Server and Workstation Build Reviews
Servers and workstations are at the core of any large enterprise. Build reviews ensure your devices adhere to a defined set of best security and hardening practices. These could be based on the National Cyber Security Centre (NCSC) guidelines, Center for Internet Security (CIS) Benchmarks, Cyber Essentials Plus, vendor guidelines or your own internal policies. The main focus is on policy compliance.
Firewall Review
Firewall reviews could be performed to achieve different requirements ranging from a simple audit of the ruleset and device configuration against best practices to a more contextual review based upon your unique environment. The process typically includes reviewing the ruleset for legacy or “overly permissive” rules, and checking the firewall configuration for known weaknesses, vulnerabilities and adherence to best practices.
Social Engineering – Physical Access
Our security consultants don’t only hack IT systems, they are also highly skilled in exploiting the weaknesses in processes by leveraging human behaviour. We use social engineering techniques to ensure that your trusted gatekeepers are aware of the risks they face and are prepared.
Depending on requirements, typical steps would include: site surveillance, access controls bypass, “tailgating”, user or third-party contractor impersonation and planting a remote access device.
Social Engineering – Phishing / Vishing
Phishing is a Social Engineering technique, which involves trying to obtain sensitive information or trigger an action using deceptive e-mails and websites. With ever-changing techniques, malicious emails and attachments are becoming harder to spot. Do you know how effectively your staff could spot a potential suspicious email?
Our phishing assessments are tailored around each client’s individual requirements in a surprisingly short amount of time. Combining the assessments with user training provides a tangible way of measuring progress.
Cyber Essentials
Cyber Essentials is an effective, Government-backed scheme that will help you to protect your organisation, whatever its size, against a whole range of the most common cyber attacks. There are two levels of certification:
- Cyber Essentials Basic, consists of us validating your self-assessed questionnaire. This certification gives you peace of mind that you have suitable defences in place to protect your organisation against the vast majority of common cyber attacks.
- Cyber Essentials Plus, a Cyber Essentials Basic top-up, which also includes a technical audit of elements defined within the accreditation scope. As opposed to self-assessment, obtaining Cyber Essentials Plus demonstrates that your security controls have been validated by an independent auditor.
Why should you get Cyber Essentials?
- Reassure customers that you are working to secure your IT against cyber attack.
- Attract new business with the promise you have cyber security measures in place.
- To have a clear picture of your organisation’s cyber security level.
- Some Government contracts require Cyber Essentials certification.
External and Internal Infrastructure Assessment
Our consultants will assess your organisation’s external and internal IT footprint. The assessment would typically begin from the perspective of an unauthenticated rogue user. Network reconnaissance is performed to identify active nodes and key/interesting targets. Port scanning is conducted to enumerate active services on each target. Furthermore, automated vulnerability scanning is also performed to detect any known network-level vulnerabilities. Once a list of potential vulnerabilities is collected, these are verified manually and security flaws that are deemed safe to exploit would be exploited to demonstrate the impact a real attack could have.
Web Application and API Assessment
Open Web Application Security Project (OWASP) is used as the base for our Web Application and API assessments. A typical assessment would include (but is not limited to) the following areas: configuration management, transport layer security, authentication, authorisation, session management, data validation and business logic. For any valid vulnerabilities a proof-of-concept exploit would be created to demonstrate impact.
Cloud Service Review
Many companies rely on Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) or Software-as-a-Service (SaaS) cloud solutions for their business needs. As these often form an integral part of the business, security assurance should be sought.
We use a combination of automated tools and manual review to evaluate the current tenant or deployment configuration against the National Cyber Security Centre (NCSC) Cloud Security Principles, Center for Internet Security (CIS) Benchmarks or the vendor’s security best practice guidelines to provide assurance.
Mobile Application Assessment
Open Web Application Security Project (OWASP) Mobile Testing Guide is used as the base for our mobile application security review. A typical assessment would include (but is not limited to) the following: improper platform usage, reverse engineering, weak server-side controls, insufficient cryptography, insecure communication, authentication, authorisation and data storage. The engagement would typically cover the security of the application binary and its interaction with the remote API endpoint.
Wireless Infrastructure Assessment
Wireless network testing can often be included as part of an internal assessment for little additional time. For a network that can often be easily accessed outside of your organisation’s walls, it is recommended to ensure the security controls implemented are robust.
Common vulnerabilities such as poorly configured Access Points, wireless signal bleed, the use of weak encryption standards, Pre-Shared Keys (PSK) or authentication methods would be checked. Furthermore, network segmentation would be verified where appropriate.
Server and Workstation Build Review
Servers and workstations are at the core of any large enterprise. Build reviews ensure your devices adhere to a defined set of best security and hardening practices. These could be based on the National Cyber Security Centre (NCSC) guidelines, Center for Internet Security (CIS) Benchmarks, Cyber Essentials Plus, vendor guidelines or your own internal policies. The main focus is on policy compliance.
Firewall Review
Firewall reviews could be performed to achieve different requirements ranging from a simple audit of the ruleset and device configuration against best practices to a more contextual review based upon your unique environment. The process typically includes reviewing the ruleset for legacy or “overly permissive” rules, and checking the firewall configuration for known weaknesses, vulnerabilities and adherence to best practices.
Social Engineering – Phishing / Vishing
Phishing is a Social Engineering technique, which involves trying to obtain sensitive information or trigger an action using deceptive e-mails and websites. With ever-changing techniques, malicious emails and attachments are becoming harder to spot. Do you know how effectively your staff could spot a potential suspicious email?
Our phishing assessments are tailored around each client’s individual requirements in a surprisingly short amount of time. Combining the assessments with user training provides a tangible way of measuring progress.
Social Engineering – Physical Access
Our security consultants don’t only hack IT systems, they are also highly skilled in exploiting the weaknesses in processes by leveraging human behaviour. We use social engineering techniques to ensure that your trusted gatekeepers are aware of the risks they face and are prepared.
Depending on requirements, typical steps would include: site surveillance, access controls bypass, “tailgating”, user or third-party contractor impersonation and planting a remote access device.
Cyber Essentials
Cyber Essentials is an effective, Government-backed scheme that will help you to protect your organisation, whatever its size, against a whole range of the most common cyber attacks. There are two levels of certification:
- Cyber Essentials Basic, consists of us validating your self-assessed questionnaire. This certification gives you peace of mind that you have suitable defences in place to protect your organisation against the vast majority of common cyber attacks.
- Cyber Essentials Plus, a Cyber Essentials Basic top-up, which also includes a technical audit of elements defined within the accreditation scope. As opposed to self-assessment, obtaining Cyber Essentials Plus demonstrates that your security controls have been validated by an independent auditor.
Why should you get Cyber Essentials?
- Reassure customers that you are working to secure your IT against cyber attack.
- Attract new business with the promise you have cyber security measures in place.
- To have a clear picture of your organisation’s cyber security level.
- Some Government contracts require Cyber Essentials certification.