A penetration test allows us to establish the security level of an IT system by carrying out actual attacks. The penetration techniques used are identical to those used by malicious and experienced hackers. The penetration is usually performed with a minimal amount of information on the chosen targets.
The advantages of penetration tests:
- We focus on the weaknesses most likely to be identified and used by attackers.
- It allows us to carry out tests of a scope which cannot be fully analysed using “white-box” methodology.
- It highlights the risks and influences the way the organisation thinks about security, by demonstrating the attack scenarios and their results.
Penetration tests can be carried out on different scopes:
- IP address ranges accessible from the Internet, to detect and assess the most vulnerable entry points.
- A selection of applications to target the efforts on the most sensitive assets.
- The workstations of targeted employees, by sending e-mails aimed at establishing a communication channel with the internal network. This technique is commonly used during targeted attacks.
- Internal network systems, to assess their reliability when attacked by someone having gained access to the network, or within the framework of a malicious employee scenario.
A security audit allows us to validate the security of an IT system by a systematic review of its implementation and configuration. The audit is carried out using a “white-box” approach where all the needed information is analysed to detect possible weaknesses. In addition, we can carry out a penetration test to validate the presence and the impact of weaknesses.
The advantages of a security audit:
- It allows us to discover complex weaknesses which are not necessarily easy to identify in a short space of time using a “black-box” penetration test.
- It lowers the probability of missing significant weaknesses.
- It allows us to validate that best practices are enforced (for example PCI-DSS, ARJEL or RGS).
The choice of perimeter depends on the budget and on the degree of coverage requested. Several types of audits exist:
- Configuration review: operating systems, databases, web servers, application servers
- Source code security review
- Network architecture review
- Security procedures review
Advisory, Consulting, Research and Development
Synacktiv assists certain clients with highly technological projects and has developed an expertise in different areas:
- Mobile phone security (Android, iOS, BlackBerry, Windows Phone, Symbian OS, etc.)
- Cloud-based applications (Google App Engine, Amazon Web Services)
- Embedded systems security (Set-Top Box, video-conference systems, etc.)
- Mainframes (AS/400, System i, z/OS, etc.)
- Reverse-engineering of communication protocols and software
- Design of specific security tools
- System configuration hardening
Synacktiv shares its IT expertise through made-to-measure training sessions adapted to each client's needs. The most frequently requested subjects are the following:
- Practical Penetration Testing
- Vulnerability research
- Secure Programming
- Secure Development Lifecycle