CYBER SECURITY SERVICES LONDON – BE CYBERSAFE!

It's not often a day passes without news of another firm being hit by a cyber crime or data breach. There really is no excuse for not taking steps to minimise the risk, just as you already do for health and safety, first aid, etc.

It's not only the direct loss of funds that is at risk: brand damage and disruption to your business from planned attacks, which are becoming more and more likely, are at stake too.

Cyber Security Bundles

  • Vulnerability Assessment
  • Penetration Testing
  • Cyber Security Program Development (typically for Enterprise Companies)

Certifications

Our security engineers are certified with: Offensive Security Certified Professional (OSCP), GIAC Web Application Penetration Tester (GWAPT), Certified Ethical Hacker (CEH) and Certified Information Security Manager (CISM).

If on-site presence is preferred, the rates stay the same; we just add the travel and accommodation costs. You can order specific parts of the services below; the minimum is 1 day. All White-Box tests require some level of collaboration with the development team (user accounts, architecture diagrams, location of sensitive details, etc.). Black-Box tests do not require any additional details.

Vulnerability Assessment (starting package, one day)

Black-Box Pentest - Web and Network Pentesting - Attacks without authentication

  • 20% manual investigation, 80% automated scanning tools
  • Discovery of sensitive public information about the system
  • SQL Injection in authentication mechanism
  • Direct page access without authentication
  • Webserver sensitive files access
  • Brute-force
  • Admin account discovery and brute-force
  • Server side exploitation: services exploits, misconfigurations, brute-force
  • Business logic: reset password of other users, user enumeration
  • Public exploits
  • User registration process
  • Scanning of ports
  • SSL test: weak ciphers usage, sensitive information sent unencrypted, SSL vulnerabilities: Sweet32, BEAST, Padding and others.
  • Review banners and exploitability for every service

White-Box Pentest – Web and Network Pentesting

  • Authorisation checks
  • Unauthenticated users accessing and altering resources of simple and admin users
  • Web Server configuration: error codes, stack traces with sensitive information, HTTP splitting, config files exposure
  • Testing segmentation (for network infrastructure)

Penetration Testing (starting package, two man-days)

Black-Box Pentest – Web and Network Pentesting – Attacks without authentication

  • 20% automated tools, 80% manual investigation and exploitation
  • Discovery of sensitive public information about the system
  • SQL Injection in authentication mechanism
  • Direct page access without authentication
  • Webserver sensitive files access
  • Brute-force
  • Admin account discovery and brute-force
  • Server side exploitation: services exploits, misconfigurations, brute-force
  • Business logic: reset password of other users, user enumeration
  • Public exploits
  • User registration process
  • and many more.

White-Box Pentest – Web and Network Pentesting
  • Authorisation checks
  • Unauthenticated users accessing and altering resources of simple and admin users
  • Simple users accessing and altering resources of admin users
  • Users accessing resources of other users (horizontal attacks)
  • Path traversal: accessing server files in browser
  • Privilege escalation
  • Users provisioning for themselves admin permission
  • Local privilege escalation on server side: from local to root
  • Technology specific vulnerabilities
  • Programming language vulnerabilities
  • Framework vulnerabilities
  • Web server
  • Depending on the technology type discovered, public vulnerabilities for those technologies are tested
  • Web Application & Server specific vulnerabilities
  • Injection Attacks: SQL injection, XSS, HTML, XXE, Code injection, Buffer Overflow, Server side command injection
  • Client Side: Open redirects, ClickJacking, CSS injection, Local storage
  • SSL test: weak ciphers usage, sensitive information sent unencrypted, SSL vulnerabilities: Sweet32, BEAST, Padding and others.
  • Business logic: payments, password change, application misuse scenarios, request forgery, hidden content, process timing (race condition)
  • File upload: malicious file upload, unexpected file upload, server side control using ASP webshells
  • Web Server configuration: error codes, stack traces with sensitive information, HTTP splitting, config files exposure

Cyber Security Program Development (long term planning and strategy)

A long term plan to develop the security posture of a company, based on the Capability Maturity Model. At the end of this period the client will have confidence that its Risk Profile reaches the desired level.

  • on-site and off-site meetings with Consultant
  • complete Program Plan, with all the implied projects
  • coaching throughout the implementation

Subjects Covered:

  • Security Basics: Social Engineering, Physical security, Desktop security, Wireless networks, Password security, Malware
  • Risk Management and Compliance (Risk Catalog; definition of desired certification for example ISO 27001, PCI-DSS, etc.; local and international laws)
  • Roles and Responsibilities (CSO; CISO; CEO)
  • IT Security Governance (Risk Profile; Industry requirements)
  • IT Security Process and Program Management (yearly plan: awareness training, penetration testing, audits)
  • Defining and Monitoring the Security Posture (KPIs)

GET IN TOUCH

For free specialist advice about your company's IT, telephony and overall support requirements, please fill in your details below and we'll respond to you shortly. If urgent please call 0203 759 5052.