Identify vulnerabilities before they are exploited by attackers. The Offensive Audit team conducts daily monitoring (CERT) and research (zero day) to maintain a high level of expertise and knowledge of existing vulnerabilities.
Our offers:
- Advanced recognition (OSINT)
- Network, wi-fi and infrastructure / Cloud penetration testing
- Application / mobile application penetration testing
- Code auditing
- Audit of workstations & terminals (camera, printer, IoT)
- Configuration audit
- Organisational and physical security audit
- Awareness campaign (phishing)
- Continuous testing of resources exposed on the Internet with a tool developed internally: MyCyberEyes
Code audit
The objective of the code audit is to identify vulnerabilities in the source code of the application.
We will perform a security review of the sensitive parts of the developed code. The objective is not to review the entire source code, but to focus our attention on critical functions that may have an impact on the security of the entire application.
EvaBssi will adapt its analyses to the particularities of the language (sensitive functions, memory management, calls to external components, etc.).
This audit will be done in two stages:
- Static stage: The auditor combines a step-by-step reading of the code with code analysis tools to detect the use of insecure functions.
- In vivo stage: The auditor analyses the sensitive functions of the code while manually testing the application. Sensitive functions are those parts of the code related to the processing and control of user input. The hypotheses of specific vulnerabilities in the functional and logical aspects detected during the tests will thus be investigated.
During our analysis, the following areas are audited:
- Error handling
- Data validation
- Session management
- Event logging (traceability)
These areas are taken from the OWASP Code Review Guide.
Security audit of the architecture
- The objective of an architecture audit is to assess the security of the choice, positioning and implementation of the hardware and software components implemented in the Information System.
- The audit will verify that the audited architecture complies with the triptych: confidentiality, integrity and availability.
- Particular care will be given to the HDS requirements in order to assess the gap between them and the existing architecture.
The team will analyse all the components forming the architecture of the current IS.
- Documentary analysis (technical architecture)
- Interviews with IT managers & the data centre (DC) provider
- Visit of the DC & a representative site
- Formalisation of the findings & associated risks
- A workshop to share and compare the findings
- A workshop to share recommendations and areas for further development
- A workshop to estimate the financial cost of the recommendations
- Drafting of the report
Security model maturity:
Advanced recognition (OSINT)
The objective of the advanced recognition phase (OSINT - Open Source INTelligence) is to search for information about the company, the person, or any other data that can be used to expand the attack surface. We rely on publicly available data on the Internet.
The information gathering stage makes it possible to collect all the data needed to identify the organisation's attack surface.
We therefore search for data via various channels to facilitate attacks during penetration tests.
- WHOIS databases
- Analysis of DNS records and configuration
- Identification of sub-domains
- Identification of the nature and version of the underlying elements
- Disclosure of technical or confidential information
- Identification of the various administration interfaces
- LinkedIn profiling, in particular to identify the organisation's employees
Network and infrastructure penetration testing
The objective of system and infrastructure penetration tests is to evaluate the security of the components of your Information System publicly exposed on the Internet.
The information retrieval step (see advanced recognition section, above) allows the collection of all data related to a penetration test and to the components included in the scope of the audit.
Once the passive search for information has been carried out, we try to map the Information System as accurately as possible. We carry out these actions using:
- Port scans (exposed services)
- Analysis of web applications
- Identification of underlying systems (banner grabbing and fingerprinting)
Application penetration testing
- The objective of application penetration testing is to assess the security of your entire web application through the detection of vulnerabilities.
- During the application penetration tests, EvaBssi consultants will use the OWASP and OSSTMM methodologies to manually detect vulnerabilities impacting the application: user parameters, administrative part, management of rights within the application, email or document management functionality, etc.
Two types of complementary tests exist:
- "Black box" tests are carried out without any information on the operation of the application, just like an attacker.
- The "grey box" tests, carried out in a second phase, are carried out using additional information on the application (user accounts, rights/privileges matrix, technical documentation, etc.) to simulate the behaviour of a malicious user with minimal knowledge of the application being audited.
Flash audit of RGPD (GDPR) compliance
The objective of this flash RGPD compliance audit is to determine the existing gaps with the key points of the RGPD and to establish a roadmap for the implementation of compliance.
This service is carried out in 3 stages:
- Website review: The EvaBssi auditor goes through the website page by page and identifies compliance/non-compliance with the applicable regulations. Temporary access to authenticated areas will be necessary to explore the entire perimeter.
- Remote exchange with the data controller (DPO): A remote interview with the DPO or the data controller(s) makes it possible to determine whether the personal data processing related to the website is compliant.
- Drafting of deliverables: Construction of a roadmap in order to raise the adequacy of the Information System to the RGPD according to the compliance / non-compliance highlighted.
Penetration testing of mobile applications
- Assess the security of iOS and Android mobile applications and related web services.
- Identify vulnerabilities in mobile applications that could be exploited in the event of device theft/loss or the presence of a malicious application.
Android / iOS application testing focus:
- Storage of sensitive information in clear text on the device
- Permission management, use of keychain (or keystore)
- Use of additional encryption solutions
- Analysis of logs / configuration files / databases
- Securing connections
- Study of authentication and authorisation mechanisms
- Use of vulnerable / obsolete third party libraries
Tests for web services:
- "Black Box": WSDL URLs or URLs identified during the dynamic analysis of the mobile application
- "Grey box" based on web services documentation
Illustration - web services
Internal penetration testing
The objective of internal penetration testing is to assess the security of the target network against an attacker located within it.
Types of tests
- "Black box": performed without any information on the internal network. Simulates a visitor passing through the premises
- "Grey box": performed with additional perimeter information (user accounts) to simulate the behaviour of a malicious user within the internal network
Methodology (not exhaustive)
- Discovery and identification of the network topology
- Search and acquisition of information
Information and vulnerability research
- Port scanning
- Identification of the nature and version of the underlying components
- Identification of the different administration interfaces
Exploitation of vulnerabilities and intrusion
- "Black box" tests without information
- "Grey box" testing by simulating a malicious employee
- "White box" testing to audit the configuration set up for system administrators
Illustration - Attack scenario
Printer audit
The objective of a printer audit is to assess the security of the printing components accessible on your corporate network.
The tests will identify vulnerabilities in the following areas:
- Storage of sensitive information in the clear on the device
- Configuration analysis / event tracking
- Connection security (encrypted flow)
- Study of authentication and authorisation mechanisms
- Verification of firmware versions (vulnerable / obsolete)
Configuration audit
The objective of a configuration audit is to assess the security level of the audited items with respect to security best practices (standards, internal company guidelines and requirements, configuration guides, etc.).
Step 1: Recovering the configuration
- Use of system configuration information collection scripts
Step 2: Static analysis: Review of all the elements collected, paying attention to the following:
- Cryptographic mechanisms used (algorithms, etc.)
- Authentication mechanisms (robustness of devices, etc.)
- Network filtering rules, partitioning between different networks
- Hardening of operating systems, application server configurations and exposed subsidiary services
- Event logging
- Management of security patches
Organisational and physical security audit
The objective of an organisational audit is to assess the compliance of the procedures defined to ensure the proper operational and security functioning of the Information System.
The organisational and physical audit must measure the compliance of the audited information system with the standards and identify the gaps that present the major vulnerabilities of the system. The audit will cover the following two areas:
- Administration, monitoring and operating procedures (security charter, security policy, backup/restore procedure, updating, incident management, staff awareness, etc.)
- Physical security of the company (physical access control - badges, guards, intrusive alarms/cameras, environmental disaster detection - floods, fires, etc.)
Audit of workstations
The purpose of a workstation audit is to assess the security of installed services and programs, as well as the configuration of GPOs (firewalls, restrictions, password policies, etc.) on your corporate workstations.
Wi-Fi penetration testing
- Searching for information
  - Mapping of all access points (APs)
  - Analysis of authentication methods
  - Identification of the network encryption protocols used
  - Identification of the different administration interfaces of the access points
  - Identification of the nature and version of the access points
- Attack scenario (not authenticated on the Wi-Fi network)
  - Setting up a rogue Wi-Fi access point broadcasting the same SSID, in order to capture the pre-shared key (PSK) that grants access to the internal Wi-Fi network
- Vulnerability scanning (authenticated on the Wi-Fi network)
Password audit
The purpose of a password audit is to test the robustness of passwords, in order to assess the level of awareness of employees (and administrators) with regard to IT security in particular, but also to assess the attack surface exposed to external attackers.
- Recovery of files or directories containing password hashes
- Dynamic phase of cracking the hashes, then analysing the results:
  - Cracking of the password hashes
  - Analysis of the results
Example of audit result
Amazon Cloud AWS Audit
The objective of an Amazon Cloud AWS audit is to assess the security of services hosted on the Amazon Cloud. It ensures that all good practices are applied and that no sensitive data from the Information System ends up in the hands of attackers.
The audit guidelines can be summarised in the following audit points:
- Global infrastructure (consistency and business understanding)
- Network filtering rules (inbound, outbound, routing table, NAT, etc.)
- Partitioning between different networks (VLAN segmentation, etc.)
- Authentication mechanisms (robustness of devices, etc.)
- Users and groups
- Event logging (traces)
- Data encryption (encryption via SSE-C or KMS - Key Management Service)
- Hardening of each service individually (EC2, S3, etc.)
Secure development training
- The objective is to present the best practices in terms of secure development. This awareness is achieved by discovering the attacks inherent in web applications, the risk they represent and the recommendations to be implemented.
- We have chosen to base our secure development training sessions on the OWASP (Open Web Application Security Project), whose work targets the main themes of web application development: session management, authentication, user input control, etc.
- Phase 1 - Preparation and customisation of the material according to the context
- Phase 2 - Conducting a training session with up to 10 employees:
- Three-day training session with two EvaBssi Consultants
- Theoretical training and practical case studies
OWASP Top 10 Vulnerabilities
User awareness: phishing campaign
- The objective of phishing campaigns is to raise awareness among users through real-life attacks that are often used by attackers to obtain sensitive information (passwords, logins, bank details, etc.).
- During these awareness campaigns, EvaBssi's objective is to persuade employees to click on or open specially crafted emails in order to access sensitive information.
- Obtaining information about target users
- Name, first name, e-mail address
- Sending fraudulent emails. Depending on the scenario chosen, the emails sent to the various users may contain:
- A standard link
- A link to a malicious site
- A malicious attachment
- Analysis of the results
- Study on the robustness of passwords (if possible)
RedTeam
- Test the perimeter controlled by the Synergy Group's defensive teams (or sensitised employees)
- Check the security rules in real attack conditions
- Identify uncontrolled perimeters
The attack scenarios will be carried out as a unit based on the entry points usually identified. During the course of the audit, others may be identified and added in new scenarios.
RedTeam audits are conducted as follows:
- Target identification meeting
- Formalisation of scenarios
- Validation of scenarios
- Realization of the scenarios on site
- Audit report (feeds into the overall report)
- Presentation of results
Example scenarios
- Attempt to connect physically to the infrastructure, in order to try to take control of it
- Controlled compromise of the server holding sensitive data (NAS, printers, etc.), in order to demonstrate the feasibility of a "ransomware" scenario that could bring the IS to a halt
- Setting up a system of data exfiltration in a permanent way within the company (cf. espionage by e-mail for example)
- Compromise of high-ranking users (or users with high privileges, e.g. admin) via Phishing / Smishing / Vishing attacks
- Stealing wi-fi access (or via social engineering)
- Access to CRM and retrieval of customer/employee data
For the RedTeam engagement, an authorisation mandate stating the test scenarios (including domain names, IP addresses, etc.) must be completed, signed and returned to EvaBssi.
MyCyberEyes
The objective of MyCyberEyes is to continuously test the security of your resources exposed to the Internet and your exposure to cyber risk.
- We detect and alert in real time to new vulnerabilities
- Our R&D team develops new tests and controls continuously, allowing us to adapt to the threat
- We enable our customers to know in real time the level of security of their digital platform exposed to the Internet
- We provide an MCE label to certify the security level of the platform towards third parties
Overview of offers
Our mission is to protect information assets and to guarantee an efficient IS, serving our Clients' businesses.
We have designed our offers around three pillars with complementary and transversal missions.
Mastering the cyber risks of organisations
Identify, protect, detect, respond and recover
Imagine, build and operate innovative and efficient IS
IS and IT security strategy
Assisting CIOs, CISOs and CTOs in the digital transformation and security of companies. By accelerating traditional decision-making cycles, systematically integrating feedback from the field and combining functional, technical and security expertise.
- IT Transformation Strategy / roadmap and business case
- Market watch: state of the art / RFI / RFQ
- Conduct of consultation / Call for tenders (RFP)
- Architectural design and project scoping
- Audit and risk analysis
- Marketing of IT offers
- Identification of use case data / workshop
- Data Project Development
- 360° cyber diagnostic
OPS Centre of Excellence
Ensuring performance and security in a world where the IS is an essential pillar of the business. We operate all or part of the information system by offering a high level of technical qualification and by adopting the best market practices.
Risk and Compliance Governance
Anticipating and controlling cyber risks, which are increasingly numerous, polymorphic and constantly evolving. By positioning GRC as the founding element of overall cybersecurity management, and by advocating a proactive approach that allows continuous adaptation to change.
- Code audit
- Security audit of the architecture
- Advanced recognition (OSINT)
- Network and infrastructure penetration testing
- Application penetration testing
- Flash audit of RGPD (GDPR) compliance
- Penetration testing of mobile applications
- Internal penetration testing
- Printer audit
- Configuration audit
- Organisational and physical security audit
- Audit of workstations
- Password audit
- Amazon Cloud AWS audit
- Secure development training
- User awareness: phishing campaign
- RedTeam (1/2)
- RedTeam (2/2)