Offensive audit

Identify vulnerabilities before attackers exploit them. The Offensive Audit team performs daily threat monitoring (CERT watch) and vulnerability research (zero-day) to maintain a high level of expertise and up-to-date knowledge of known vulnerabilities.

Our offers:

  • Advanced reconnaissance (OSINT)
  • Network, Wi-Fi and infrastructure / Cloud penetration testing
  • Application / mobile application penetration testing
  • Code audit
  • Audit of workstations & terminals (cameras, printers, IoT)
  • Configuration audit
  • Organisational and physical security audit
  • Awareness campaign (phishing)
  • Continuous testing of resources exposed on the Internet with a tool developed in-house: MyCyberEyes

The offers

Code audit

Objectives

The objective of the code audit is to identify vulnerabilities in the source code of the application.
We will perform a security review of the sensitive parts of the developed code. The objective is not to review the entire source code, but to focus our attention on critical functions that may have an impact on the security of the entire application.
EvaBssi will adapt its analyses to the particularities of the language (sensitive functions, memory management, calls to external components, etc.).

Realization

This audit will be done in two stages:

  • Static stage: the auditor combines a step-by-step reading of the code with code analysis tools to detect the use of insecure functions.
  • Dynamic (in vivo) stage: the auditor analyses the sensitive functions of the code while manually testing the running application. Sensitive functions are the parts of the code that process and validate user input. Hypotheses about specific functional and business-logic vulnerabilities raised during the tests are then checked against the code.

During our analysis, the following areas are audited:

  • Authentication
  • Authorization
  • Cryptography
  • Error handling
  • Data validation
  • Session management
  • Event logging (traceability)

These areas follow the OWASP Code Review Guide.

Security audit of the architecture

Objectives

  • The objective of an architecture audit is to assess the security of the choice, positioning and implementation of the hardware and software components that make up the Information System.
  • The audit verifies that the audited architecture upholds the CIA triad: confidentiality, integrity and availability.
  • Particular attention is given to the HDS (French health data hosting) requirements, in order to measure the gap between them and the existing architecture.

Realization

The team will analyse all the components forming the architecture of the current IS.

  • Documentary analysis (technical architecture)
  • Interviews with IT managers and the data centre (DC) provider
  • Visit to the data centre and to a representative site
  • Formalisation of the findings & associated risks
  • A workshop to share and compare the findings
  • A workshop to share recommendations and areas for further development
  • A workshop to estimate the financial cost of the recommendations
  • Drafting of the report
  • Presentation

Illustration - Security model maturity

Advanced reconnaissance (OSINT)

Objectives

The objective of the advanced reconnaissance phase (OSINT, Open Source INTelligence) is to search for information about the company, its people, or any other data that can be used to expand the attack surface, relying only on data publicly available on the Internet.

Realization

The information gathering stage makes it possible to collect all the data needed to identify the organisation's attack surface.

We therefore search for data through various channels to support the attacks carried out during the penetration tests:

  • WHOIS databases
  • Analysis of DNS records and configuration
  • Identification of sub-domains
  • Identification of the nature and version of the underlying components
  • Disclosure of technical or confidential information
  • Identification of the various administration interfaces
  • LinkedIn profiling, in particular to identify the organisation's employees

Network and infrastructure penetration testing

Objectives

The objective of system and infrastructure penetration tests is to evaluate the security of the components of your Information System publicly exposed on the Internet.

Realization

The information gathering step (see the advanced reconnaissance section above) collects all the data relevant to the penetration test and to the components within the scope of the audit.

Once the passive search for information is complete, we map the Information System as accurately as possible, using:

  • Port scans (exposed services)
  • Analysis of web applications
  • Identification of underlying systems (banner grabbing and fingerprinting)
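The mapping steps above (port scan, then banner grabbing and fingerprinting of what answers) can be shown end to end without touching a real target. The following is an added example for this page, not EvaBssi's own tooling: it starts a constructed stand-in service on 127.0.0.1 that sends a chosen banner, connects to it the way a scanner would, and matches the banner against a small, assumed table of product signatures. The banner strings and the signature table are assumptions; a real engagement uses a full scanner and a far larger fingerprint database, and the version found here is only a hypothesis to confirm by other means.

```python
"""Port probe, banner grab and fingerprint against a local stand-in service (added example)."""
import re
import socket
import threading


def _serve_banner(srv: socket.socket, banner: bytes) -> None:
    # Accept one client, send the banner, close: enough to be grabbed once.
    conn, _ = srv.accept()
    with conn:
        conn.sendall(banner)
    srv.close()


def start_fake_service(banner: bytes) -> int:
    """Constructed stand-in for an exposed service; returns the ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    threading.Thread(target=_serve_banner, args=(srv, banner), daemon=True).start()
    return srv.getsockname()[1]


def grab_banner(host: str, port: int, timeout: float = 2.0) -> bytes:
    """TCP connect, then read whatever the service volunteers first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(512)
        except socket.timeout:
            return b""  # open port, silent service (client-speaks-first protocol)


# Assumed signature table: (regex on the banner, product name).
BANNER_PATTERNS = [
    (re.compile(rb"^SSH-2\.0-OpenSSH_([\d.]+p?\d*)"), "OpenSSH"),
    (re.compile(rb"^220 .*ESMTP Postfix"), "Postfix SMTP"),
    (re.compile(rb"^Server: nginx/([\d.]+)", re.M), "nginx"),
]


def fingerprint(banner: bytes) -> dict:
    """Map a raw banner to a product and, when advertised, a version."""
    for pattern, product in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            version = m.group(1).decode() if m.groups() else None
            return {"product": product, "version": version}
    return {"product": "unknown", "version": None}


def scan_ports(host: str, ports) -> dict:
    """Port -> fingerprint dict for open ports, None for closed/filtered ones."""
    results = {}
    for port in ports:
        try:
            banner = grab_banner(host, port)
        except OSError:
            results[port] = None
            continue
        results[port] = fingerprint(banner)
    return results


if __name__ == "__main__":
    ssh_port = start_fake_service(b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n")
    smtp_port = start_fake_service(b"220 mail.example.test ESMTP Postfix\r\n")
    for port, info in scan_ports("127.0.0.1", [ssh_port, smtp_port]).items():
        print(port, info)
```

The version string is what the service claims, not what is installed: distributions backport fixes without changing it, so a banner is the start of the vulnerability research, not a finding in itself.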

Application penetration testing

Objectives

  • The objective of application penetration testing is to assess the security of your entire web application through the detection of vulnerabilities.
  • During the application penetration tests, EvaBssi consultants will use the OWASP and OSSTMM methodologies to manually detect vulnerabilities impacting the application: user parameters, administrative part, management of rights within the application, email or document management functionality, etc.

Realization

Two complementary types of test exist:

  • "Black box" tests are carried out without any information on how the application works, just as an external attacker would.
  • "Grey box" tests, carried out in a second phase, use additional information on the application (user accounts, rights/privileges matrix, technical documentation, etc.) to simulate a malicious user with limited knowledge of the audited application.

Flash audit of GDPR (RGPD) compliance

Objectives

The objective of this flash GDPR compliance audit is to identify the gaps against the key requirements of the GDPR and to establish a roadmap for achieving compliance.

Realization

This service is carried out in 3 stages:

  • Website review: the EvaBssi auditor goes through the website page by page and records compliance or non-compliance with the applicable regulations. Temporary access to authenticated areas is required to cover the whole perimeter.
  • Remote interview with the DPO or data controller(s): determines whether the personal data processing related to the website is compliant.
  • Drafting of deliverables: a roadmap to bring the Information System into line with the GDPR, based on the compliance and non-compliance points identified.

Penetration testing of mobile applications

Objectives

  • Assess the security of iOS and Android mobile applications and related web services.
  • Identify vulnerabilities in mobile applications that could be exploited in the event of device theft/loss or the presence of a malicious application.

Realization

Android / iOS application tests focus on:

  • Storage of sensitive information in clear text on the device
  • Permission management, use of the keychain (iOS) or keystore (Android)
  • Use of additional encryption solutions
  • Analysis of logs / configuration files / databases
  • Securing connections
  • Study of authentication and authorisation mechanisms
  • Use of vulnerable / obsolete third party libraries

Tests of the back-end web services:

  • "Black box": WSDL URLs or URLs identified during the dynamic analysis of the mobile application
  • "Grey box": based on the web services documentation

Illustration - web services

Internal penetration testing

Objectives

The objective of internal penetration testing is to assess the security of the target network against an attacker already located within it.

Realization

Types of tests

  • "Black box": performed without any information on the internal network; simulates a visitor with physical access to a network port
  • "Grey box": performed with additional information on the perimeter (user accounts) to simulate the behaviour of a malicious user inside the internal network

Methodology (non-exhaustive)

  • Discovery and identification of the network topology
  • Search and acquisition of information
  • Exploitation

Printer audit

Objectives

  • The objective of a printer audit is to assess the security of the printing components accessible on your corporate network
  • The tests identify vulnerabilities in the following areas:
    • Storage of sensitive information in the clear on the device
    • Configuration analysis / event tracking
    • Connection security (encrypted flows)
    • Study of authentication and authorisation mechanisms
    • Verification of firmware versions (vulnerable / obsolete)

Realization

Information and vulnerability research

  • Port scanning
  • Identification of the nature and version of the underlying components
  • Identification of the different administration interfaces

Exploitation of vulnerabilities and intrusion

  • "Black box" tests, without information
  • "Grey box" tests, simulating a malicious employee
  • "White box" tests, auditing the configuration set up by the system administrators

Illustration - Attack scenario

Configuration audit

Objectives

The objective of a configuration audit is to assess the security level of the audited items with respect to security best practices (standards, internal company guidelines and requirements, configuration guides, etc.).

Realization

Step 1: Collecting the configuration

  • Use of scripts that collect system configuration information

Step 2: Static analysis: review of all the collected elements, with attention to the following points

  • Cryptographic mechanisms used (algorithms, etc.)
  • Authentication mechanisms (robustness of the mechanisms, etc.)
  • Network filtering rules, partitioning between the different networks
  • Hardening of operating systems, application server configurations and exposed ancillary services
  • Event logging
  • Management of security patches
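Step 2 is mechanical for the part of a configuration that can be compared with a written baseline. The following is an added example for this page, not EvaBssi's collection scripts: it parses an OpenSSH server configuration (as collected in step 1, for instance with `cat /etc/ssh/sshd_config` on the host) and compares the global directives with an assumed hardening baseline. The baseline values, the expected OpenSSH defaults used when a directive is absent, and the sample configuration are all assumptions for illustration; the parser follows two real sshd rules that matter for the verdict: the first occurrence of a directive wins, and directives inside a `Match` block do not change the global setting.

```python
"""Static analysis of a collected sshd_config against a hardening baseline (added example)."""

# Assumed baseline: directive, predicate on the effective value, OpenSSH default when absent.
SSHD_BASELINE = [
    ("PermitRootLogin", lambda v: v == "no", "prohibit-password"),
    ("PasswordAuthentication", lambda v: v == "no", "yes"),
    ("PermitEmptyPasswords", lambda v: v == "no", "no"),
    ("X11Forwarding", lambda v: v == "no", "no"),
    ("MaxAuthTries", lambda v: v.isdigit() and int(v) <= 4, "6"),
]


def parse_sshd_config(text: str) -> dict:
    """Global directives only (lowercased key -> value); first occurrence wins."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break  # everything after the first Match block is conditional
        if key not in effective:
            effective[key] = parts[1].strip().lower() if len(parts) > 1 else ""
    return effective


def check_sshd(text: str) -> list:
    """One finding per baseline directive whose effective value fails the predicate."""
    effective = parse_sshd_config(text)
    findings = []
    for directive, ok, default in SSHD_BASELINE:
        key = directive.lower()
        if key in effective:
            value, source = effective[key], "explicit"
        else:
            value, source = default, "default"
        if not ok(value):
            findings.append({"directive": directive, "value": value, "source": source})
    return findings


# Constructed sample of a collected sshd_config (not from any real host).
SAMPLE_SSHD_CONFIG = """\
# sshd_config collected during step 1
Port 22
PermitRootLogin yes
#PasswordAuthentication no     <- commented out, so the default (yes) applies
X11Forwarding no
MaxAuthTries 6
MaxAuthTries 3                 <- ignored: sshd keeps the first occurrence
Match User backup
    PasswordAuthentication no  <- conditional, does not fix the global setting
"""

if __name__ == "__main__":
    for f in check_sshd(SAMPLE_SSHD_CONFIG):
        print(f"{f['directive']} = {f['value']} ({f['source']}) does not meet the baseline")
```

Reporting the source of each value ("explicit" or "default") matters in the write-up: a directive that is merely absent is a different remediation, and a different conversation with the administrator, from one that was deliberately set to a weak value.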

Organisational and physical security audit

Objectives

The objective of an organisational audit is to assess compliance with the procedures defined to ensure the proper operational and security functioning of the Information System.

Realization

The organisational and physical audit must measure the compliance of the audited information system with the standards and identify the gaps that present the major vulnerabilities of the system. The audit will cover the following two areas:

  • Administration, monitoring and operating procedures (security charter, security policy, backup/restore procedure, updating, incident management, staff awareness, etc.)
  • Physical security of the company (physical access control: badges, guards, intrusion alarms/cameras; environmental hazard detection: floods, fires, etc.)

Audit of workstations

Objectives

The purpose of a desktop audit is to assess the security of installed services and programs, as well as the configuration of GPOs (firewalls, restrictions, password policies, etc.) on your corporate desktop.

Realization (Wi-Fi network audit)

  • Information gathering
    • Mapping of all access points (APs)
    • Analysis of authentication methods
    • Identification of the network encryption protocols in use
    • Identification of the administration interfaces of the access points
    • Identification of the nature and version of the access points
  • Attack scenario (not authenticated on the Wi-Fi network)
    • Set up a rogue access point broadcasting the same SSID, in order to capture the pre-shared key (PSK) that grants access to the internal Wi-Fi network
  • Vulnerability scanning (authenticated on the Wi-Fi network)

Password auditing

Objectives

The purpose of a password audit is to test the robustness of passwords, in order to assess the level of awareness of employees (and administrators) with regard to IT security in particular, but also to assess the attack surface exposed to external attackers.

Realization

  • Collection of the files or directories containing the password hashes
  • Cracking phase, followed by analysis of the results:
    • Cracking of the hashes
    • Analysis of the results
    • Statistics

Example of audit result
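The cracking-then-statistics flow above is what turns a hash dump into the awareness and attack-surface figures the objectives ask for. The following is an added example for this page, not EvaBssi's own tooling or result: a dictionary attack with a few mangling rules over a constructed dump of unsalted SHA-256 hashes, followed by the statistics an auditor reports (crack rate, passwords shared between accounts, privileged accounts cracked, short passwords). The hash type, the wordlist, the mangling rules and the user list are assumptions; the plaintexts are known here only so that the example is reproducible, whereas a real audit starts from unknown hashes and uses a dedicated cracker with far larger wordlists.

```python
"""Dictionary attack on a constructed hash dump, then audit statistics (added example)."""
import hashlib
from collections import Counter


def sha256_hex(password: str) -> str:
    # Assumed hash type: unsalted SHA-256 (a weak choice on the application's side).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed dump: (user, hash). Plaintexts are kept only to build the sample.
_KNOWN = {"alice": "Summer2024", "bob": "password123", "carol": "x9!Qv#2kL0@p",
          "dave": "Welcome1", "eve": "password123", "admin": "Company!"}
SAMPLE_DUMP = [(user, sha256_hex(pw)) for user, pw in _KNOWN.items()]
PRIVILEGED = {"admin"}
WORDLIST = ["password", "welcome", "summer", "company", "letmein"]  # assumed


def mangle(word: str):
    """Common user habits: capitalisation and a short suffix."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in ("1", "123", "!", "2023", "2024"):
            yield base + suffix


def crack(dump, wordlist) -> dict:
    """user -> recovered plaintext, hashing each candidate once for all users."""
    targets = {}
    for user, h in dump:
        targets.setdefault(h, []).append(user)  # identical hashes = shared password
    cracked = {}
    for word in wordlist:
        for candidate in mangle(word):
            for user in targets.get(sha256_hex(candidate), []):
                cracked[user] = candidate
    return cracked


def audit_stats(dump, cracked: dict, privileged: set) -> dict:
    """The figures reported to the client after the cracking phase."""
    users = [u for u, _ in dump]
    by_hash = Counter(h for _, h in dump)
    plaintexts = Counter(cracked.values())
    return {
        "total": len(users),
        "cracked": len(cracked),
        "crack_rate": round(len(cracked) / len(users), 2),
        "shared": {pw: n for pw, n in plaintexts.items() if n > 1},
        "reused_hashes": sum(1 for n in by_hash.values() if n > 1),  # even if uncracked
        "privileged_cracked": sorted(u for u in cracked if u in privileged),
        "short": sorted(u for u, pw in cracked.items() if len(pw) < 12),
    }


if __name__ == "__main__":
    found = crack(SAMPLE_DUMP, WORDLIST)
    for key, value in audit_stats(SAMPLE_DUMP, found, PRIVILEGED).items():
        print(f"{key}: {value}")
```

Counting duplicate hashes separately from cracked passwords is deliberate: two accounts with the same hash share a password whether or not the auditor recovers it, and that is a finding on its own.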

AWS (Amazon Web Services) audit

Objectives

The objective of an AWS audit is to assess the security of the services hosted on Amazon Web Services. It verifies that good practices are applied and that no sensitive data from the Information System can end up in the hands of attackers.

Realization

The audit can be summarised in the following audit points:

  • Global infrastructure (consistency and business understanding)
  • Network filtering rules (inbound, outbound, routing tables, NAT, etc.)
  • Partitioning between the different networks (VPC and subnet segmentation, etc.)
  • Authentication mechanisms (robustness of the mechanisms, etc.)
  • Users and groups
  • Event logging (traces)
  • Data encryption (server-side encryption with customer-provided keys, SSE-C, or with KMS, Key Management Service)
  • Hardening of each service individually (EC2, S3, etc.)
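The "network filtering rules" point above is typically checked from an export of the security groups rather than from the console. The following is an added example for this page, not EvaBssi's audit tooling: it reads output in the shape returned by `aws ec2 describe-security-groups` and reports every group that exposes an administration or database port, or all traffic, to the whole Internet. The list of ports considered sensitive and the sample groups are assumptions; the field names (`IpPermissions`, `IpProtocol`, `FromPort`, `ToPort`, `IpRanges`, `Ipv6Ranges`) are those of the EC2 API. The sample JSON is constructed and embedded so the check runs offline.

```python
"""Find security groups open to the Internet on sensitive ports (added example)."""
import json

# Assumed list of ports that should never be reachable from 0.0.0.0/0.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 445: "SMB", 3306: "MySQL", 5432: "PostgreSQL"}
WORLD = {"0.0.0.0/0", "::/0"}


def world_open_cidrs(perm: dict) -> list:
    """CIDRs in this rule that mean 'anyone', IPv4 and IPv6."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD]


def find_exposed(groups: list) -> list:
    """One finding per inbound rule that exposes a sensitive port (or everything) to the world."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            cidrs = world_open_cidrs(perm)
            if not cidrs:
                continue  # restricted to specific CIDRs or to other security groups
            if perm.get("IpProtocol") == "-1":
                findings.append({"group": group["GroupId"], "exposed": "all traffic", "from": cidrs})
                continue
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            hits = [f"{port}/{name}" for port, name in SENSITIVE_PORTS.items() if lo <= port <= hi]
            if hits:
                findings.append({"group": group["GroupId"], "exposed": ", ".join(hits), "from": cidrs})
    return findings


def find_exposed_from_cli(output: str) -> list:
    """Same check on the raw JSON printed by `aws ec2 describe-security-groups`."""
    return find_exposed(json.loads(output)["SecurityGroups"])


# Constructed CLI output (assumed account, not a real one).
SAMPLE_OUTPUT = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]})

if __name__ == "__main__":
    for f in find_exposed_from_cli(SAMPLE_OUTPUT):
        print(f"{f['group']}: {f['exposed']} open from {', '.join(f['from'])}")
```

Port 443 open to the world on the web group is expected and is not reported; the auditor's question for each finding is whether the exposure is intentional, and a `-1` rule from 0.0.0.0/0 almost never is.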

Secure development training

Objectives

  • The objective is to present the best practices in terms of secure development. This awareness is achieved by discovering the attacks inherent in web applications, the risk they represent and the recommendations to be implemented.
  • We have chosen to base our secure development training sessions on the OWASP (Open Web Application Security Project), whose work targets the main themes of web application development: session management, authentication, user input control, etc.

Realization

  • Phase 1 - Preparation and customisation of the material according to the context
  • Phase 2 - Conducting a training session with up to 10 employees:
    • Three-day training session with two EvaBssi Consultants
    • Theoretical training and practical case studies

OWASP Top 10 Vulnerabilities

User awareness: phishing campaign

Objectives

  • The objective of phishing campaigns is to raise awareness among users through real-life attacks that are often used by attackers to obtain sensitive information (passwords, logins, bank details, etc.).
  • During these awareness campaigns, EvaBssi's objective is to persuade employees to click on or open specially crafted emails in order to access sensitive information

Realization

  • Obtaining information about target users
    • Name, first name, e-mail address
  • Sending fraudulent emails. Depending on the chosen scenario, the emails sent to the users may contain:
    • A simple link
    • A link to a malicious site
    • A malicious attachment
  • Analysis of the results
    • Study on the robustness of passwords (if possible)

RedTeam (1/2)

Objectives

  • Test the perimeter controlled by the Synergy Group's defensive teams (or sensitised employees)
  • Check the security rules in real attack conditions
  • Identify uncontrolled perimeters

The attack scenarios are carried out one by one, based on the entry points usually identified. During the audit, further entry points may be identified and added as new scenarios.

Realization

To conduct RedTeam audits:

  • Target identification meeting
  • Formalisation of scenarios
  • Validation of scenarios
  • Realization of the scenarios on site
  • Audit report (feeds into the overall report)
  • Presentation of results

Illustration - Controlled perimeter

RedTeam (2/2)

Example scenarios

  • Attempt to connect physically to the infrastructure in order to take control of it
  • Controlled compromise of the server holding sensitive data (NAS, printers, etc.) to demonstrate the feasibility of a ransomware scenario that could paralyse the IS
  • Setting up a persistent data exfiltration channel inside the company (e.g. espionage via e-mail)
  • Compromise of high-profile or highly privileged users (e.g. administrators) through phishing / smishing / vishing attacks
  • Theft of Wi-Fi access (or through social engineering)
  • Access to the CRM and retrieval of customer/employee data

To carry out the RedTeam engagement, an authorisation mandate listing the test scenarios and their scope (domain names, IP addresses, etc.) must be completed, signed and returned to EvaBssi.

MyCyberEyes

Objectives

The objective of MyCyberEyes is to continuously test the security of your resources exposed to the Internet and your exposure to cyber risk.

Realization

  • We detect and alert in real time to new vulnerabilities
  • Our R&D team develops new tests and controls continuously, allowing us to adapt to the threat
  • We enable our customers to know in real time the security level of their Internet-facing digital platform
  • We provide an MCE label that certifies the security level of the platform to third parties

Overview of offers

Our mission is to protect information assets
and to guarantee an efficient IS, serving our Clients' businesses.
We have designed our offers around three pillars with complementary and transversal missions.

Mastering the cyber risks of organisations

Identify, protect, detect, respond and recover

Imagine, build and operate innovative and efficient IS