Improving Your Security Posture

Threat Modelling And Attack Simulation

“What is my risk exposure across my IT/OT environment?”

“What are the top critical mitigations I can do today to reduce my risk?”

“Can I predict how changes to my IT/OT infrastructure will change my risk posture BEFORE I change them?”

Vulnerability Assessment & Penetration Testing

“How secure is my business?”
“Is my business vulnerable to cyber attacks?”
“Can hackers get to my data?”

We can help you identify your vulnerabilities and weaknesses and secure your business.

Secure Code Review (DevSecOps)

“Do my applications have the right security features?”
“How can I make sure we fix all application vulnerabilities before launch?”
“Are my applications compliant with regulatory and international standards?”

Red Teaming

“How prepared are my company’s defences?”
“How ready is my organisation against real world cyber criminals?”
“Is my Blue Team ready for real world attacks?”

The only way to find out is to launch a simulated real-world attack.

Phishing

“Are my staff savvy enough to detect phishing emails?”
“How do I get them cyber trained?”

We can run a customised Phishing campaign to test the cyber readiness of your staff and provide training to raise their level of security awareness.

IT & Privacy Data Audit

“Is my business compliant with GDPR and PDPA regulatory requirements?”
“Is my organisation ready for the global stage?”

We can help you evaluate your company’s data privacy posture against any regulatory requirements or international best practices.

IT Forensics

“I’ve been hit by Ransomware! What do I do?!”
“I think I have been breached. Who can I call to gather evidence, recover and investigate the situation?”

Our team of Forensic Investigators is ready to help you investigate and hunt down threats.

International Standards

We understand and deliver to international standards.

Vulnerability Assessment & Penetration Testing

A VAPT is the combination of VA (an iterative cycle of Assessment, Identify Exposures, Address Exposures) and PT (Planning, Info Gathering, Vulnerability Detection, Penetration, Report). A VAPT is a systematic process to test and penetrate an IT system, simulating and recreating the various attack vectors utilised by hackers and known exploits.

Why do I need it?

It helps you understand your security posture and which vulnerabilities in your system have been validated.

How do you do it?

Our team of security consultants follows the latest internationally recognised VAPT guidelines described in OWASP (and NIST). We use a combination of automated and manual tools in the process, and all the vulnerabilities are tested and validated (with screenshots) to confirm that they are legitimate and reproducible.

What will I get?

The final report will contain a ranked list of vulnerabilities, evidence of the findings, and we will also include our recommendations on how to fix the vulnerabilities that we have found. This would allow you to easily communicate this to your internal teams and fix the issues in a systematic manner.

VAPT + Secure Code Review (DevSecOps)

We combine VAPT & Secure Code Review to identify code which may cause a potential vulnerability in a later stage of the software development process, ultimately leading to an insecure application.

Why do I need it?

The code review (especially when conducted before the product launch, then known as DevSecOps) will identify security vulnerabilities not only from external attacks, but also via process gaps.

How do you do it?

Our researchers will use a combination of automated tools as well as manual review to determine each vulnerability and test its validity.

What will I get?

Similar to the VAPT report, the final report will contain a ranked list of vulnerabilities, evidence of the findings, and we will also include our recommendations on how to fix the vulnerabilities that we have found. This would allow you to easily communicate this to your internal teams and fix the issues in a systematic manner.

Red Teaming

Red Teaming, or Adversarial Attack Simulation Exercises, is used in cybersecurity to simulate real-world attacks. A Red Team serves to complement other forms of security testing (e.g. penetration test, vulnerability assessment, code review) and should be incorporated into the security testing exercise of an organisation as it grows in its security maturity level.

Why do I need it?

The primary goal of the exercise is to assess the organisation’s ability to prevent, detect and respond to cyber-attacks and discover potential weaknesses that may not be identified through standard vulnerability and penetration testing exercises. The mission of the Red Team is to build stronger resistance against cybersecurity attacks for systems through proactive discovery of cybersecurity gaps in people, processes and technology.

How do you do it?

There are various forms of Red Teaming, namely Black Box, Grey Box and White Box engagements.

Black Box is where our attacking team has no (or minimal) assistance from the defending team. This simulates attackers with no inside information.

Grey Box is where the attackers get certain concessions from the defending team.

White Box is conducted where the defending team gets concessions for most attacks and carries out a broad range of attack vectors from a range of scenarios.

What will I get?

A full management report listing the various vulnerabilities in both the physical and digital space.

Customised Phishing Campaigns

Phishing attacks are the most common and possibly the easiest attack vectors open to hackers. While there are various automated tools in the market, there is still a pressing need to educate and train the humans behind the PC and laptop to recognise threats and suspicious emails and files they receive. The customised campaigns are specially designed to be targeted and to identify personnel or departments who may require further training, to improve your best cyber security defence: your people.

Why do I need it?

Holistic security needs to cover People, Process and Technology. Technology is often the easiest and most secured, while the first two elements are often neglected, giving attackers a very simple and efficient way to bypass the technological defences in place. Phishing is by far the most common attack vector, and to date the best way to prevent it is still awareness training of People and implementing good security Processes to mitigate attacks.

How do you do it?

Our team will work with your team to design and craft phishing campaigns that are specific and relevant, so that they are more realistic and representative of a true hacker attack.

What will I get?

The campaign will consist of one email and a landing page to capture the clicks. A final management report will be provided at the end of the campaign to determine whether your People need further training or whether any improvements in Processes are required.

IT & Privacy Data Audit

An information technology audit, or information systems audit, is an examination of the management controls within an information technology infrastructure.

The objective of a privacy data audit is to assess an organization’s privacy protection posture against any legislative/regulatory requirements or international best practices and to review compliance with the organization’s own privacy-related policies.

Why do I need it?

Both audits serve to determine how an organisation stands in terms of their management of information systems and privacy data. The organisation will be audited and benchmarked against international (and national or local standards if available). Organisations will need this to demonstrate to shareholders and external stakeholders that their processes are up to a certain standard and the results often form the backbone of any improvement roadmap in the future.

How do you do it?

Our team of internationally certified auditors will test against various standards like ISO, NIST, OWASP, GDPR, PDPA, PCI-DSS and many more to evaluate the company’s internal standards.

What will I get?

You will receive a management report on the health of the organisation vis-à-vis the controls in place, and the issues identified for future improvement.

IT Forensics

IT Forensics encompasses the recovery and investigation of material found in digital devices, often in the event of a computer crime, like ransomware attacks or digital theft.

Why do I need it?

If there is a computer crime or suspicion that one has occurred, IT Forensics is required firstly to ensure that digital evidence that may be used in court is treated in the correct manner such that it is admissible. Secondly, the Forensics may be carried out to recover lost, deleted or encrypted (in the case of ransomware) data. In some cases, a detailed sweep of the devices is carried out to analyse the attack vector and determine whether the threat has been effectively eliminated.

How do you do it?

Our engineers will follow the digital forensic investigation process, which covers the acquisition and imaging of devices, analysis and reporting. For legal clients, this would follow an eDiscovery process where the integrity and authenticity of the digital evidence are maintained so that it is admissible in court. For unauthorised network intrusions, the team will establish the extent of any intrusion and also attempt to identify the attacker.

What will I get?

You will receive a forensic report of all the evidence acquired and the findings, formatted if necessary to the legal requirements of each case.

Contact Us

1003 Bukit Merah Central, #07-04 Inno Centre, Singapore 159836
