ADYTA’s Penetration Testing service can follow one of 3 distinct methods, listed below.
This method, known as Black Box, tests the infrastructure for vulnerabilities from the point of view of an external attacker: no information is shared by the client, and Adyta has to discover everything using OSINT and Threat Intelligence tools.
This method, similar to Black Box, also tests the infrastructure for vulnerabilities from the point of view of an external attacker, but some information is shared by the client, giving Adyta a baseline to work from. Since access to information is still limited, Threat Intelligence and OSINT tools are used as well.
In this method, Adyta has access to all the available information about the client’s infrastructure, allowing the work to be carried out in a structured way. It also makes it possible to find vulnerabilities that are present in the infrastructure but would not be easily found by an attacker.
Additionally, we offer our clients 2 ways of executing the work:
Using state-of-the-art tools, we launch automated scans against the client’s exposed infrastructure. These tests probe the exposed ports and services of the client’s servers and detect publicly known vulnerabilities (e.g. CVEs).
In Web services, we look for vulnerabilities in the frameworks and platforms in use, as well as XSS and SQL Injection possibilities.
Even when relying on automated tools, this type of test is always accompanied by our specialists, who manually validate any findings.
Manual Exploration Analysis
On the exposed infrastructure services, in addition to using automated tools, we perform manual vulnerability testing from the perspective of an external attacker, taking into account the contextual information acquired or shared. We also look for lateral movement, in addition to the vertical movement that characterizes penetration testing.
This type of analysis can detect more complex attacks that require multiple steps, or a combination of weaknesses, to execute. It draws on the years of experience and qualifications of our technical team to provide the best results, going beyond what the market offers.
It has been through this type of analysis that we have found the most critical vulnerabilities in our clients’ assets.
A secure network is critical to your business.
Our specialists examine the current state of your infrastructure to assess the resilience of your security controls and to identify all the ways an attacker might gain unauthorized access.
Our reports detail the security vulnerabilities within your infrastructure that could potentially be exploited in an attack.
Our pen testers can test your infrastructure as authenticated or unauthenticated users.
The security of your apps can put your corporate information and systems at risk of compromise.
We guarantee a complete security analysis of your custom application deployment.
Our specialists will examine and assess all the key components of your app and supporting infrastructure.
Our tests are focused on how your application components are implemented and communicate with the user and the server.
We perform the analysis in several ways, depending on your goals, from source code review to interactive penetration tests.
Mobile devices are attractive targets for malicious attackers.
Because they have access to your corporate network via email, VPNs and other remote access methods, a successful compromise can give an attacker access to customer details, financial and other sensitive data.
Our mobile security testing services have been specifically designed to identify configuration and deployment flaws associated with integrating mobile solutions into a corporate environment and provide detailed mitigation advice.
Having extensive experience in remote access penetration testing, we can help you evaluate the security of all the components that comprise your flexible working environment, analyse your security architecture, configurations and implementations, test for vulnerabilities and recommend appropriate security policies to mitigate an attack.
We ensure organisations are equipped to manage the security risks that arise from flexible working. Issues such as laptop security, VPN security, access to remote servers, modems and the usage of portable devices are considered.
Cybersecurity and its associated risks are among the biggest threats to organisations worldwide.
Traditionally, cyber security has focused on applications and infrastructure. However, the vectors used by attackers are becoming increasingly sophisticated and varied.
Attackers are no longer limiting themselves to just cyber assets but including physical and human assets. Therefore, organisations need to defend and protect their business using multiple attack scenarios.
A Full Spectrum Attack Simulation assessment is a bespoke engagement comprising simulated, targeted attack and response capabilities.
The uptake of virtualisation technologies both in public and private environments has increased concern over how to secure these systems against cyber attacks.
Attackers continually probe these environments for weak security controls, misconfigurations and vulnerabilities, yet there is a distinct possibility that they do not have the same standards of cyber security hygiene as your internal systems.
We can help you secure your cloud environments with our detailed penetration tests and configuration reviews.
We perform (non-distributed) Denial of Service attacks in order to assess the resilience of our clients’ servers.
Running simulated phishing attacks against a group of employees allows us to assess a company’s resistance and resilience to this kind of threat.
To complement the phishing simulations, we have a specialised training service in which we adapt and create specific content for the client, so that the organisation’s training is adjusted to its needs.
We send generic phishing campaigns in an automated way, using a set of pre-existing templates, seeking to reach the maximum number of the company’s employees. The result of the campaign is a set of statistics that gives our client an overall view of how prepared their employees are for these threats.
To perform this type of phishing simulation, we collect as much information as is available about the company and some of its employees, using Open Source Intelligence (OSINT) mechanisms and tools.
Directed phishing attacks, or Spear Phishing, have proved more effective than generic phishing attacks: they target users more precisely and collect more useful information about the company’s readiness for them.
Asset inventory, risk analysis and identification of mitigation measures, including, but not limited to:
- RJSC Normative Framework and other relevant regulations;
- Information Security Policy;
- Asset Inventory;
- Risk analysis;
- Measures to comply with security requirements;
- Security Plan;
- Incident notification;
- Metrics and indicators (KPIs);
- Cybersecurity Audit;
- Annual report;
- Awareness of cybersecurity to employees;
- Preparation of compliance deliverables to be sent to CNCS.
Permanent point of contact “as-a-service” (Article 4 of DL 65/2021) and Security Officer “as-a-service” (Article 5 of DL 65/2021), covered 24h/day;
The security officer acts as the permanent cybersecurity contact (24 hours a day) for the organisation and with CNCS, periodically monitors the risk treatment plan and, when cybersecurity incidents occur, prepares the respective report with the relevant structure and evidence. They also liaise with the National Cybersecurity Center in reporting cybersecurity incidents, preparing the necessary and sufficient documentation and interacting in accordance with the cybersecurity incident response procedure. The main responsibilities are:
- Ensure the implementation of an information security strategy;
- Develop and implement information security policies, processes and procedures;
- Define and implement risk assessment and response strategies;
- Monitor and participate in the incident management process;
- Conduct and monitor security audits and implementation of improvement measures;
- Promote information security and cybersecurity awareness sessions;
- Update the asset inventory;
- Monitor the security plan;
- Notify incidents;
- Prepare the annual report and other compliance deliverables.
Development of security policies adapted to the client.