Intrusive audit
Penetration tests (or pen tests) consist of behaving like an attacker: looking for potential weaknesses in an information system and attempting a real intrusion into it.
Several options are available for a pen test. The first is the kind of access our engineers will have to your infrastructure:
- External audit
It simulates outside attackers trying to gain access to your information system through its visible part (websites, remote access, mail servers, ...).
- Internal audit
It is well known that 70% of attacks are inside jobs. In an internal pen test our people will have access either to one of your workstations or to your network with one of our laptops.
The second choice you will have to make concerns the level of knowledge given to our engineers:
- Whitebox audit
Our people will have the same level of information as your IT staff.
- Blackbox audit
Our staff will have no prior knowledge of your infrastructure beyond what is publicly available.
- Greybox audit
Our engineers will start in blackbox mode, but as they gain access they will be given information in order to probe specific targets.
A pen test therefore requires a very high level of technical skill to produce a credible result. The SCRT team is comfortable with the latest hacking practices and has strong experience in software and application security audits.
The goal of an intrusion test is, above all, to give you advice aimed at improving your security level.
Semi-automated non-intrusive audit
This kind of audit is not performed directly on the customer's network but on a model of the relevant functions that the audit has highlighted.
Advantages of this method:
- The customer's network is undisturbed by the audit and remains 100% available
- Configuration changes are taken into account immediately
- Changes can be mapped onto the simulation model (change of OS version, ...)
- The source can be changed on the vulnerability side as well as on the setup-dump side
- The modelling language stays the same, so the audits are consistent.
Application audit and code audit
As 80% of security failures are due to errors or oversights made while applications are developed, it is very important to write strong, robust code, especially when applications are exposed to the Internet (websites, extranets, VPNs, ...).
Thanks to our engineers, who are experts in most current languages, and to the tools we have developed, we are able to certify the code of most applications.
Many incidents also occur because of handling errors or breakdowns. Those points are also checked in the software tools approach.
SAP audit
With SAP tools (AIS) or with open-source tools like Saphyto, SCRT conducts SAP audits. Here are some typical verification steps:
- Installed Hot Packages
- Password security policy
- Password forbidden words
- User groups
Default, blocked and powerful profiles, profiles with development authorizations, …
- Direct access to database tables
- RFC security
Switzerland (HQ)
SCRT Information Security
Le Trési 6C
1028 Préverenges (Lausanne)
T +41 21 802 64 01
F +41 21 802 64 02
France
SCRT Information Security
20 bis, rue Louis Philippe
92200 Neuilly-sur-Seine
T +33 1 77 69 64 40
© 2011 SCRT. All rights reserved.