Don’t wait for the strike, anticipate it
With cyber-attacks on the rise, it’s more important than ever to make sure your services are properly protected. Our new Offensive Security entity consists of professionals with strong security experience. They will support you by performing penetration tests on your sensitive assets and uncover vulnerabilities that could be used in a successful attack path.
Our Approach
We base our approach on different well-known frameworks:
We decided to mix them together to capitalize on the best parts of each one and be able to cover our client’s attack surface as effectively as possible.
Our Methodology
To deliver the engagement, we apply the following methodology based on several years of experiences and “try & fail”:
-
Kick-off meeting,
-
Information gathering,
-
Identification of possible entry points,
-
Manual & Automated tests,
-
Attempts to break in,
-
Perform lateral movements,
-
Report the findings,
-
Optional retest.
Our type of tests
We can perform engagements in 3 different modes :
- Black box: we don’t have any information in advance about the targets in scope, except the targets’ address or domain names,
- Grey box: the client gives us minimum information to begin the engagement. Then, they can supply more information on-demand in order to go deeper and not remain blocked on a specific point,
- White box: the source code, full configuration information, architecture documents, etc. are available.
The main difficulty is to find the right balance between allocated time and information availability. The objective is to be as close as possible to a real attack, but in a limited amount of time,
despite a real attacker would have several months for the reconnaissance phase. This is why we recommend a grey / white box approach to improve the return on investment for the client.
Our Philosophy
The mindset of the team is to be fully transparent with the client by delivering a high-quality report composed of:
- A high-level executive summary where we move the vulnerability from a technical context into a business context to make management understand what the consequences in case of exploitation are,
- A technical section where vulnerabilities per domain are sorted by remediation order. To sort them, we use specific and easily understandable criteria, that take the business/technical context into account
- All scripts, command lines, software etc. used to uncover the vulnerability are described in the report, in case the client wants to replay himself the attack,
- A high-level conclusion in which we give our opinion and recommendations about the security of the targets in scope.
Our Added Value
Several added values can be identified with this type of engagement. Amongst others:
- Giving your team members real experience in dealing with a security breach,
- Uncovering security aspects that are lacking from a technological or process point of view,
- Uncovering the most-at-risk routes to your sensitive assets.
Trust means proximity
As trust and proximity are strongly linked together, our team can support you with a high availability all around Switzerland. We can also ensure management proximity, as ELCA Security is a real Swiss and independent actor.
Begin your Cybersecurity journey
Cybersecurity is an investment on a long-term perspective to anticipate future potential cyber-attacks and limit their impacts on daily business.
For most companies, it is not justified to invest substantial amounts in this domain. This is why ELCASecurity proposes several discovery assessments to allow you to make a first step into the Cybersecurity world.
These types of engagements are focused on SMEs, as they are missing resources in this domain. We can cover several advisory domains:
Flash Risk Assessment
Provide a high-level overview of your Cybersecurity maturity and deliver strategic recommendations.
Flash Compliance Assessment
Verify compliance with nLPD, GDPR, ISO27K
Flash Data Protection
Check if data processed could be compliant with the current data protection laws applied in the country.
Flash Cyberdefense readiness
Determine if your Defense-in-depth strategy is setup correctly and can detect & block advanced Cyber-attacks.
Flash Discovery Pentest
Provide a high-level overview of your Cybersecurity maturity and deliver strategic recommendations.