Don’t wait for the strike, anticipate it
HomeNews & EventsExpert NoteDon’t wait for the strike, anticipate it

Don’t wait for the strike, anticipate it

With cyber-attacks on the rise, it’s more important than ever to make sure your services are properly protected. Our new Offensive Security entity consists of professionals with strong security experience.

They will support you by performing penetration tests on your sensitive assets and uncover vulnerabilities that could be used in a successful attack path.

Our Approach

We base our approach on different well-known frameworks:

OWASP - Open Web Application Security Project

For all types of application security, the Open Web Application Security Project (OWASP) is one of the most recognized frameworks. This methodology, developed by a very well-versed community, has helped many organizations to uncover vulnerabilities.

 

This framework provides a methodology for web application pen tests that helps to uncover common web and mobile application vulnerabilities, but also complicated logic flaws that result from insecure development practices. The framework provides guidelines with many controls to assess, allowing pen testers to uncover vulnerabilities within a wide variety of functions found in modern applications.

 

PTES     - Penetration Testing Execution Standards

Penetration Testing Execution Standard is a pentest framework designed by a team of information security professionals. It highlights the most recommended step by step procedure to structure a security assessment. This standard explains the different steps of a pentest including the preparation, information gathering, as well as the threat modeling phases.

 

We decided to mix them together to capitalize on the best parts of each one and be able to cover our client’s attack surface as effectively as possible.

Our Methodology

To deliver the engagement, we apply the following methodology based on several years of experience and “try & fail”:

  • Kick-off meeting,
     
  • Information gathering,
     
  • Identification of possible entry points,
     
  • Manual & Automated tests,
     
  • Attempts to break in,
     
  • Perform lateral movements,
     
  • Report the findings,
     
  • Optional retest.

Our type of tests

We can perform engagements in 3 different modes :

  • Black box: we don’t have any information in advance about the targets in scope, except the targets’ address or domain names,
  • Grey box: the client gives us minimum information to begin the engagement. Then, they can supply more information on-demand in order to go deeper and not remain blocked on a specific point,
  • White box: the source code, full configuration information, architecture documents, etc. are available.

The main difficulty is to find the right balance between allocated time and information availability. The objective is to be as close as possible to a real attack, but in a limited amount of time,

despite a real attacker would have several months for the reconnaissance phase. This is why we recommend a grey / white box approach to improve the return on investment for the client.

Our Philosophy

The mindset of the team is to be fully transparent with the client by delivering a high-quality report composed of:

  • A high-level executive summary where we move the vulnerability from a technical context into a business context to make management understand what the consequences in case of exploitation are,
     
  • A technical section where vulnerabilities per domain are sorted by remediation order. To sort them, we use specific and easily understandable criteria, that take the business/technical context into account
     
  • All scripts, command lines, software etc. used to uncover the vulnerability are described in the report, in case the client wants to replay himself the attack,
     
  • A high-level conclusion in which we give our opinion and recommendations about the security of the targets in scope.

Our Added Value

Several added values can be identified with this type of engagement. Amongst others:

  • Giving your team members real experience in dealing with a security breach,
     
  • Uncovering security aspects that are lacking from a technological or process point of view,
     
  • Uncovering the most-at-risk routes to your sensitive assets.


 

Trust means proximity

As trust and proximity are strongly linked together, our team can support you with a high availability all around Switzerland. We can also ensure management proximity, as ELCA Security is a real Swiss and independent actor.

Begin your Cybersecurity journey

Cybersecurity is an investment on a long-term perspective to anticipate future potential cyber-attacks and limit their impacts on daily business.

For most companies, it is not justified to invest substantial amounts in this domain. This is why ELCASecurity proposes several discovery assessments to allow you to make a first step into the Cybersecurity world.

 

These types of engagements are focused on SMEs, as they are missing resources in this domain. We can cover several advisory domains:

Flash Risk Assessment

Provide a high-level overview of your Cybersecurity maturity and deliver strategic recommendations.

Flash Compliance Assessment

Verify compliance with nLPD, GDPR, ISO27K

Flash Data Protection

Check if data processed could be compliant with the current data protection laws applied in the country.

Flash Cyberdefense readiness

Determine if your Defense-in-depth strategy is setup correctly and can detect & block advanced Cyber-attacks.

Flash Discovery Pentest

Provide a high-level overview of your Cybersecurity maturity and deliver strategic recommendations.

Contact our expert

Fabrice GUYE

Head of Business Line at ELCA Security

Meet  Fabrice GUYE, our Head of Business Line at ELCA Security. Contact Fabrice to discuss how he can help propel your cybersecurity initiatives forward.