Our Services


Vulnerability Assessment

Vulnerabilities are the weaknesses/holes that allow threats to be realized/manifested. In other words, systems are compromised through weaknesses in their security. Vulnerability Assessment is a valuable first step in discovering the vulnerabilities in your network devices, servers and applications. It is a cheap way to quickly get a clear understanding of how vulnerable your systems are to attack.

In Vulnerability Assessment engagements, QSecure performs automated scans against a predefined number of hosts / IP addresses through the use of vulnerability assessment tools. The identified weaknesses / vulnerabilities are grouped in a report that is delivered to the client. No verification of results or manual testing techniques are performed.

Penetration Testing

Penetration Testing provides the most thorough test of security defenses. Security professionals will scrutinize all hosts in scope for any weakness or piece of information that could be used by an attacker to compromise a system and disrupt data confidentiality, integrity and availability. They will go the extra mile and actually exploit identified vulnerabilities in order to assess the true impact of a potential attack.

In Penetration Testing engagements, QSecure conducts an assessment of the organization's perimeter network and internet facing systems in order to identify potential security weaknesses / vulnerabilities that could be exploited by unauthorized individuals to compromise data integrity, confidentiality and availability.

The assessment may simulate attacks from "Informed" attackers who have knowledge of the organization's infrastructure and security systems or from "Uninformed" ones who have no prior knowledge of the organization's security posture.

The tests include automated tests using commercial and open source tools combined with manual testing techniques. This combined method allows for the detection of complicated / hard to find vulnerabilities that cannot be detected by automated means alone. Furthermore, manual tests aid in the process of vulnerability verification which aims to minimize the number of false-positives, thus saving the client precious time during the remediation process.

The final report is comprised of a summary section for senior management and a technical section for IT professionals. It lists the identified vulnerabilities by severity level followed by the associated impact to the organization and the proposed risk mitigation strategies. A final onsite presentation is performed which marks the completion of the engagement.

Internal Security Assessment

When protecting the confidentiality, integrity and availability of organizational information it is important to realize that a potential attack can come from inside the network as well as from outside. An Internal Security Assessment focuses on the strength of servers, the controls provided by firewalls and the potential vulnerabilities on the internal network.

This does not only help to identify the risk that rogue internal users present, but also to determine the amount of damage an external attacker who has breached the perimeter can cause.

QSecure's Internal Security Assessment follows a similar methodology to external/penetration testing but with a small difference, as it provides a complete view of the internal network's security. Testing is typically performed from a number of network access points, representing different logical and physical segments, and targets the organization's servers, workstations, network systems, access control devices, application services and overall internal network security practices.

Upon test completion a final report is composed which contains a summary section for senior management and a technical section for IT professionals. It lists the identified vulnerabilities by severity level followed by the associated impact to the organization and the proposed risk mitigation strategies. A final onsite presentation is performed which marks the completion of the engagement.

Web Application Security Assessment

Web applications are complex pieces of software that contain numerous vulnerabilities and provide a logical tunnel from the Internet to the back-end databases. A Web Application Security Assessment helps organizations identify weaknesses that may allow attackers to compromise the security of their web application and ultimately their network.

In recent years, web applications have grown dramatically popular, with organizations converting legacy mainframe and database systems into dynamic web applications. These applications allow customers/users to directly access personal and confidential information, encouraging a self-driven model which in turn leads to a decrease in business costs.

On the other hand, this trend has caused an exponential increase in the vulnerabilities found in web applications, with a significant financial impact on the enterprise and on the privacy of end users. Recent studies show that hackers are moving towards web application based attacks with 75% of total attacks now occurring on web applications.

Furthermore, whereas strong operating system hardening/patching procedures coupled with well managed firewalls provide sufficient security at the network/infrastructure level, this is not yet true for web applications. Web applications are complex pieces of software that contain numerous vulnerabilities and provide a logical tunnel from the Internet to the back-end databases inside the corporate network. Recent studies have shown that more than 95% of web applications have some sort of vulnerability.

In Web Application Security Assessments, QSecure follows the OWASP Testing Framework and performs all required tests as an unauthorized user (without a valid account on the system) as well as an authorized one. As all web applications are unique, testing inevitably varies; therefore each engagement is tailored to the nature of the site.

The final report is comprised of a summary section for senior management and a technical section for IT professionals. It lists the identified vulnerabilities by severity level followed by the associated impact to the organization and the proposed risk mitigation strategies. A final onsite presentation is performed which marks the completion of the engagement.

Social Engineering Attack

Social engineering is the act of manipulating people into performing actions or disclosing confidential information that will allow hackers to gain access to information systems. Social engineering attacks can come in many forms such as email messages masquerading as breaking news, innocent telephone conversations, CDs or USB Flash drives left in public areas, Facebook messages and many more.

QSecure's methodology begins with target identification and information gathering, followed by the definition of the test scenarios and the customization of the exploitation attempts. Each scenario is tailored to test specific controls, policies and procedures within the organization and assess the security awareness level of its personnel.

It is often argued that the weakest link in security is not technology, but the people who use it.

Incident Handling

An IT security incident is an adverse event in a computer system or network caused by the failure of a security mechanism or an attempted or threatened breach of these mechanisms. Organizations must react to potential information security breaches quickly and in an orderly manner.

Efficient incident handling procedures and investigative techniques are necessary to determine if a breach has occurred, to identify the vulnerability exploited, to constrain the breach, to identify the source of the attack and to gather critical evidence that can be used in legal proceedings. Incident-handling capability should be available 24 hours per day, 7 days a week.

QSecure can help organizations develop, maintain, test and update incident response procedures so as to increase their incident handling capabilities and react to security breaches in an orderly manner. Furthermore, QSecure's Forensic Investigation services can help organizations investigate breaches in security, gather evidence, recover any compromised systems and resolve the issues that caused the incident.

IT General Controls Review

For some organizations, information and the technology that supports it may be considered their most valuable assets. Safeguarding these assets while supporting the organization's business objectives represents a very complex and critical undertaking.

IT General Controls are the fundamental controls that apply to the people, processes and technology of an organization. They depend heavily on the risk appetite of the organization and the risk treatment options available. Once implemented, controls must be monitored, reviewed, and improved regularly so as to help the organization accomplish its business objectives whilst keeping its information assets secure.

The purpose of an IT General Controls Review is to evaluate the organization's internal control system's design and effectiveness as it pertains to information security. This includes but is not limited to IT operations, security, change management, development processes, and IT governance or oversight. The goal is to evaluate the organization's ability to protect its information assets and properly dispense information to authorized parties.

Using a methodology that is based on industry best practices and IT audit frameworks such as COBIT, QSecure helps clients get a clear understanding of the key controls that are present in their environment and develop a sound IT internal control system. The IT General Controls Review service offered by QSecure includes testing in the following domains:

  • Planning and Organisation (PO)
  • Acquisition and Implementation (AI)
  • Delivery and Support (DS)
  • Monitoring and Evaluation (ME)

IT Security Policy Development

Written information security policy documents are a formal declaration of management's intent to protect information. They are documents that outline specific requirements or rules that must be met and lay down the foundation upon which all information security related activities are based.

Sound corporate security policies compliant with accepted standards and tailored to corporate needs are essential to good governance and a secure corporate environment.

QSecure will help ensure that you have addressed the appropriate Corporate Security Policies to protect your organization from both internal and external threats. QSecure's experienced consultants will utilize their knowledge in order to help you develop and enforce a comprehensive, customized IT security policy that measures up against industry standards and best practices.

IT Security Architecture Services

Many organizations today are focused on implementing network architecture based upon their business needs rather than security. Furthermore, organizations have the delusion that implementing state of the art equipment will improve their security posture. While there are many products that can help, they can only be effective when they are part of a carefully planned process.

Security architecture refers to the strategic planning and development of an IT infrastructure that supports the organization's mission and security objectives. It is a process that is developed during the security design phase after a security requirements analysis has been conducted to support it.

QSecure will comprehensively review your organization's wired and wireless network, Internet and intranet architectures and identify methods to enhance and improve on the security infrastructure while addressing the organization's business needs.

Security Awareness Training

Information security technologies have greatly improved in the last decade. But what dangers did this change bring? Has the weakest link of the security chain also been strengthened? The reality is that whilst security software and hardware devices are becoming more "intelligent", computer users are not educated on information security risks and are hence becoming targets of social engineering attacks.

This kind of threat cannot be stopped by security devices alone. End users must be educated.

Security awareness is the knowledge and attitude members of an organization possess regarding the protection of its physical and information assets. Being security aware means that a person understands that some people may deliberately steal or damage the information which is stored within the organization's computer systems. As a result, he/she understands that it would be prudent to support the assets of the organization by trying to stop that from happening.

QSecure offers a variety of security awareness training programs which focus on achieving a long term shift in the attitude of your employees towards security, whilst promoting a cultural and behavioral change within your organization.

For more information regarding our services, please do not hesitate to contact us.