Penetration tests, fuzzing, phishing: IT infrastructure security solutions

Penetration tests, fuzzing, phishing: IT infrastructure security solutions
By EBRC 10/06/2022
Finance, FinTechs & RegTechs
Health & Life Sciences
International Institutions
Security, Defense, Space
Online Services
OES - Operators of Essential Services

Simulating attacks to better defend yourself

In an increasingly connected environment, the security of corporate networks and data is under daily threat. To face this permanent challenge, POST Telecom and EBRC have pooled their strengths and skills to create CyberForce. This entity gathers about fifty experts divided into five teams. Jean-Marie Bourbon heads one of them, CyberForce Offensive Security.

Cyberforce - POST Luxembourg et EBRC

 

Securing your IT infrastructure with Offensive Security

Jean-Marie Bourbon, Head of CyberForce Offensive Security, POST Luxembourg
Jean-Marie Bourbon, Head of CyberForce Offensive Security, POST Luxembourg

Our main task is to check that our clients' IT infrastructure is secure. We offer a series of controlled attack services. The best known are pentests (penetration tests).

Penetration tests: anticipating for better protection

The penetration tests aim to identify and exploit weaknesses and thus anticipate risks thanks to the offensive approach used on a given perimeter.

This is a real test of the IT system’s security, highlighting exploitable vulnerabilities to refine the system’s security.

To secure your IT infrastructure, go beyond penetration testing

This range of services is very broad. It touches on all the layers of cybersecurity: from classic web applications to internal pentesting, via physical intrusion, the mobile environment, network infrastructures and social engineering (or psychological hacking).

In addition to computer penetration tests, what other services do you offer to protect the IT system?

In addition to computer penetration tests, what other services do you offer to protect the IT system?

Checking infrastructure security prior to launching applications

First of all, there is the search for vulnerabilities in so-called 'closed' applications. Before an application is launched, we will test its security level using techniques such as reverse engineering or fuzzing. The aim of this technique is to study software without having its source code available in order to discover its vulnerabilities and thus enable the publisher to issue a patch.

Simulating threats to strengthen your preparation for cyber attacks

Next comes adversary simulation. With this more realistic approach, we define one or more attack vectors with the client and, on this basis, we define objectives adapted to the risks. In other words, we act exactly as a group of professional hackers would. These simulations allow us to test not only the technical side but also the human and organisational side of the infrastructure and go far beyond what is done with standard penetration tests. Were the decisions taken following the attacks the right ones? If not, how can they be prevented from happening again in the future?

Testing the current process for dealing with phishing attempts

We also offer our clients approaches designed to test their response capabilities and processes for dealing with phishing attempts. These approaches focus on practices such as credential theft or custom malware execution.

Business resilience in-depth analysis

We can also organise Red Team exercises for resilience testing against targeted attacks such as those proposed through the TIBER -LU framework jointly adopted by the Central Bank of Luxembourg (CBL) and the Commission de surveillance du secteur financier (CSSF) in November 2021. This framework, which follows the publication in 2018 of TIBER-EU by the European Central Bank (ECB), aims to test the resilience of financial sector entities (although it can be applied to other contexts) in Luxembourg. The advantage of these exercises is that they are spread over time - from six months to one year - and allow for an in-depth analysis of the effectiveness of the people, processes and technologies used by the company to defend itself.

Securing IT infrastructure by understanding how hackers operate 

We can combine our resources with those of the Blue Team – which is in charge of defensive security - and offer Purple Team exercises. These allow our clients to better understand the tactics, techniques and procedures used by hackers and to improve their intrusion detection capabilities by adapting their scenarios (use-cases).

Active listening: the cornerstone of our IT infrastructure security support services.

We do more than just provide the client with what they want. We listen carefully and ask questions in order to fully understand their expectations. Then, based on these discussions, we provide appropriate, practical and concrete advice. This advisory role - to which we contribute our highly specialised technical skills - is particularly appreciated by our clients. Our transparency is also appreciated: we have often advised a client against a particular solution because it was not suitable for their particular case.

Is infrastructure security under threat from the rise in teleworking

At the time of the lockdown, yes, because many companies implemented teleworking arrangements without taking into account the security aspect. Personally, I think that the main danger today is mobile phones. They contain critical information, do not have antivirus protection and are increasingly being targeted by hackers.

For example, at a client’s site, we carried out a penetration test via the mobile phone of one of his employees and managed to take control of his entire infrastructure in just three days!At the time of the confinement, yes, because many companies implemented teleworking arrangements without taking into account the security aspect. Personally, I think that the main danger today is mobile phones. They contain critical information, do not have antivirus protection and are increasingly being targeted by hackers. For example, at a client’s site, we carried out a penetration test via the mobile phone of one of his employees and managed to take control of his entire infrastructure in just three days!

What are your ambitions for the future?

POST-CyberForce is currently one of the only eligible companies in Luxembourg to offer Red Team exercises within the framework of TIBER-LU, thanks to our OSEP (Offensive Security Experienced Penetration Tester) and OSCE (Offensive Security Certified Expert) certifications as well as our various research projects. We will therefore develop this service over time. With this know-how, we have the ambition to develop our activities internationally. Our team has all the assets to achieve this.

Penetration tests, organisation, expertise: 5 recommendations to ensure the security of your IT infrastructure

  1. Make the right choice. Pentesting is ONE of many approaches to dealing with cyber threats and does not cover all risks.
  2. Compliance does not mean unnecessary testing. Use this lever to increase maturity instead of creating more projects to that end.
  3. Open up new perspectives. Make your choice not based on risk but on introspection, alerting, incident response, etc.
  4. Do not focus solely on detection. Detection is only the starting point and you must be prepared. Otherwise, you will fail in combating malicious parties.
  5. Everyone has different expertise. Trust your Offensive Security team.

1  Threat Intelligence-based Ethical Red Team

BACK TO BLOG