
Assessment & Compliance

Assessment & Penetration Testing

Penetration testing (also called pen testing, ethical hacking or blue teaming) is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit.

Internal & External Testing

A true penetration test does not rely on just tools or vulnerability scanning. The next stage involves taking these scans and adding human intelligence-led testing to build a reliable and thorough picture of an organisation’s security and exploitable vulnerabilities.

An internal penetration test assumes that through some means the hacker has gained access to your network, perhaps through malware in an email, social engineering or through a vulnerability on your externally facing systems.

Application Testing

Web application penetration testing is the practice of using a methodical process of searching for and detecting vulnerabilities in your web applications. It’s crucial for all businesses, with web applications at the heart of 73% of breaches, according to Kaspersky.

As with an infrastructure penetration test, the aim is to break into the web application using the same attacks a real adversary would. Elements of a test can include, but are not limited to:

  • Testing user authentication to verify that accounts cannot compromise data
  • Assessing the web applications for flaws and vulnerabilities, such as XSS (cross-site scripting) and SQL injection
  • Checking the secure configuration of web browsers and identifying features that cause vulnerabilities
  • Testing the effectiveness of your Web Application Firewall

Our Web Application Testing includes:

  • Web application penetration testing
  • Mobile application penetration testing
  • Secure code review

Wireless Testing

We can help protect your wireless networks by helping you remove vulnerabilities and misconfigurations.

Whilst wireless hacking is less common than remote hacking, as the hacker would need to be within physical reach of the signal, there has been an increase in the number of breaches initiated through wireless networks.

Wi-Fi testing is the most common form of wireless testing and is covered in a full penetration test or an IT Health Check. Our wireless network testing includes testing for:

  • Rogue access points
  • Brute force
  • Packet injection weaknesses
  • Access key vulnerabilities
  • Misconfiguration
  • Poor or no encryption algorithms
  • Default or hidden router setups
  • Guest Wi-Fi weaknesses or misconfiguration

Our wireless testing also covers technologies including GPRS/GSM/EDGE, LTE, Bluetooth, Wi-Fi, RFID and NFC.

Stolen Device Testing

With a laptop stolen every 53 seconds, your devices can find their way into the hands of hackers or rogue users. With stolen device testing, we emulate what a hacker would do if they found or stole the device. This includes a simulated attempt at breaching your security and gaining unauthorised access using the device, and what data they could gain access to. As a result, you can fully understand and evaluate the risks and potential consequences.

Stolen device tests can be conducted onsite at your organisation or at our secure testing laboratory in West Yorkshire, UK.

IT Health Check

An IT Health Check, which is part of the Public Services Network (PSN) Code of Conduct compliance, aims to provide a level of assurance that networks containing PSN devices are secure.

Unlike fixed-price IT Health Checks, which can cause issues when audited, we visit and scope the work required, and a Lead CREST tester approves the scope of work before a proposal is sent. This is one of the most important aspects in ensuring that the exercise is worthwhile and provides you with the correct level of assurance.

Our IT Health Checks analyse your chosen scope, with guidance from our testing team leader, to identify vulnerabilities which may compromise the Confidentiality, Integrity or Availability of your systems and data.

Social Engineering

Social engineering is an increasingly common and dangerous type of attack that involves tricking someone into divulging confidential or personal information, usually through technology. This data can then be used by, or sold on to, criminals to commit fraud. It has become so commonplace that it is now overtaking the number of purely technical hacks.

Criminals use social engineering to take advantage of the victim’s natural tendencies and emotional reactions: even if you have a strong password, it is often much easier to fool someone into handing it over than to crack it.

Some elements of social engineering are now an essential part of a full penetration test, adding tests of the human weaknesses often referred to as the “Human Network”.

We have designed three testing elements which can be run as stand-alone tests or added to your next penetration test:

  • Targeted phishing attack
  • Onsite access test
  • Black box test

Cyber Security Audit

Do you know how effective your organisation’s level of cyber security is? Is your strategy as watertight as you think? Many directors and chief executives often receive mixed messages from heads of department about their own levels of cyber security, with little integration, awareness or understanding about how each individual strategy is working as a whole.

Our audit reviews your entire cyber security position with a prioritised approach to reduce risks.

The outcomes of employing us to carry out a Cyber Security Audit are:

  • Cyber Security Maturity Matrix
  • Prioritised approach guide
  • Clear and concise non-technical Executive Summary
  • Current Cyber Security Posture Review
  • Vulnerability Review
  • Policy and Process Review
  • Internal Staff Training Review
  • Technology Review
  • IT Expertise Review
  • 3rd Party Support Expertise
  • 3rd Party Risks
  • Milestone Development
  • Report Presentation and Feedback

ISO 27001 Consultancy

ISO 27001 is the international information security standard that’s accepted as best practice worldwide. Achieving this certification enables your company to show your customers, stakeholders or suppliers your commitment to managing information safely and securely.

One of the common mistakes companies make is to assume that this accreditation only requires work from the IT team. In reality this is rarely the case, as the standard works across most, if not all, departments, some of which may be out of scope of the certification.

We can help you meet this accreditation through our consultancy service.

ISO 27001 services offered:

  • Scoping of the certification
  • ISO 27001/2 Gap analysis
  • Business risk assessment
  • Development plan development
  • Security policy development
  • Staff awareness training
  • Technical design review
  • Incident response plan review, development and management
  • Internal Audit support, training and managed service
  • Pre-assessment

Payment Card Industry Data Security Standard Compliance Support

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organisations that handle branded credit and debit cards from the major card schemes.

Validation of compliance is performed at regular intervals, either by an external Qualified Security Assessor (QSA), a firm-specific Internal Security Assessor (ISA), or by Self-Assessment Questionnaire (SAQ). Finding a QSA with experience of both service providers and merchants can be hard, but this experience is essential to ensure they can not only give advice on your compliance but also guidance on the options available to you and how they work in real-life scenarios.

Our remote support service allows you to pay for support in advance and spend as much time as you need asking questions of your QSA when needed. The service is designed to support your ongoing projects when you need specialist advice. We provide everything from ad-hoc remote support to end-to-end management of your PCI project, through to the Report on Compliance (ROC).

Authorised Economic Operator

AEO (Authorised Economic Operator) or Trusted Trader is rapidly becoming part of the post-Brexit landscape. This is an accreditation achieved by businesses that meet strict customs criteria by demonstrating quality, compliance and trustworthiness in the international supply chain.

With a review or penetration test of your IT systems a requirement of the accreditation, we have specifically designed a new IT health check (AEOTest) to meet the requirements of AEO accreditation. Our consultants will perform the AEOTest IT health check, report on any issues and supply you with the associated fixes. Once the issues are fixed, we will re-test these systems and, once remediated, supply a Pass Certificate that you can include with your submission.

You can apply for AEO status for either Customs Simplifications (AEOC), Security and Safety (AEOS) or for both.

Key Partners

  • Censornet
  • F5
  • CrowdStrike
  • Palo Alto
  • Macmon
  • Osirium
  • Fortinet
  • Check Point
  • AlienVault

  • 86,000 passwords discovered monthly to prevent breaches
  • 350,000 security events analysed per hour
  • 7 mins average detection time for spotting a breach and alerting the client

Speak to our engineers and experts.