PENETRATION TESTING

Evaluate the security of your IT. Find out how easily cyber-criminals could target your organization and gain access to your systems and data.

With the increasing reliance on computer systems, cyber security testing has become more important in determining whether security controls are operating as intended and how well the organization’s information is protected.

Penetration testing, also called pen testing or ethical hacking, is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit. Penetration testing can be automated with software applications or performed manually. Either way, the process involves gathering information about the target before the test, identifying possible entry points, attempting to break in — either virtually or for real — and reporting back the findings.

The main objective of penetration testing is to identify security weaknesses. Penetration testing can also be used to test an organization’s security policy, its adherence to compliance requirements, its employees’ security awareness and the organization’s ability to identify and respond to security incidents.

Typically, information about the security weaknesses identified or exploited through pen testing is aggregated and provided to the organization’s IT and network system managers, enabling them to make strategic decisions and prioritize remediation efforts.

Penetration tests are also sometimes called white hat attacks because in a pen test, the good guys are attempting to break in.

NETWORK PENETRATION TESTING

WEB APPLICATION PENETRATION TESTING

MOBILE APPLICATION PENETRATION TESTING

With the increasing reliance on mobile applications, cyber security testing has become more important in determining whether security controls are operating as intended and how well information assets, including intellectual property, are protected. To this end, BDO has created a mobile testing methodology that leans on guidelines from the OWASP Application Security Verification Standard and covers the following testing areas:

  • Mobile platform internals
  • Security testing in the mobile app development life-cycle
  • Basic static and dynamic security testing
  • Mobile app reverse engineering and tampering
  • Assessing software protections
  • Detailed test cases that map to the requirements in the MASVS
  • Business logic bypass
  • Authentication and Authorization mechanism bypass
  • Session Management
  • Access Control
  • Malicious Input Handling
  • Cryptography at Rest
  • Error Handling and Logging
  • Data Protection
  • Communications Security
  • Business Logic

NETWORK SECURITY REVIEW

Network controls can effectively protect your critical assets and increase the likelihood of detecting unauthorized activity or a breach.

These areas are typically appropriate for review by our technical security assessors and engineers:

  • Perimeter design
  • Segmentation of critical systems
  • Choke points
  • Inbound remote access mechanisms
  • Wireless networks
  • Log aggregation
  • Monitoring and attack detection capability
  • Firewall rules
  • Threat intelligence
  • Maintenance processes

SECURE CODE REVIEW

Security code review is required by some regulations and is a common stage in the Secure Software Development Life-cycle (S-SDLC). In today’s threat landscape, where every laptop or smartphone has access to sensitive company data, any developed application or website that allows others to access sensitive company data requires an assessment of the security weaknesses that derive from the use and implementation of a programming language. BDO will perform a set of detailed security testing methodologies, including automated static analysis and manual inspection of code, to audit the source code of an application and verify that the proper security controls are present. The resulting report will present the development team with the detailed security issues that may leave the application open to attack, together with recommendations for fixing them.

BDO Cyber Security Consulting is well-versed in nearly all programming languages in use today, including Java, C#, ASP, C / C++, Objective-C, Visual Basic, Perl, Python, TCL and assembly language on various platforms.

WIRELESS NETWORK ASSESSMENT

Wireless networks, by their very nature, are often exposed beyond the physical confines of your facility or offices. In addition, rogue access points may target your users’ mobile devices.

BDO assesses wireless networks by performing testing at multiple locations and monitoring for weaknesses in the networks present. We will perform brute force attacks on networks to confirm how easily, or with how much difficulty, attackers could gain access. Scanning will be performed for rogue networks and weak algorithms.

The objectives of the wireless network assessment will be to:

  • Perform a wireless network survey to identify the exposure of your networks beyond your user community;
  • Search for rogue access points set up by users or attackers;
  • Test security protocols to confirm the likelihood of a brute force attack;
  • Search unprotected networks for gateways or vulnerable systems;
  • Capture wireless traffic to assess exposure to replay attacks or dictionary cracking; and
  • Recommend countermeasures to high risk vulnerabilities.

SOC TESTING SERVICES

WHY EXERCISE YOUR SOC?

The Security Operations Center (SOC) lies at the heart of any capability to defend an organization from cyber attack and to establish a base-line level of cyber resilience.

Investment in SOC capabilities is significant, and that investment in technology, intelligence and staff needs to be regularly justified against a hierarchy of security risk priorities and proven against ‘real-world’ threats.

SOC testing will invariably identify multiple potential points of failure in your ability to combat a cyber attack, whether technical, human or procedural.

It will check your situational awareness and assessment capabilities, and give a broad base for evaluating the effectiveness of your monitoring, detection, prevention and response.

TESTING YOUR CAPABILITIES

BDO’s SOC testing provides a unique service in which multiple attack vectors, both external and internal, are launched against the organization in order to assess the actual capabilities of the SOC.

The SOC testing evaluates how, and whether, your SOC will protect the organization from a possible breach. After several years of working for leading international enterprises, BDO’s experts have a strong track record of success.

The SOC testing, which can be modified to suit the customer’s needs, includes the following:

  • Technical exploitation of the organization’s external online assets (external services, web applications, etc.)
  • Infiltrating internal networks (elevating privileges to gain internal or physical access)
  • Gateway traffic from the Internet to the Intranet and vice versa (phishing emails, malware, etc.)

Attackers use a broad spectrum of tools and tactics to compromise networks; BDO’s SOC testing team not only uses today’s tools, but tomorrow’s as well. If you need to assess all the functions of your SOC, we apply the latest hacker techniques as part of a unique ‘war games’ methodology to simulate a real cyber crisis. This process evaluates how your SOC Operators, Analysts and Managers perform when faced with different scenarios, from basic triage and first response to a low-frequency, high-impact event.