FAQ

WHAT IS APPLICATION FUZZING?

The term fuzzing (fault injection) refers to techniques for detecting vulnerabilities in an application under test. Fuzzing is a fully or partially automated process of repeatedly manipulating the input data fed to the application and observing how it reacts. A vulnerability is considered detected if an exception (a crash or other unhandled error) occurs while the application processes the mutated data.
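As an added illustration of the definition above (example code written for this FAQ, not STM Cyber's tooling), the following Python mutation fuzzer feeds mutated variants of a seed input to a constructed toy record parser and records every unhandled exception; the parser's missing bounds check on the name length is the planted defect, and everything here is constructed.

```python
import random


class MalformedRecord(ValueError):
    """The parser's intended rejection of bad input (not a finding)."""


def parse_record(data: bytes) -> dict:
    """Toy length-prefixed record parser: name_len, name, value_len, value.

    Constructed target, not a real product. value_len is bounds-checked but
    name_len is not, so an oversized name_len indexes past the buffer.
    """
    if len(data) < 2:
        raise MalformedRecord("record too short")
    name_len = data[0]
    name = data[1:1 + name_len]
    value_len = data[1 + name_len]          # IndexError when name_len overruns
    if 2 + name_len + value_len > len(data):
        raise MalformedRecord("value truncated")
    value = data[2 + name_len:2 + name_len + value_len]
    return {"name": name.decode("ascii"), "value": value.decode("ascii")}


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to three random byte-level mutations to the seed input."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        op = rng.choice(("flip", "set", "delete", "insert"))
        if op == "flip" and data:
            data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
        elif op == "set" and data:
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif op == "delete" and len(data) > 1:
            del data[rng.randrange(len(data))]
        elif op == "insert":
            data.insert(rng.randint(0, len(data)), rng.randrange(256))
    return bytes(data)


def fuzz(target, seed: bytes, iterations: int, rng_seed: int = 0) -> dict:
    """Run mutated inputs through target; map exception name -> first input."""
    rng = random.Random(rng_seed)
    findings = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except MalformedRecord:
            continue                        # expected rejection, not a bug
        except Exception as exc:            # unhandled error: record it
            findings.setdefault(type(exc).__name__, case)
    return findings
```

Running `fuzz(parse_record, b"\x03key\x05value", 500)` surfaces the IndexError from the missing check (and usually a UnicodeDecodeError as well), while the parser's own MalformedRecord rejections are not reported.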

WHAT ARE PENETRATION TESTS AND HOW ARE THEY PERFORMED?

The term refers to tests whose goal is to detect vulnerabilities in an IT system which could lead to a loss of control over the confidentiality, integrity or availability of the data it processes.

Penetration tests verify how resistant an organization's IT environment is to attempts at breaching its protections. They may be performed both from the internet and from a private network. By simulating a real attack, it is possible to identify areas that pose a threat to data security or confidentiality, or that put the continuity of service at risk. The scope of a penetration test depends on the structure of the organization and the systems it operates.

WHAT TYPES OF PENETRATION TESTS ARE THERE?

Typically, security tests are classified into three levels depending on how much knowledge the attacker has.

BLACK-BOX - the testing team has no prior knowledge of the entity being targeted; the only thing they know is what the target is. In this model, tests begin with reconnaissance, i.e. gathering information about the target. Based on the findings, the team then moves on to the second phase of testing: scanning and breaking the protections.

GRAY-BOX - the testing team has limited knowledge of the target. This may include addressing data, the protection systems in use, operating systems, active network components, or an initial set of permissions in the system. Depending on how complete this information is, the reconnaissance phase is either scaled down or skipped altogether.

WHITE-BOX - the testers have full knowledge of the target, which makes the reconnaissance phase redundant. All the data that in the other models would be gathered during reconnaissance is provided by the client. Further work follows the same pattern as in the previous models.

WHAT ARE PROFILED TESTS?

Profiled tests consist in developing, preparing and conducting a customised attack on an organisation using all available methods, including social engineering, breaching physical protections and specialised technical attacks. Such an attack is meant to be as close as possible to a genuine attempt at breaching the organisation's security. The tested areas include IT systems, security procedures and employee awareness of how to defend against an attack. Test goals are selected so that achieving them would pose a significant threat to the organisation.

In some cases it is the client who defines the goal to be achieved, for instance:

  • Obtaining HR or salary-related data

  • Obtaining domain administrator certificates

  • Maintaining access

  • Compromising the mail of strategic employees

  • Obtaining access to an industrial network (SCADA)

  • Stealing critical documents

Profiled tests combine all available attack methods. The number of people within the tested organisation who know that the test is taking place is kept to the necessary minimum. This is crucial to keep the test conditions as realistic as possible and to study how both the staff and the security systems and procedures react during the simulated attack.

WHAT DO WIRELESS (WLAN) NETWORK TESTS CONSIST IN?

Wireless networks have become commonplace both at home and at work, and in recent years their capacity has grown manyfold, so they are not only convenient but also fast. Because of the way access to wireless networks is gained, namely without physical access to the transmission medium, their security requires special attention. The very nature of electromagnetic waves makes it extremely difficult to limit their range to protected zones. As a result, in terms of security, Wi-Fi networks constitute a crucial and demanding area of the infrastructure. No wonder, then, that attackers frequently pick wireless networks as one of the first areas in which to attempt to gain access to an organization.

A number of different forms of protection are used in Wi-Fi networks. It is worth noting that cryptographic mechanisms commonly regarded as secure, such as WPA3, WPA2 PSK and WPA Enterprise, do not always provide organizations with effective protection against attacks. The security of Wi-Fi networks is affected by several factors, including the configuration of employee workstations and employee training.

When conducting Wi-Fi tests, as well as other tests requiring significant computing power (for instance password cracking), STM Cyber relies solely on its own resources, which guarantees the client that their passwords will not leak. Many other IT security companies performing such work rely on cloud computing power, which creates an opportunity for the passwords to be intercepted by unauthorized parties. Moreover, such companies often do not verify the strength of Wi-Fi network passwords, wrongly assuming them to be safe. Therefore, before the test gets underway, it is highly recommended to vet the company and its testing methodology.

WHAT IS CHARACTERISTIC OF NETWORK TESTS?

In the case of networks, penetration tests consist in conducting controlled attacks from various locations within the client's network infrastructure, such as:

  • Attacks on the client's servers reachable from the internet

  • Attacks on the client's network from a connection made available to visitors in conference rooms

  • Attacks on the client's network from the network used for internal VoIP calls

One of the most important tasks facing an attacker attempting to compromise a company's security is gaining access to its internal network. Frequently, this is achieved via online services running on machines inside the company's internal network. At times, however, the attacker resorts to unorthodox methods, such as leaving their own computer in a conference room.

STM Cyber advises its clients on which areas to audit in order to obtain the best penetration test results. Once the audit is complete, the client receives a report containing detailed and reliable information on the detected threats and the identified vulnerabilities which could be exploited in a cyberattack on the organisation's IT infrastructure.

WHAT DO PENETRATION TESTS OF WEB AND MOBILE APPLICATIONS CONSIST IN?

Applications:

  • Process critical company data - information on customers, contracts, mail, transactions

  • Enable the company to operate - mail, instant messaging for employees, applications controlling the production process

  • Constitute commercial services for customers - portals, customer panels

STM Cyber offers penetration tests of dedicated and web applications performed following three methodologies: black-box, grey-box and white-box.

WHAT ARE SOCIAL ENGINEERING TESTS?

A large proportion of successful hacking attacks have relied on weaknesses of the human factor rather than of the IT systems. Completely eliminating human involvement from any process is very hard to achieve. Businesses keep increasing the amounts they invest in upgrading their protections; however, people remain people, and when an attack takes place they may be in a hurry, busy or simply having a bad day.

In some cases, people turn out to be overly trusting, helpful or unaware of the threat. It is these positive character traits that make social-engineering attacks so effective. STM Cyber offers tests of the human factor that consist in checking, in practice, whether the client's staff follow the security procedures. Our tests verify whether a potential attacker would be able to get staff to perform a desired action, or to obtain access to places or information which should be unavailable to him or her.

Once the test is over, STM Cyber presents a report listing the areas where employees require training in order to raise their awareness of the threats to the IT infrastructure and of how to use it safely.

WHAT IS AN INCIDENT MANAGEMENT PROCESS?

The promptness of the reaction to a security incident may have a critical impact on an organisation's safety. STM Cyber offers an IT incident management service, also available in the form of reserving exclusive rights to given resources, which allows immediate action to be taken to minimise the negative consequences of an attack.

Handling an incident may comprise the following tasks:

  • Identification of what caused the incident

  • Analysis of the vulnerability - if it has been identified

  • Developing recommendations to eliminate or minimise the risk of such an incident recurring.

WHAT IS THE PROCESS OF SOFTWARE IMPLEMENTATION AND CONFIGURATION?

The security of IT systems plays a key role in ensuring the continuity of any organisation's business processes.

STM Cyber offers a multi-layered approach to security, from protecting the lowest layer (the network), through the system level, up to the layer that presents the data (applications). Such an approach protects IT resources at every level, so that if one layer fails, another takes over and the resources are not exposed. Choosing the right solutions, matching the client's particular needs and providing appropriate protection at every layer, requires a detailed and comprehensive analysis of the existing security infrastructure.

In the next stage, an advanced security audit is performed using black-box, white-box and grey-box methodologies to verify the devices, the IT infrastructure (including the operating systems) and the applications.

Its findings enable crafting a highly customised solution that guarantees optimum protection of the relevant resources. Our primary criterion for proposing a particular solution is how well it matches our client's needs. Additionally, we offer specialist advice and support for a range of products from numerous suppliers, including leading hardware manufacturers, ensuring protection against threats to the IT infrastructure.

WHAT IS INCLUDED IN A POST-INCIDENT ANALYSIS?

Post-incident analysis recreates the actions taken by the attacker. It includes manual and automated analysis of malicious software, identification of the tools and methods used, detection of the rootkits, backdoors, keyloggers and trojan horses used to perform the attack, and securing the evidence so that it is indisputable in possible future proceedings.

The term also covers the negative consequences of a security breach, which characterise every unlawful, unauthorised or unacceptable action taken within a computer system or network.

The analysis incorporates the following phases:

  • Incident detection - identification of a potential breach of the security policy

  • Preliminary phase - performing the tasks of the initial investigation, such as collecting logs, recording activity, assembling the response team, and notifying the relevant persons of the incident and the investigation

  • Defining the response strategy - preparing the subsequent steps of the investigation based on the gathered information

  • Incident analysis - preparing and collecting all the secured data, and analysing it to determine the consecutive stages of the incident (who, when and how)

  • Reporting - preparing a report together with recommendations as to how similar incidents can be prevented in the future

  • Implementation of guidelines - the process during which the existing security policies are modified in order to prevent such incidents

WHAT ARE THE BENEFITS OF IMPLEMENTING AN INFORMATION SECURITY MANAGEMENT SYSTEM CONSISTENT WITH ISO/IEC 27001?

Implementation of an information security management system (ISMS) is a solution developed in accordance with the requirements of the international ISO/IEC 27001 standard.

If properly executed, implementing an ISMS enables effective and comprehensive management of information security in any organization. Information is a valuable resource which may make or break any business. In general terms, appropriate information management allows the business to operate confidently, develop, broaden its horizons and modernize its activity.

HOW TO IMPLEMENT A BUSINESS CONTINUITY MANAGEMENT SYSTEM (BCMS) CONSISTENT WITH THE ISO 22301 STANDARD?

STM Cyber offers implementation of a Business Continuity Management System based on the international standard ISO 22301, released in 2012. A BCMS is a comprehensive approach to managing the processes occurring in an organization. The primary benefit of implementing a BCMS is that it either protects the organization's business continuity from being interrupted by incidents affecting resource availability, or minimizes their impact.

HOW DOES A SANDBOX WORK?

The term sandbox refers to an isolated, safe environment designed to monitor or analyse the behaviour of the tested software or other binary files. Sandbox analysis uses both static and dynamic methods. It may be run locally, either manually or in automated form. A sandbox may also be a component of another system to which relevant files are sent for automatic analysis, for instance in the cloud.

A sandbox analysis allows a program's behaviour to be monitored in the following areas:

  • File-level activity - which files were created, modified or deleted while the program was running

  • Mutex-level activity - checking how many processes are tied to the same resource

  • Registry activity - tracing changes made to the operating system registry

  • Network activity - studying the program's network traffic, which may indicate attempts to connect to a C&C server or the presence of stager-type software.

HOW TO DEFEND AGAINST DDOS ATTACKS?

The term is used to refer to solutions aimed at counteracting Distributed Denial of Service attacks.

DoS/DDoS attacks may target both the network layer (UDP flood, TCP SYN flood, TCP SYN-ACK flood) and the application layer (session flooding, request flooding, slow request/response).

The aim of a DDoS attack is to interrupt the continuity of IT systems' operation by placing an excessive load on resources or saturating the connection. Anti-DDoS systems may be a component of other security systems safeguarding internet-facing resources. What provides optimum protection against DDoS? One example is SYN cookie technology implemented in firewall devices. Another effective approach is to build an independent, specialised solution composed of a sensor and a filtering unit, forming a so-called scrubbing centre. Unlike traditional inspection systems, it does not keep a state table and therefore remains invulnerable to attacks targeting the web layer. Such an approach provides advanced traffic monitoring (top-talker analysis, peering analysis), the possibility of stemming attacks at their source (BGP offramp, FlowSpec), as well as high efficiency and reliability (specialised filters and mechanisms for additional authentication to eliminate spoofed IP addresses).
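To show how the SYN cookie technique mentioned above lets a device complete TCP handshakes without keeping a per-connection state table, here is an added Python example written for this FAQ (not a product's or kernel's implementation). It assumes a simplified Bernstein-style cookie layout, a constructed secret, and omits details such as the client's sequence number that real kernels fold into the hash.

```python
import hashlib
import hmac

# Constructed secret for the demo; a real device generates it at boot and rotates it.
SECRET = b"demo-secret-do-not-reuse"
COUNTER_PERIOD = 64   # seconds per counter tick; cookies older than one tick expire


def _counter(now: int) -> int:
    """5-bit time counter (assumed layout)."""
    return (now // COUNTER_PERIOD) & 0x1F


def _mac24(src_ip: str, src_port: int, dst_ip: str, dst_port: int, t: int) -> int:
    """24-bit keyed hash over the connection 4-tuple and the counter."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def syn_cookie(src_ip, src_port, dst_ip, dst_port, mss_index: int, now: int) -> int:
    """Build the SYN-ACK ISN: 5 bits counter | 3 bits MSS index | 24 bits MAC.

    Nothing is stored for the half-open connection; the ISN itself carries
    everything needed to validate the client's final ACK later.
    """
    t = _counter(now)
    mac = _mac24(src_ip, src_port, dst_ip, dst_port, t)
    return (t << 27) | ((mss_index & 0x7) << 24) | mac


def check_ack(ack: int, src_ip, src_port, dst_ip, dst_port, now: int):
    """Validate the handshake's final ACK without any stored state.

    Returns the recovered MSS index on success, or None for a forged,
    mismatched or expired cookie, so a SYN flood cannot fill a backlog queue.
    """
    isn = (ack - 1) & 0xFFFFFFFF             # client acks ISN + 1
    t = isn >> 27
    if (_counter(now) - t) & 0x1F > 1:       # older than one counter tick
        return None
    expected = _mac24(src_ip, src_port, dst_ip, dst_port, t)
    got = isn & 0xFFFFFF
    if not hmac.compare_digest(expected.to_bytes(3, "big"), got.to_bytes(3, "big")):
        return None
    return (isn >> 24) & 0x7
```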

HOW IS MALWARE DETECTED AT THE NETWORK LEVEL USING NAV?

NAV (Network Anti-Virus) systems deployed at the point interfacing with the internet serve as a network-level malware detection system. This method of deployment simplifies the corporate network environment: with no antivirus software installed on the endpoints, they run more efficiently and the risk of software compatibility issues is reduced.

These systems frequently complement other systems installed on hosts. NAV systems use well-known detection methods based on signatures and behavioural analysis, as well as sandboxing. They may be incorporated into other security systems, such as firewalls or data loss prevention systems, or function as a stand-alone solution.

WHAT DOES VULNERABILITY SCANNING CONSIST IN?

Vulnerability scanning refers to an automated, proactive process of identifying weaknesses in IT security systems in order to find out whether, and under what circumstances, a given vulnerability could be used to breach security or destabilise the system (DoS). The scan may conclude with a report listing the detected vulnerabilities, or be followed by manual verification of the identified issues.