INFORMATION SECURITY CONSULTANCY SERVICES

As technology develops, it is not always possible to keep up with attackers, who mount ever more complex attacks every day and can penetrate even where there is hardly any weakness. For a sound security infrastructure, we can help you choose the appropriate products for your budget and commission them. In most cases it is better to carry out risk analysis and management and penetration tests before selecting products.


As Sibertis, we can provide information security consultancy services by our expert teams in the following areas:

PENETRATION TESTS AND VULNERABILITY ASSESSMENT

As Sibertis, we can perform both automated scanning and manual penetration tests according to international standards. The automated scan is a periodic scan of the network by a suitable solution installed in your system. The scan is IP-based, and the times at which scanning is required can be set in advance. The higher the scanning frequency, the larger the servers that need to be provisioned. The automated scanning solution can be deployed at the customer's premises, which makes it a much safer solution for the company. Sibertis is the Value Added Distributor of Positive Technologies across the Middle East and Turkey regions. Please contact us for further information.

In manual penetration tests, the standards we use are as follows:

  • PTES Technical Guidelines
  • NIST (The National Institute of Standards and Technology)
  • New PCI DSS guidance
  • OWASP Testing Guide

We carry out the tests with our expert teams and we comply with mandatory national and international standards such as KVKK, GDPR, HIPAA, PCI-DSS and non-mandatory standards such as ISO/IEC 27001:2013, NIST SP 800-53, HITRUST.

In our tests we work in 4 different layers. Of these 4 layers, we carry out the ATM network and SS7 signaling infrastructure security tests together with our business partner Positive Technologies.


The four layers we test are as follows:

External Infiltration (Black Box)

In this type of test, the person performing the pentest has no prior knowledge of the organization. Information is collected from outside the company, entry points are identified and infiltration takes place. The margin of error is high and the test takes a long time.

External Infiltration (White Box / Gray Box)

In this type of test, the pentester acts as a client or business partner with limited knowledge of the business. Pentest targets are usually predetermined. Accuracy is higher and the results report is prepared in a relatively short time.

Internal Infiltration

In this model, the pentest expert acts as a member of the enterprise's own staff. This method is very effective in identifying unauthorized usage and deficiencies in the systems. Password cracking and network access are tested in this layer. Internal penetration testing is usually carried out to identify and fix security vulnerabilities.

Firewalls and Security Systems Testing

In this layer, security policies, the performance of firewall devices, the evaluation of operating systems, the analysis of business processes and the adequacy of all security systems are assessed.

The types of security tests we perform as Sibertis are as follows:

Network penetration tests

  • External and Internal
  • Black Box, White Box or Gray Box
  • Perimeter Infrastructure
  • Wireless networks, WEP/WPA/WPA2 cracking
  • Cloud penetration tests
  • Telephone systems, VoIP

Application Penetration Tests

  • Web applications – ASP.NET, PHP, Java, XML, APIs, web services
  • Company's in-house applications
  • Mobile applications – Android, iOS
  • Industrial Control Systems – SCADA
  • Databases – SQL, MySQL, Oracle

WEB Application Security Tests

  • SQL injection and cross-site vulnerabilities
  • Server configuration problems
  • Website infiltration aimed at retrieving credit card information
  • Use of an already compromised web server as a foothold for further network penetration

Physical Penetration Tests

  • Bypassing physical security in the enterprise
  • Fake IDs, entering in place of someone else
  • Leaving removable media on the premises to gather in-house information

Social Engineering Tests

  • Communicating with employees
  • Phishing attacks
  • Obtaining passwords
  • Obtaining company information from posts on social media
  • Business partners, customers
  • Obtaining Facebook and LinkedIn accounts

Security Test Planning

The planning of penetration tests carried out within the scope of security testing is extremely important for the quality of the results. Once the vulnerabilities have been determined, the report should be carefully evaluated and the relevant actions taken.

Within the scope of the planning, the following issues should be agreed:

  • The scope of the penetration tests (Black Box / White Box / Gray Box)
  • External or internal penetration tests
  • How often the tests are performed
  • How to close any vulnerabilities that may arise during the test
  • Whether or not to perform DDoS tests
  • How many kinds of result reports are to be prepared (dedicated to the IT team, specific to company managers, for all employees)

RISK MANAGEMENT

Risk Management is the process of measuring the extent to which threats and vulnerabilities will affect your assets. As Sibertis, we can identify your risks, provide you with a detailed report and then identify the ways in which they can be remedied.

The results of our analysis include the following:

  • Summary
    • Security monitoring throughout the company
    • Identified weaknesses and risks
    • Likelihood of the vulnerabilities being attacked
  • Graphical Representation of the Results
    • Detailed road map
    • Infographics related to risks
    • Diagrams and ratings
  • Detailed Recommendations
    • Recommendations for eliminating each weakness
    • Recommendations for improving the company's overall security posture
  • Demonstrations of the problems that important weaknesses may cause

In general, we follow the path below for Corporate Risk Management:

Risk Assessment and Determination of Needs

  • Identification of assets holding important information
  • Evaluation with the relevant department responsible
  • Continuity of Risk Management

Conducting Management Meetings

  • Appointment of responsible people for serious incidents
  • Ensuring independent access to top-level managers
  • Determination of budget and resources
  • Regular measurement and improvement of technical levels of teams

Determination of Company Policies

  • Linking policies to the risks
  • Preparing policies and guidelines
  • Supporting company policies by a centralized group of decision makers

Increasing Cyber Awareness and Training

  • Informing users about potential risks
  • Raising awareness in a user-friendly way

Policy Review and Improvements

  • Reviewing the risks and the factors affecting productivity
  • Measures to be taken in the future to avoid problems
  • Examination and implementation of new technologies

INDUSTRY-SPECIFIC SECURITY EVALUATIONS

Telecom Infrastructure Security Assessment

Since telecom infrastructures are complex and directly affect users, their security testing should be done by experts who specialize in telecom security and are familiar with international telecom standards. As Sibertis, we offer the following telecom infrastructure security tests together with Positive Technologies:

  • SS7 Signaling Layer Security Assessment
  • Security Assessment of Radio Access Networks
  • Diameter Network Security Assessment

Some of the major threats to Telecom Infrastructures are as follows:

  • Billing fraud / bypassing the billing system
  • Obtaining subscriber information
  • Possible DDoS attacks on subscribers and equipment
  • Interception of user calls and messaging

The topics we focus on during the tests are as follows:

  • Reduction of fraud and loss of income
  • Building trust with customers and partners, preventing churn
  • Maintaining the confidentiality of the core network and its subscribers
  • Ensuring compliance with laws and regulations
  • Preventing possible DDoS attacks and improving customer experience


Critical Infrastructure Security Assessment

Security assessments of Industrial Control Systems, like those of telecom infrastructures, should also be handled by experts, as they directly affect production. Together with Positive Technologies as our business partner, we provide the following services:

  • Industrial Control Systems (ICS) inspection
  • External and internal penetration tests of IT organizations

Some of the major threats to Industrial Control Systems (ICS) Infrastructures are as follows:

  • Possible accidents and loss of life caused by attackers
  • Takeover of the ICS infrastructure
  • Unauthorized access to the ICS infrastructure
  • System failures

The topics we focus on during the tests are as follows:

  • Analysis of application source code with static, dynamic and interactive security tests
  • Detailed analysis of software, embedded software and proprietary protocols
  • Detailed examination of the architecture of the embedded services
  • Testing access to the ICS infrastructure and testing of external connections
  • ICS compliance review
  • Analysis of network architecture, network services and access


Online Banking System and ATM Network Security Assessment

Today, the financial sector is one of the most heavily attacked sectors, and most of the attacks target online banking systems and ATM networks. Together with our business partner Positive Technologies, we offer the following services:

  • Internal and external penetration tests of the Online Banking System (OLS)
  • Analysis of automated controls and server-side configuration
  • Remediation verification
  • Black Box and White Box infiltration methods applied to ATM networks

Some of the major threats and vulnerabilities that can occur in Online Banking Systems are as follows:

  • Weaknesses in protection mechanisms
    • Identification
    • Authorization
    • Non-repudiation
    • Transaction security
  • Logical errors in operation
  • Vulnerabilities in application code
  • Insufficient protection on the user side
  • Vulnerabilities in servers

Some of the major threats and weaknesses in ATM Networks are as follows:

  • Poor user authentication and access control
  • Vulnerabilities in network communication
  • Vulnerabilities in network services of the ATM software
  • Vulnerabilities in security software
  • BIOS security vulnerabilities
  • Inadequate security in ATM components (PIN pad, cash dispenser, card reader, etc.)

The topics we focus on during testing are as follows:

  • Detection of zero-day vulnerabilities and weaknesses
  • Analysis of application source code with static, dynamic and interactive security tests
  • Detailed analysis of software, embedded software and proprietary protocols
  • Detailed review of the architecture of embedded services
  • Detailed analysis of ATM components

WEB & MOBILE APPLICATION SECURITY ASSESSMENTS

WEB Application Security Assessment

Today, web technologies are widely used to manage business processes. Corporate websites, corporate portals, online stores, service portals, e-commerce platforms and social media platforms are just a few of the web services used by millions of people every day. Public websites are not just the image of a business; they are also a convenient channel for selling its products. Potential vulnerabilities and attacks on websites may result in significant financial loss and reputational damage for businesses.

According to a study carried out by Positive Technologies in 2016, 58% of web applications have a critical vulnerability. Although this figure dropped to 52% in 2017, even a single weakness can cause the entire server to be completely compromised. You can contact us to review the reports.

The purpose of a security assessment of web applications is to reveal such vulnerabilities and to improve security quality through an independent party. Security assessment is very important for improving the security quality of applications, and it reduces the risk of operational, financial and reputational damage.

As Sibertis, we evaluate your web applications in detail with our expert staff and our business partner Positive Technologies; we analyze and report possible vulnerabilities and offer solutions.

Common vulnerabilities in web applications, grouped by layer, are as follows:

Users

  • Password Management
  • Social Engineering
  • Phishing Attacks
  • Patch Management
  • Web sites that users frequently log in to
  • Data Management
  • Privileged Access

Application

  • Cross-site Scripting
  • Weak Input Validation
  • Brute Force Attacks
  • Phishing Attacks
  • Patch Management
  • Web sites that users frequently log in to
  • Data Management
  • Privileged Access

Browser

  • Phishing Attacks
  • Framing
  • Trap links (Clickjacking)
  • Obtaining the User Information in the Browser (Man in the Browser)
  • Buffer Overflow Attacks
  • Data Caching

Back-End

WEB Server

  • Platform Vulnerabilities
  • Server Misconfiguration
  • Cross-site Scripting
  • Weak Input Validation
  • Password Capture

Database

  • SQL injection
  • Privilege Escalation
  • Data Dumping
  • OS Command Execution

Mobile App Security Assessment

Nowadays, mobile applications have become a popular alternative to web applications, as they are more user friendly. The mobile application market is growing rapidly with the development of Internet technologies, which in turn drives growth in both digital services and their quality. Mobile banking, social networks, online shopping, reservation systems, service portals and business applications are the most commonly used mobile services. The widespread use of these applications is causing attacks to increase.

According to a study carried out by Positive Technologies in 2015, 75% of Android-based mobile banking applications and 33% of iOS-based applications were found to have a critical weakness. In a possible attack, this may allow an attacker to capture payment information. You can contact us to review the report.

The purpose of a security assessment of mobile applications is to expose such vulnerabilities and to improve security quality with an independent eye. Security assessment is very important for improving the security quality of applications, and it reduces the risk of operational, financial and reputational damage.

As Sibertis, we evaluate your mobile applications in detail with our expert staff and our business partner Positive Technologies.

Common vulnerabilities in mobile applications, grouped by layer, are as follows:

Users

Browser

  • Phishing Attacks
  • Framing
  • Trap Links (Clickjacking)
  • Obtaining User Information
  • Buffer Overflow
  • Data Caching

Applications

  • Storage of Sensitive Data
  • Weak Encryption
  • Improper SSL Validation
  • Configuration Manipulation
  • Runtime Injection
  • Privilege Escalation
  • Device Access

Call / SMS

  • Baseband Attacks
  • SMS Commands

System

Operating System

  • Encryption Management
  • Jailbreaking / Rooting
  • OS Data Caching
  • Data Access
  • Carrier-Loaded Software
  • Zero Day Attacks

Network

Communication Channels

  • Weak Wi-Fi encryption
  • Rogue Wireless Access Points on the network
  • Packet Sniffing
  • Tampering with Information on the Network
  • Session Hijacking
  • DNS Poisoning
  • Fake SSL Certificates

Back-End

WEB Server

  • Platform Vulnerabilities
  • Server Misconfiguration
  • Cross-site Scripting
  • Weak Input Validation
  • Password Capture

Database

  • SQL injection
  • Privilege Escalation
  • Data Dumping
  • Web sites that users frequently log in to
  • Data Management
  • Privileged Access

Contact Us


Istanbul Headquarters

Saray Mah. Dr. Adnan Büyükdeniz Cad., Cessas Plaza 2. Blok Kapı No 4/21, Ümraniye 34768, İstanbul, Turkey

Tel: +90 216 386 6888

Ataşehir Operation Center

Vedat Günyol Cad. Flora Plaza 23. Kat Ofis No: 2302 Ataşehir/İstanbul

Tel: +90 216 359 7943

MEA Region Office – Dubai

Boulevard Plaza Tower 1, Sheikh Mohammed Bin Rashid Boulevard, Downtown Dubai, Dubai, United Arab Emirates

Tel: +971 (4) 401 8553

info@sibertis.com.tr