
INFORMATION SECURITY CONSULTANCY SERVICES


    As technology develops, it is not always possible to keep up with attackers who mount ever more complex attacks every day and can penetrate even systems that have hardly any weaknesses. For a sound security infrastructure, we can help you choose the appropriate products for your budget and commission them. In most cases it is more accurate to carry out risk analysis and management, and penetration tests, before selecting products.

    As Sibertis, we provide information security consultancy services through our expert teams in the following areas:

    PENETRATION TESTS AND VULNERABILITY ASSESSMENT

    As Sibertis, we perform both automated scanning and manual penetration tests according to international standards. Automated scanning is a periodic scan of the network by a suitable solution installed in your environment. The scan is IP-based, and the scan schedule can be determined in advance. The higher the scanning frequency, the larger the servers that need to be deployed. The automated scanning solution can be deployed on the customer's premises, which makes it a much safer option for the company. Sibertis is the Value Added Distributor of Positive Technologies across the Middle East and Turkey regions. Please contact us for further information.

    In manual penetration tests, the standards we use are as follows:

    • PTES Technical Guidelines
    • NIST (National Institute of Standards and Technology)
    • New PCI DSS guidance
    • OWASP Testing Guide

    We carry out the tests with our expert teams and we comply with mandatory national and international standards such as KVKK, GDPR, HIPAA, PCI-DSS and non-mandatory standards such as ISO/IEC 27001:2013, NIST SP 800-53, HITRUST.

    Our tests work at four different layers. Of these four layers, we carry out the ATM network and SS7 signaling infrastructure security tests together with our business partner Positive Technologies.

    The four layers we test are as follows:

    External Penetration Test (Black Box)

    In this type of test, the tester has no prior knowledge of the organization. Information is gathered from outside the company, entry points are identified and access is gained. The margin of error is high and the test takes a long time.

    External Penetration Test (White Box / Gray Box)

    In this type of test, the tester acts as a customer or business partner with limited knowledge of the business. Test targets are usually predetermined. Accuracy is higher and the results report is prepared in a relatively short time.

    Internal Penetration Test

    In this model, the tester acts as a member of the organization's own staff. This method is very effective at identifying unauthorized use and deficiencies in the systems. Password cracking and network access are carried out at this layer. Internal penetration testing is usually carried out to identify and remediate security vulnerabilities.

    Firewall and Security System Testing

    This layer covers the security policies, the performance of firewall devices, the evaluation of operating systems, the analysis of business processes and the adequacy of all security systems.

    The types of security tests we perform as Sibertis are as follows:

    Network penetration tests

    • External and Internal
    • Black Box, White Box or Gray Box
    • Perimeter Infrastructure
    • Wireless networks, WEP/WPA/WPA2 cracking
    • Cloud penetration tests
    • Telephone systems, VoIP

    Application Penetration Tests

    • Web applications – ASP.NET, PHP, Java, XML, APIs, web
    • The company's in-house applications
    • Mobile applications – Android, iOS
    • Industrial Control Systems – SCADA
    • Databases – SQL, MySQL, Oracle

    Web Application Security Tests

    • SQL injection and cross-site vulnerabilities
    • Server configuration problems
    • Website compromise to retrieve credit card information
    • Use of an already compromised web server for further spread and network penetration

    Physical Penetration Tests

    • Bypassing physical security controls in the enterprise
    • Fake IDs, entering in place of someone else
    • Leaving removable media on site to obtain in-house information

    Social Engineering Tests

    • Communicating with employees
    • Phishing attacks
    • Obtaining passwords
    • Obtaining company information from social media posts
    • Business partners and customers
    • Obtaining Facebook and LinkedIn accounts

    Security Test Planning

    The planning of the penetration tests carried out within the scope of security testing is extremely important for the results. After the vulnerabilities are determined, the report should be carefully evaluated and the relevant actions taken.

    Within the scope of the planning, the following issues should be agreed:

    • The scope of Penetration Tests (Blackbox/Whitebox/Graybox)
    • External or internal penetration tests
    • How often the tests are performed
    • How vulnerabilities found during the test will be closed
    • Whether or not to perform DDoS tests
    • How many kinds of result reports will be prepared (for the IT team, for company managers, for all employees)

    RISK MANAGEMENT

    Risk management is the process of measuring the extent to which threats and vulnerabilities will affect your assets. As Sibertis, we identify your risks, provide you with a detailed report and then identify the means of remediation.

    The results of our analysis include the following:

    • Summary
      • Security overview across the company
      • Identified weaknesses and risks
      • Likelihood of the vulnerabilities being exploited
    • Graphical Representation of the Results
      • Detailed road map
      • Infographics related to the risks
      • Diagrams and ratings
    • Detailed Recommendations
      • Recommendations for eliminating each weakness
      • Recommendations for correcting the company's overall security posture
    • Demonstrations of the problems that important weaknesses could cause

    In general, we follow the path below for Corporate Risk Management:

    Risk Assessment and Determination of Needs

    • Identification of assets holding important information
    • Evaluation with the relevant department responsible
    • Continuity of Risk Management

    Conducting Management Meetings

    • Appointment of responsible people for serious incidents
    • Ensuring independent access to top-level managers
    • Determination of budget and resources
    • Regular measurement and improvement of technical levels of teams

    Determination of Company Policies

    • Linking policies to the risks
    • Preparing policies and guidelines
    • Supporting company policies by a centralized group of decision makers

    Increasing Cyber Awareness and Training

    • Informing users about potential risks
    • Raising engagement in a user-friendly way

    Policy Review and Improvements

    • Reviewing the risks and the factors affecting productivity
    • Measures to be taken in the future to avoid problems
    • Examination and implementation of new technologies

    INDUSTRY-SPECIFIC SECURITY ASSESSMENTS

    Telecom Infrastructure Security Assessment

    Since telecom infrastructures are complex and directly connected to users, security testing should be done by experts who specialize in telecom security and are familiar with international telecom standards. As Sibertis, we offer the following telecom infrastructure security tests together with Positive Technologies:

    • SS7 Signaling Layer Security Assessment
    • Security Assessment of Radio Access Networks
    • Diameter Network Security Assessment

    Some of the major threats to Telecom Infrastructures are as follows:

    • Billing fraud / bypassing the billing system
    • Obtaining subscriber information
    • Possible DDoS attacks on subscribers and equipment
    • Interception of user calls and messaging

    The topics we focus on during the tests are as follows:

    • Reduction of fraud and loss of income
    • Gaining the trust of customers and partners, preventing churn
    • Maintaining the confidentiality of the core network and its subscribers
    • Ensuring compliance with laws and regulations
    • Preventing possible DDoS attacks and improving customer experience

    Critical Infrastructure Security Assessment

    Security assessments of Industrial Control Systems, like those of telecom infrastructures, should also be handled by experts, as they directly affect production. Together with our business partner Positive Technologies, we provide the following services:

    • Industrial Control Systems (ICS) inspection
    • External and internal penetration tests of IT organizations

    Some of the major threats to Industrial Control Systems (ICS) infrastructures are as follows:

    • Possible accidents and loss of life caused by attackers
    • Takeover of the ICS infrastructure
    • Unauthorized access to the ICS infrastructure
    • System failures

    The topics we focus on during the tests are as follows:

    • Analysis of application source code with static, dynamic and interactive security tests
    • Detailed analysis of software, embedded software and unified protocols
    • Detailed examination of the architecture of the embedded services
    • Testing access to ICS infrastructure and testing of external connections
    • ICS compatibility review
    • Analysis of network architecture, network services and access

     

    Online Banking System and ATM Network Security Assessment

    Today, one of the sectors with the highest number of attacks is the financial sector and most of the attacks are done to online banking systems and ATM networks. Together with our business partner Positive Technologies, we offer the following services:

    • Performing internal and external penetration tests to the Online Banking System (OLS)
    • Analysis of automatic control and server-side configuration
    • Remediation Verification
    • Implementation of Blackbox and Whitebox infiltration methods in ATM networks

    Some of the major threats and vulnerabilities that can occur in Online Banking Systems are as follows:

    • Weaknesses in protection mechanisms
      • Identification
      • Authorization
      • Permissions
      • Transaction security
    • Logical errors in operation
    • Vulnerabilities in application code
    • Insufficient protection on the user side
    • Vulnerabilities in servers

    Some of the major threats and weaknesses in ATM Networks are as follows:

    • Poor user authentication and access control
    • Vulnerabilities in network communication
    • Vulnerabilities in network services for software and ATMs
    • Vulnerabilities in security software
    • BIOS security vulnerabilities
    • Inadequate security in ATM components (PIN pad, cash dispenser, card reader, etc.)

    The topics we focus on during testing are as follows:

    • Detection of zero-day vulnerabilities and weaknesses
    • Analysis of application source code with static, dynamic and interactive security tests
    • Detailed analysis of software, embedded software and unified protocols
    • Detailed review of the architecture of embedded services
    • Detailed analysis of ATM components

    WEB & MOBILE APPLICATION SECURITY ASSESSMENTS

    WEB Application Security Assessment

    Today, web technologies are widely used to manage business processes. Corporate websites, corporate portals, online stores, service portals, e-commerce platforms and social media platforms are just a few of the web services used by millions of people every day. Public websites are not just the image of a business; they are also a convenient channel for selling its products. Potential vulnerabilities and attacks on websites may result in significant financial and reputational loss for businesses.

    According to a study carried out by Positive Technologies in 2016, 58% of web applications have a critical vulnerability. Although this figure dropped to 52% in 2017, even a single weakness can be enough to bring down the entire server. You can contact us to review the reports.

    The purpose of the security assessment carried out on web applications is to reveal such vulnerabilities and to improve security quality with an independent party. Security assessment is very important for improving the security quality of applications, and reduces the risk of operational, financial and reputational damage.

    As Sibertis, we evaluate your web applications in detail with our expert staff and our business partner Positive Technologies, analyze and report possible vulnerabilities, and offer solutions.

    Common vulnerabilities in web applications can be grouped as follows:

    Users

    • Password Management
    • Social Engineering
    • Phishing Attacks
    • Update Management
    • Web sites that users frequently log in
    • Data Management
    • Authorized Entries

    Application

    • Cross-site Scripting
    • Weak Input Verification
    • Brute Force Attacks
    • Phishing Attacks
    • Update Management
    • Web sites that users frequently log in
    • Data Management
    • Authorized Entries

    Browser

    • Phishing Attacks
    • Cross-Frame Attacks (Framing)
    • Trap links (Clickjacking)
    • Obtaining the User Information in the Browser (Man in the Browser)
    • Buffer Overflow Attacks
    • Data Caching

    Back-End

    WEB Server

    • Platform Vulnerabilities
    • Incorrect Server Configuration
    • Cross-Site Scripting
    • Weak Input Verification
    • Password Capture

    Database

    • SQL injection
    • Privilege Escalation
    • Data Dumping
    • OS Command Execution

    Mobile App Security Assessment

    Nowadays, mobile applications have become a popular alternative to WEB applications as they are more user friendly. The mobile application market is growing rapidly with the development of Internet Technologies. This leads to an increase in both digital and quality services. Mobile banking, social networks, online shopping, reservation systems, service portals and business applications are the most commonly used mobile services. The frequent use of applications is causing attacks to increase.

    According to a study carried out by Positive Technologies in 2015, 75% of Android-based mobile banking applications and 33% of iOS-based applications were found to have a critical weakness. In a possible attack, this could allow an attacker to capture payment information. You can contact us to review the report.

    The purpose of the security assessment of mobile applications is to expose such vulnerabilities and improve security quality with an independent eye. Security assessment is very important for improving the security quality of applications, and reduces the risk of operational, financial and reputational damage.

    As Sibertis, we evaluate your mobile applications in detail with our expert staff and our business partner, Positive Technologies.

    Common vulnerabilities in mobile applications can be grouped as follows:

    Users

    Browser

    • Phishing Attacks
    • Framing
    • Trap Links (Clickjacking)
    • Obtaining User Information
    • Buffer Overflow
    • Data Caching

    Applications

    • Storage of Sensitive Data
    • Weak Encryption
    • Incorrect SSL Verification
    • Configuration Manipulation
    • Runtime Injection
    • Privilege Escalation
    • Device Access

    Call /Text

    • Baseband Attacks
    • SMS Commands

    System

    Operating System

    • Encryption Management
    • Jailbreaking
    • OS Data Caching
    • Data Access
    • Carrier-Loaded Software
    • Zero Day Attacks

    Network

    Communication Channels

    • Weak Wi-Fi encryption
    • Rogue access points on the network
    • Packet sniffing
    • Replaying information on the network (replay attacks)
    • Session hijacking
    • DNS poisoning
    • Fake SSL certificates

    Back-End

    WEB Server

    • Platform Vulnerabilities
    • Incorrect Server Configuration
    • Cross-Site Scripting
    • Weak Input Verification
    • Password Capture

    Database

    • SQL injection
    • Privilege Escalation
    • Data Dumping
    • Web sites that users frequently log in
    • Data Management
    • Authorized Entries


    Istanbul Headquarters

    Esentepe Mah. Büyükdere Cad. Tekfen Kulesi 8. Kat Levent 34394 Şişli/İstanbul

    Tel: 0 212 371 8668

    Ataşehir Operation Center

    Vedat Günyol Cad. Flora Plaza 23. Kat Ofis No: 2302 Ataşehir/İstanbul

    MEA Region Office – Dubai

    Emirates Towers, Sheikh Zayed Road, Level 41, PO Box: 31303 Dubai/UAE

    Tel: +971 4 319 7359

    info@sibertis.com.tr