Security Audits

Best practice in security management recommends the periodic review of systems and, in particular, specialised audits that evaluate the real risk of security incidents that could negatively affect the organisation.

As a general rule, auditors aim to identify and reduce risk by analysing:

  • Improvements in security to be applied to system architecture.
  • Vulnerabilities in information systems.
  • Unauthorised access to confidential information.
  • Possible unauthorised modification of confidential information.

Auditing services are usually carried out remotely, based mainly on:

  • Analysing the information visible on the internet, both details of the systems themselves and the kind of information that may attract the attention of a potential attacker.
  • Analysing the vulnerabilities detected in the systems, taking into account the penetration and intrusion techniques used in attacks on information systems.
  • Carrying out real evaluation tests on the information systems from the internet.

Vulnerability Assessment

Because new vulnerabilities emerge continually, best practice calls for periodic reviews of a system's vulnerabilities.

A vulnerability assessment aims to identify, prioritise and resolve potential vulnerabilities and configuration errors in information systems.

Ackcent employs the best technical analysis tools on the market. The results obtained are meticulously reviewed, filtered and categorised by the experts in Ackcent's Red Team.

Ackcent's vulnerability assessment includes the analysis of vulnerabilities at the following levels:

  • Web applications
  • Mobile applications
  • Communications networks
  • DMZ network elements
  • Cloud infrastructure

Pentesting

Penetration tests aim to review the effectiveness of an organisation's defences, including its defence and detection technology, its processes and the coordination of its people, through a simulation that recreates the actions of a real attack, following the sequence of stages known in the industry as a kill chain.

This service reveals to what extent a possible hacker could obtain confidential information or carry out an attack by exploiting a system’s weaknesses.

Specifically, the provision of these services includes the following phases:

  • Collecting information on the digital assets included in the scope of the assessment.
  • Analysing services that are visible on the internet or on an internal network.
  • Analysing external and internal vulnerabilities.
  • Exploiting the vulnerabilities and compiling proof of penetration.
  • Post-exploitation actions.

Mail

From a security perspective, mail is one of the first vectors targeted by attackers attempting to cause security incidents. Because it is accessible to all types of users, it is the ideal channel for propagating harmful software (malware) across the internet.

This makes it of the utmost importance to secure it and, in particular, to carry out audits that analyse this function in depth, checking for configuration errors and vulnerabilities at different levels.

Security audits performed by Ackcent include security tests at different levels:

  • At the architecture level, checking that mail transport and delivery systems are located in the correct area of the network.
  • Hardening of mail servers and applications in line with corporate policies.
  • A review of the security of the administration of the service.
  • Mail security tests.
  • Security tests at the user level.

Mobile Applications

The development of mobile communications, devices and wireless technology in recent years has revolutionised the way we work and communicate. The growing use of these technologies makes mobile devices one of the prime targets of cyberthreats.

The aim of security audits is to provide a series of recommendations based on the following types of tests:

  • A security analysis that includes a general evaluation of the security of the client’s applications.
  • External analyses from the internet.
  • Reconnaissance tests of the network from the internet (internal network, remote nodes and external nodes that are visible from the internet).
  • Permissions analysis of mobile applications.
  • Communications analysis of mobile applications.
  • Identification of vulnerabilities at the application level through static analysis of the binary code and dynamic analysis through code injection.
  • Analysis of the source code of the application.

Code analysis

The aim of this service is to prevent, detect and correct security weaknesses at the code level. These include coding errors, logic errors, incomplete requirements and unusual or unexpected runtime errors.

Code analyses can be carried out on applications developed by both internal development teams and by external providers.

The code reviews carried out by Ackcent include different types of analysis and use the best tools available on the market:

  • Static analysis (SAST): analysis of the source code, binaries and bytecode in order to detect possible vulnerabilities.
  • Dynamic analysis (DAST): analysing the running application in a working environment.
  • Interactive analysis (IAST): combining the SAST and DAST approaches.

Systems

System audits consist of security tests designed to analyse the degree of exposure of systems and the weaknesses and vulnerabilities that are visible and exploitable from the internet.

Generally speaking, system audits include the following measures:

  • Tests to identify hosts, network topology, operating systems, services provided, mechanisms of access control, access services and the interaction between these systems.
  • Attempts to access the information stored in database systems.
  • Intrusion testing: attempts to access files, file permissions and authentication parameters.
  • Testing configuration reliability.
  • An analysis of security protocols: E-mail (SMTP, POP3, IMAP), File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP).
  • A review of perimeter security (Firewalls).
  • IP Spoofing.
  • Scanning of TCP and UDP ports.
  • SQL Injection: infiltrating malicious SQL code into databases and/or applications.
  • Testing for the presence of “backdoors” through their detection and exploitation.

Infrastructure

Manufacturers and integrators of infrastructure equipment tend to configure it in a way that makes it easy to deploy.

That is why it is advisable to carry out security analyses at the infrastructure level in order to detect security weaknesses such as:

  • Ports and services that are open by default.
  • Accounts and credentials configured by default.
  • Vulnerable protocols.
  • Unnecessary installed software.

Reviewing and hardening service and system configurations is an effective way to prevent attacks that take advantage of the known configurations and vulnerabilities of infrastructure equipment.

Infrastructure audits include an exhaustive review of the configurations of firewalls, routers and switches against secure configuration baselines at the infrastructure level.
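As an added illustration of what a configuration review against a secure baseline looks like in practice (example code written for this page, not Ackcent's own tooling), the script below checks a device inventory for the four weakness classes listed above: listening ports outside the role's baseline, cleartext or legacy protocols, factory-default credentials and software the device does not need. The inventory, the per-role port baseline, the protocol list and the credential list are all constructed for the example and are not a real standard.

```python
"""Configuration review of network equipment against a secure baseline.

Added example, not Ackcent's own tooling. It models the weakness classes the
page lists (ports/services open by default, default credentials, vulnerable
protocols, unnecessary software) as checks over a device inventory. The
inventory and every baseline value below are constructed for illustration.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    device: str
    category: str
    severity: str
    detail: str


@dataclass
class Device:
    name: str
    role: str
    open_ports: dict  # port number -> service name, as seen in a scan
    accounts: list  # (username, password) pairs from the config export
    software: set  # installed packages / enabled features


# Assumed baseline: which listening ports each device role may expose.
ALLOWED_PORTS_BY_ROLE = {
    "router": {22, 443},
    "switch": {22},
    "firewall": {22, 443},
}

# Assumed baseline: cleartext or legacy protocols a hardening review expects disabled.
INSECURE_PROTOCOLS = {"telnet", "ftp", "tftp", "http", "snmpv1", "snmpv2c"}

# Constructed list of factory-default credential pairs to compare against.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}

# Constructed list of software that has no place on a production network device.
UNNECESSARY_SOFTWARE = {"telnetd", "tftp-server", "ftpd"}


def review_device(dev: Device) -> list[Finding]:
    """Compare one device against the baseline and return every deviation."""
    findings: list[Finding] = []
    allowed = ALLOWED_PORTS_BY_ROLE.get(dev.role, set())

    for port, service in sorted(dev.open_ports.items()):
        if port not in allowed:
            findings.append(Finding(dev.name, "unexpected_port", "medium",
                                    f"port {port}/{service} not in {dev.role} baseline"))
        if service in INSECURE_PROTOCOLS:
            findings.append(Finding(dev.name, "insecure_protocol", "high",
                                    f"{service} on port {port} transmits without encryption"))

    for user, password in dev.accounts:
        if (user, password) in DEFAULT_CREDENTIALS:
            findings.append(Finding(dev.name, "default_credentials", "critical",
                                    f"account {user!r} uses a factory-default password"))

    for pkg in sorted(dev.software & UNNECESSARY_SOFTWARE):
        findings.append(Finding(dev.name, "unnecessary_software", "low",
                                f"{pkg} installed but not required for role {dev.role}"))
    return findings


def review_inventory(devices: list[Device]) -> list[Finding]:
    """Run the baseline review over the whole inventory."""
    return [f for dev in devices for f in review_device(dev)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category so remediation can be prioritised."""
    return dict(Counter(f.category for f in findings))


# Constructed sample inventory standing in for a port scan plus a config export.
SAMPLE_INVENTORY = [
    Device("core-rtr-01", "router",
           {22: "ssh", 23: "telnet", 80: "http", 443: "https", 161: "snmpv2c"},
           [("admin", "admin"), ("netops", "L0ng-Random-Passphrase")],
           {"sshd", "telnetd"}),
    Device("access-sw-02", "switch",
           {22: "ssh"}, [("netops", "Another-Long-Passphrase")], {"sshd"}),
    Device("edge-fw-01", "firewall",
           {22: "ssh", 443: "https", 69: "tftp"},
           [("root", "root")], {"sshd", "tftp-server"}),
]

if __name__ == "__main__":
    results = review_inventory(SAMPLE_INVENTORY)
    for f in results:
        print(f"[{f.severity:8}] {f.device}: {f.category}: {f.detail}")
    print(summarize(results))
```

Each deviation is reported under its own category with a severity, so a port that is both outside the baseline and carrying a cleartext protocol produces two findings; the summary then shows at a glance which weakness class dominates the estate. In a real engagement the baseline sets would come from the organisation's hardening standard and the inventory from the scan and configuration exports collected during the audit.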

Networks

Auditing the elements of a network involves testing the security of the ports, protocols and services of an organisation’s internal and external networks with the aim of minimizing possible windows of exposure to attacks.
Generally speaking, network security audits include the following analyses:

  • An analysis of the vulnerabilities of communications equipment and tests of visibility from different segments of the network.
  • Security tests of WAN, LAN, firewall, VPN, Wi-Fi and SCADA networks.
  • A review of the global configuration of the network and its visibility.
  • A review of the configuration of the LAN network and its visibility.
  • An analysis of the configuration of firewalls and, in particular, their rules and active policies and the degree of security they provide.
  • An analysis of the configuration of VPN services, unauthenticated attacks and VPN service intrusion tests.
  • A review of logs at the network level.

Cloud

The security audits carried out by Ackcent are based on our experience in the design, management and continuous operation of critical systems and applications on Cloud platforms.

Our designs and architectures are based on market leading security products and the best practices currently available.

The use of cloud technologies offers advantages in scalability and flexibility that make applications easier to deploy, including for their developers. However, their characteristics complicate the governance model and the implementation of the security mechanisms typically found in on-premises infrastructure.

For that reason, Ackcent works to make your architecture secure from the earliest phases of its design, while offering continuous analysis of your services to ensure that all known security controls are in place in your cloud environment.

The assessments carried out by Ackcent include different types of analysis:

  • The analysis and design of the architecture from the security perspective.
  • The analysis of authentication and authorization controls of cloud-based resources.
  • The inventory and control of implemented resources.
  • A security assessment of the control mechanisms and configurations used.

SAP

The team at Ackcent carries out SAP server audits at the level of infrastructure, software components and configuration in order to detect software vulnerabilities and erroneous configurations.

The team also performs assessments to ensure compliance with current regulations and best practices, including SAP ISACA, DSAG and OWASP-EAS.

Configuration analyses and assessments focus mainly on:

  • Security-related system parameters.
  • External accesses.
  • Encryption of communications.
  • Database level assessments.
  • SAP component review: config, critical access to RFC procedures, tables…
  • Code review using a static source code analysis (SAST) tool developed specifically for ABAP: the ABAP Code Review Tool.
  • Generic code vulnerabilities.
  • Specific SAP vulnerabilities.
  • A review of users, roles and privileges.

Internet of Things (IoT)

The amount of information transmitted at the IoT level continues to grow, and with it the degree of security risk, making it another part of the attack surface of infrastructures.

Ackcent has a team of IoT security specialists who assist in the analysis and management of risk in IoT networks, reviewing the security of IoT infrastructures and networks end to end.

In particular, our audits focus on the security review of the following aspects:

  • Identifying assets:
    • An analysis of the visibility of IoT devices on business networks.
    • The review and configuration of an IoT asset database.
  • Device management:
    • The provisioning and management of secure, encrypted passwords.
    • Accessibility management, identity access, and rapid and secure scalability.
    • Policies for the secure periodic downloading of software, patches, updates and other data.
  • Endpoint and data security:
    • Endpoint protection.
    • Anti-tampering functions.

Medical Devices

The continuous development of new technologies and standards for medical device providers is creating new operational management paradigms and models focused on patients and health monitoring systems.

In January 2016, the United States Food and Drug Administration (FDA) published new directives on cybersecurity that aim to keep patients safe and provide better protection for public health in the field of medical devices.

The services provided by Ackcent are in line with FDA recommendations to implement an integrated, structured, systematic management program for cybersecurity risks that allows for the effective management of the vulnerabilities identified in devices.

Car hacking

The emergence of new developments in intelligent mobility and connected vehicles is a great opportunity for the automotive industry. What these new opportunities share is that the design of new motor vehicles incorporates an ever greater number of components based on software and connected technologies.

Ackcent has a security team that contributes to the development of the secure intelligent vehicle sector by incorporating security into the design of intelligent vehicles. The security services known internally as Car Hacking services focus on the review of security risks associated with innovation in the sector.

Industry 4.0 (SCADA)

It is sometimes necessary to carry out technical audits in environments that are uncommon or inherently difficult to test, such as the networks of industrial systems.

Ackcent has extensive experience in this type of environment, in which the use of proprietary management tools and of legacy communication protocols, such as those found in SCADA systems, requires highly specialised methodologies, tools and procedures.

SCADA audits allow for a detailed analysis of the attack surface of industrial control systems, based on the analysis and detection of vulnerabilities in the systems of which they are composed.