Security assessment
We help organizations of all sizes and from all sectors identify vulnerabilities in their information systems, and we offer pragmatic recommendations to help them correct those vulnerabilities.
Penetration test
Penetration testing makes it possible to assess the security level of a perimeter using the same tools and methods as a real attacker. The following scenarios may be implemented:
“Black box”
The auditor only has the URL of the web application.
Objective: Evaluate the robustness of the application against an unknown attacker who has no information and no authorization (e.g. segregation of customer data).
“Gray box”
The auditor has user accounts that represent real-world usage profiles.
Objective: Identify vulnerabilities that an authenticated user could exploit (for example, weaknesses in segregation between users).
OWN carries out its penetration tests using the OWASP and OSSTMM methodologies. Possible scopes: web and mobile applications, thick clients, internal networks, embedded systems, IoT, etc.
RED TEAM support for DORA regulations
Are you a financial entity or a service provider to a financial entity?
DORA regulations require you to conduct Threat-Led Penetration Tests (TLPT).
The Red Team builds on the work carried out by the Threat Intelligence team and draws on the scenarios it proposes.
This exercise targets the processes, systems in production and personnel of the audited entity.
The Red Team complies with DORA regulations.
Cyber audit for SMEs and mid-sized companies
This service may be eligible for subsidies (cybersecurity diagnostics, Cyber PME).
We carry out global assessments of a structure's level of risk, based on a technical and organizational review of the information system.
Based on our experience, we have developed a range of services and a specific support methodology tailored to today's security issues.
Red Team
The objective of a red team exercise is to simulate a group of attackers seeking to compromise an information system using advanced means (lateral movement, privilege escalation, etc.).
Information gathering: The first phase consists of gathering a large amount of information about the organization and the company's information system.
It involves analyzing the target's digital footprint through its publicly accessible technical identifiers.
Once this information has been obtained, tools specific to the engagement may be developed in order to obtain and maintain access to the internal network or to SaaS applications (Google Workspace, Microsoft 365, etc.).
This includes developing fake authentication pages (phishing) and malicious tools that can be executed during phase 3.
Attempts to access confidential resources can be made using user accounts retrieved during targeted phishing campaigns.
In addition, physical intrusion attempts can be made by manipulating reception staff and copying access badges. Finally, access to the WiFi network from outside the building can also be tested.
Various actions simulating an attacker wishing to maintain access to the network will be carried out. These include creating a user account, opening outbound network flows, deleting traces, etc.
All our services
Our services are PASSI-RGS qualified across all audit ranges.
Analysis of the construction of an infrastructure in relation to its security needs and best practices
- Study of the technical architecture file and network diagrams.
- Interview with operational staff in charge of the perimeter.
- Operational checks and configuration reports of critical elements of the architecture.
Two phases:
- Complete source code analysis with an automated tool.
- Manual inspection of sensitive code portions, adding a business-logic perspective that is not accessible to a machine. Areas such as the authentication system, session management, access rights, and form processing are examined in particular.
Analysis of whether the security configuration of a device complies with a best-practice reference.
The review is based on a configuration extract, produced manually by the administrator or automatically with a script.
The aim is to determine whether the level of hardening currently in place is consistent with the state of the art or with company policy.
OWN carries out its configuration reviews against CIS, ANSSI or NIST benchmarks, or against standards internal to the audited organization. The choice of reference framework is validated jointly during the kick-off meeting.
The objective of an organizational audit is to identify gaps with respect to a reference framework.
Our organizational and physical audits are generally based on the international standard ISO/IEC 27002, Information Security - Code of Practice for Information Security Management.
This standard provides a catalogue of 114 security controls spread across several themes (see list below), intended to preserve the confidentiality, integrity and availability of a company's information system.