Generally, the team will start with an initial connection to the cloud services over the Internet or via an authorised VPN connection, and explore further as they gain more understanding of the client’s specific service provision.
The specific steps will depend on the cloud service type, the features used by the client, and the degree to which features are exposed to the Internet or internal users.
Generally, the team will start with a connection to the internal network, a low-privileged user account, and a typical workstation provided by the client. Depending on the scenario, the team may also have the ability to use a dedicated suite of tools to more rapidly assess the internal network, and may be provided with a limited amount of privileged information, such as a network diagram.
The specific approach taken will depend on the app and the client’s specific requirements, but will generally be based on the OWASP Mobile Security Testing Guide.
The objective is to test the effectiveness of an organisation’s security posture across the full spectrum of its defensive cyber security portfolio. This will typically require close interaction with internal security or incident response teams to ensure that scenarios are carefully planned and executed.
Due to the entirely custom nature of these engagements, it is not possible to provide further details here; rather, a specific engagement will be devised on request for each client.
Typical exercises include email-based and telephone-based phishing, attempted physical intrusion through deception and masquerading, and use of public information to elicit exposure of private or commercially sensitive information.
Where permitted as part of the engagement, crafted attachments or spoof websites may be used to obtain internal access or user credentials, and fake social media profiles may be generated to support an assumed identity.
This exercise will often be most effective when combined with Internet and social media profiling.
Generally, the team will start with an initial connection to the website over the Internet. Depending on the scenario, the team may have accounts provisioned for them by the client, which they can use to test the website(s), or they may register accounts themselves.
It is common for this type of testing to be performed against a dedicated copy of the website(s); however, the consultant teams are also experienced in testing against live, production environments.