Information pack



Xyone Cyber Security provides a comprehensive range of penetration testing services as well as consultancy and awareness training in cyber security. We work with SMEs, public sector organisations and larger corporates looking to protect their business and enhance the overall security of their web applications and internal IT systems. Our qualified team will help you to identify and manage risks around your various data assets to give you, your employees and your customers much greater peace of mind.

Xyone has an in-house team of qualified security professionals, including Certified Ethical Hackers, who undertake the majority of our pen testing services. In addition to this, we have a network of partners and associates who work with Xyone to assist in the delivery of our large-scale or more specialist projects. Our extended team allows Xyone to offer a joined-up approach to the provision of cyber security services, allowing us to offer an enhanced response to the requirements of our clients. Xyone Cyber Security has secured a strong working relationship with Security Lancaster at Lancaster University, one of eight Cyber Security Centres of Excellence in the UK. This relationship allows Xyone to contribute to research projects at Security Lancaster by providing real market testing and examples, as well as allowing Security Lancaster to better respond to the needs of the market. The extent of the relationship will be to co-host events and training, to develop cutting-edge cyber security tools, and to transfer skills by assisting PhD student interns to develop their industry skills in a working business whilst undertaking their Doctorates.

Xyone Cyber Security operates a professional and transparent approach with its clients, providing extensive services that test against all types of sophisticated hacking methods. This provides a platform that determines the stages and levels of investment each client should consider in order to increase their security best practice. We pride ourselves both on customer service and the energy, flexibility and commitment we place in each client relationship. We believe such relationships are imperative in order to understand both the initial and changing business needs of our clients.


Xyone has a strong emphasis on the production and delivery of sustainable, quality services and is currently working towards achieving ISO 27001 certification. We are proud to present a team of qualified professionals with a number of accreditations across cyber security service provision. These accreditations include CEH (Certified Ethical Hacker), CISSP (Certified Information Systems Security Professional) and CCIE (Cisco Certified Internetwork Expert). We are currently undergoing assessment to become CREST (Council for Registered Ethical Security Testers) accredited and to be placed on the CESG Listed Adviser Scheme.

Xyone's assessment methodology includes structured review processes based on recognised "best-in-class" practices as defined by methodologies such as ISECOM's Open Source Security Testing Methodology Manual (OSSTMM), the Open Web Application Security Project (OWASP) and the ISO 27001 Information Security Standard. The objective of the analysis is to simulate an attack in order to assess the Company's level of resistance, discover weak links and provide recommendations and guidelines for the vulnerable entities discovered. The report contains sub-sections; each sub-section discusses in detail all relevant issues and avenues that could be used by attackers to compromise systems and gain unauthorised access to sensitive information. Every issue includes an overview, details of what was found and security guidelines which, if followed correctly, will protect the confidentiality and integrity of the systems and applications.


Web Application Penetration Testing: Xyone uses the Open Web Application Security Project (OWASP) Testing Guide V3.0 for conducting penetration tests of web-based applications. The active test is split into 9 sub-categories for a total of 66 controls: Configuration Management Testing, Business Logic Testing, Authentication Testing, Authorisation Testing, Session Management Testing, Data Validation Testing, Denial of Service Testing, Web Service Testing and Ajax Testing. The information obtained from the information gathering phase allows us to search for vulnerabilities or exploits that might not be covered by the above controls but could still be used to penetrate the system.

Network Penetration Testing: Network Penetration Testing (Pen Testing) goes beyond vulnerability scanning: it evaluates the security of a system and attempts to expose and exploit its vulnerabilities and weaknesses. Working through known security weaknesses, our CEH-certified testers will attempt to branch out and gain further access to other applications, databases and resources, without causing any disruption or damage to systems and processes. Once testing has been conducted, all weaknesses and vulnerabilities will be validated and appropriate recommendations will be made.

VOIP (Voice Over IP) Penetration Testing: Threats posed include the capturing of inbound and outbound calls through network manipulation, the recording of or listening in on calls, gaining access to the internal network through the voice VLANs, and the use of your network to make outbound calls at a cost to you (toll fraud). VoIP services are often operated outside of normal network security controls to facilitate the correct operation of the devices. Xyone has experience in securing SIP and H.323 endpoints so that they operate correctly whilst at the same time affording peace of mind against toll fraud. Using a variety of techniques, our consultants will assess and evaluate your VOIP deployment and provide a detailed feedback report on your security, plus recommendations for handling any issues and vulnerabilities.

Mobile Penetration Testing: The mobile infrastructure of an increasing number of organisations continues to grow in sophistication through the implementation of new platforms and the proliferation of new mobile applications. With many of these applications enabling users to access valuable and critical data and interact with your organisation's IT systems, protecting your assets through effective security is critical. Providing employees with mobile computing solutions, new smartphone technology and everything they need to carry out work at home or on the go, wherever they are, presents a number of security challenges in the process. Identifying, evaluating and covering off the risks and vulnerabilities of your mobile applications should be an essential part of your security coverage.

Cloud Penetration Testing: Your company's reputation, customer trust, intellectual property, sensitive data and compliance status can depend on the security of your cloud-based infrastructure just as much as they do on your in-house IT environment; therefore it is important that security is paramount when choosing a cloud services provider. Xyone is able to perform penetration testing services on data hosted in the cloud; however, permission is required from the service provider for this to go ahead. The penetration test is undertaken against the same principles as the web application and network penetration tests, against the relevant infrastructure and software, but makes allowances for the data being housed in a shared environment and the potential compromises that this brings about. With this in mind, it remains the responsibility of the user to continuously maintain and test the security of the operating systems and applications you run on a cloud hosting service.

Database Penetration Testing: Database servers often hold your most valuable assets, such as sensitive customer data, card details, product and pricing data, employee records, blueprints, intellectual property and supplier information. Should this data end up in the wrong hands or be compromised in other ways, the cost, both financially and to an organisation's reputation, can be very high. Ideally this form of testing should be done on a regular basis and not just at the point of going live with a new database. Xyone's qualified consultants will be able to highlight how good your security is and, if any exist, what type of vulnerabilities are present, using a range of best practice methodologies and our own additional techniques.

Retest: It is vital that our clients undertake a retest as part of their penetration test service. This is to ensure that all vulnerabilities have had the necessary controls applied and are no longer at risk of exploitation. A retest will be quoted within our proposal documentation and will cover all of the areas we originally identified as risks in the original penetration test report. A retest will be conducted at an agreed date after the wash-up meeting has occurred, to allow time for issues to be remedied, and will usually take up to one day to run the scan and prepare the report of findings.


The process for how we scope a project is as follows:

On completion of the work, we will present our findings in a report, to be delivered alongside a meeting or teleconference. We provide two reports to ensure the information is easily digested by all personnel. The findings of the report are presented through the categorisation of the threats found, into high, medium and low priority.

High Level Management Report: The first document, which is aimed at a management audience, provides a high level review of the Web Application. This document details all of the vulnerabilities found, along with a brief description of any exposures that exist in the infrastructure. Xyone pays particular attention to describing the business risks so as to help in the qualification process of deciding how to prioritise any fixes. Xyone concludes the document by making recommendations on how the overall web application could be improved to make it as secure as possible.

Technical Report: A second document contains more in-depth technical detail of the vulnerabilities that exist within the Web Application. This document is aimed at a more technical audience and provides details on how to implement all recommended fixes. This may include configuration recommendations and information on secure coding techniques and input validation controls.


Services                              Day Rate   Average days*   Retest (x1 day)   Example Total
Web Application Penetration Testing   £750       3 days          £750              £3,000
Network Penetration Testing           £750       5 days          £750              £4,500
Database Penetration Testing          £750       3 days          £750              £3,000
Cloud Penetration Testing             £1,000     3 days          £1,000            £4,000
Mobile Penetration Testing            £750       3 days          £750              £3,000
VOIP Penetration Testing              £1,000     5 days          £1,000            £6,000

Example: Web Application Penetration Testing – 3 days at £750, plus £750 retest = £3,000

*Please note: our guideline pricing structure is based on an average number of days per test in our experience. This is subject to change on conducting a project scoping exercise, as the length of the test will depend on the size of the infrastructure, number of IP addresses etc. These variables will influence the proposed total following the scoping exercise.


