An IT security audit makes it possible to detect a company's main vulnerabilities and to prioritise the actions to be taken to improve its level of cybersecurity.
An overall approach to cybersecurity involves a risk analysis, the definition of a security policy, the implementation of procedures, as well as penetration tests to evaluate the effectiveness of the protections put in place.
For a more concrete approach, the pentest phase itself can help identify the main risks for the company and propose a plan of action. In this case, pentests encompass a wide range of techniques, in order to reproduce attacks that are commonly directed against companies.
By definition, this type of security audit does not have a defined scope at the outset: the security auditors (pentesters) will determine the test targets themselves, according to the reconnaissance phase carried out during the audit.
The objectives of the audit are adapted to the context of the company, based on the risks common to any information system: data confidentiality, data integrity and service continuity. Other types of risk not specific to information systems, such as financial transactions and brand image, also have to be taken into account.
The first step is to validate the purpose and conditions of the security audit. It is possible to perform an external security audit and an internal security audit, or only one of them.
The security audit may cover all risks, with technical and social engineering tests, or it may be limited to technical tests only.
The company that commissions the audit may place restrictions on certain types of tests. Apart from any such restrictions, the company authorises the pentesters to reproduce a realistic cyber attack within a fully legal framework. An emergency communication plan is put in place, as well as back-up procedures.
The results of the audit allow the company's strengths and weaknesses to be identified in the event of a cyber attack, and the security measures to be adapted accordingly.
An external security audit consists of targeting all the elements that are visible to a remote attacker: IP addresses, mail servers, VPNs, web servers, staff members who can be contacted by email or telephone, etc.
The reconnaissance phase is used to identify the attack surface, not to make an exhaustive list of the elements exposed, but to decide pragmatically which attacks are most likely to succeed.
The offensive phase is the major part of the audit. By identifying and exploiting the vulnerabilities present, the client who commissions the audit can be provided with very concrete feedback concerning the types of vulnerabilities identified, their impact, the level of criticality and corrective solutions.
An internal security audit targets the elements exposed on an internal network, while trying to bypass access-control levels, compromise the information system (IS), trap users, etc.
The reconnaissance phase identifies the elements exposed on the network before moving on to the offensive phase.
Apart from the computer network, the pentest can target physical access to the company’s premises, by picking conventional locks or searching for vulnerabilities on electronic locks (RFID, biometric or connected locks).
The pentest can target the company’s employees through various social engineering techniques: internal phishing, malicious USB keys, fraud and face-to-face manipulation, etc.
Our white paper "How to define the scope of a pentest" gives you pointers for defining the scope and a pentest strategy. It brings together the key points resulting from our discussions with around 200 companies.
Office 365 is a solution used by many companies. It is a sensitive element because of the type of information obtained by an attacker who gains access to a user account, or even administrator rights.
The purpose of testing Office 365 is to detect weaknesses in its configuration that would allow an external or internal attacker to perform malicious actions. This includes black box tests (without a user account) and grey box tests (from a standard user account).
Key numbers
56% of organizations were victimized by a ransomware attack in 2018 (2019 Cyberthreat Defense Report, CyberEdge Group, p. 14).
17% of all sensitive files of a company are accessible to every employee (2019 Global Data Risk Report: Data Gets Personal, Varonis, p. 4).
85% of attacks were financially motivated (2019 Incident Response Insights Report, SecureWorks, p. 6).
There are various ways for criminals to make money from a cyberattack, such as: "using systems to mine cryptocurrency they can sell, encrypting files and demanding ransom, gaining access to bank accounts to steal money, or stealing personal or credit card data that they can sell."
Our range of pentests
We cover a wide technical scope, with specific tests for each type of target. The exact area to which the pentest is applied is defined either directly according to your security priorities, or after a reconnaissance audit phase that identifies the parts most at risk from the viewpoint of an attacker.