Solutions

We have been helping our customers work proactively with security since the company's founding in 1997. We have performed thousands of security analyses and are constantly developing our security products (the Secure IT product family). If you know where the risks are, you can plan how to avoid them.

You can better utilize your resources, your time and your budget to achieve maximum results in a safe and stable environment!

For more than 20 years we have developed and delivered hundreds of solutions based on the Secure IT platform. Our consultants are experts on the Secure IT platform and can guide you on how best to implement a Secure IT solution. Use us to ensure that your Secure IT solution works optimally; our team of experts will make sure your project succeeds.

Below is a selection of the packaged solutions we offer:

The EU's data protection reform (GDPR)

The reformed data protection legislation consists of two parts: an EU regulation that applies to everyone except the police (and other law enforcement agencies) and an EU directive that applies only to the police (and other law enforcement agencies).

Because it is an EU regulation, the rules apply directly as law, and in the same way, in every EU Member State. The regulation replaces the EU's data protection directive of 1995 and, once in force, national rules such as the Swedish Personal Data Act. It applies in Sweden, as in the other Member States, from May 25, 2018.

New requirements apply to companies, authorities and other organizations that collect personal data. Should an organization suffer a data breach or otherwise lose control over personal data, it must notify the Data Inspectorate (Datainspektionen) and, if the incident is serious, also the persons the data concern. An incident is serious if the leaked information could expose people to discrimination, identity theft, fraud or financial loss.

If an organization intends to process personal data in a way that can pose high privacy risks, it must first assess the consequences of the planned processing for the protection of personal data, a so-called data protection impact assessment (DPIA). For most companies this work should already be under way, since practically every company handles personal data in the form of information about its employees.

Secure IT AB can assist with both the technical and the practical parts of the impact assessment, and can inform about and produce the supporting documentation for it in accordance with the recommendations of the EU data protection reform regarding reporting to the Data Inspectorate.

The Data Inspectorate has published 13 points that describe the EU's data protection reform at a fundamental level to prepare those responsible for personal data in companies. In brief, the points are:

  • Is your organization aware of the EU’s new data protection regulation?
  • What personal information do you handle?
  • Do you rely on the Personal Data Act's abuse rule (missbruksregeln) today?
  • What information do you provide?
  • How should you comply with the rights of the data subjects?
  • With what legal support do you process personal data?
  • How do you obtain consent?
  • Do you process personal data on children?
  • What should you do in case of personal data incidents?
  • What specific privacy risks are there with your processing?
  • Have you built in personal data protection in your IT systems?
  • Who is responsible for data protection issues in your organization?
  • Do you have operations in several countries?

Secure IT can assist, both technically and practically, with briefings and impact assessments on the following points in particular:

  • Is your organization aware of the EU’s new data protection regulation?
  • What personal information do you handle?
  • How do you obtain consent?
  • What should you do in case of personal data incidents?
  • What specific privacy risks are there with your processing?
  • Have you built in personal data protection in your IT systems?
  • Who is responsible for data protection issues in your organization?

The technical part of an impact assessment is carried out with tools that realistically emulate different types of attacks, which makes clear what kinds of risks the storage of personal data carries, regardless of system and purpose, and how those risks can be managed in the simplest and most effective way. The practical part is delivered as a seminar and followed up with checklists.

In-depth Vulnerability Assessments

Using vulnerability analyses, we can check the security of a network from many different angles. We perform vulnerability analyses internally in wired and wireless networks, externally against and through firewalls, and of different types of applications and server environments. We then present a report on the security status of the analyzed systems together with improvement measures.

Our customers perform vulnerability analyses regularly to detect and correct new security vulnerabilities caused by changes in the outside world and in their internal environment. The analyses form the basis for continuously following the technology developments that affect the IT environment, where deficiencies can quickly harm stability.

The analyses also serve as decision support for management and for the IT department, and are useful before and during change projects as well as in the daily operation of IT environments and systems.

Load analysis and network monitoring

If one or more systems become slow without any obvious reason, creating the frustration of not being able to work normally, a load analysis can be used to investigate the root causes.

Testing performance and availability in wired and/or wireless systems with various network monitoring tools gives a picture of the type of traffic passing through the network. The results are analyzed to identify unnecessary traffic and possible conflicts, and to prevent unauthorized communication.

Have you experienced that performance and availability in your wired and/or wireless systems are not what you expected?

We often perform network monitoring as an analysis of the type of traffic passing through the network. When we do these analyses, we review the results to identify unnecessary traffic and any conflicts that may arise. We check the result against a list of approved traffic in order to detect and prevent unauthorized communication in the network, for example from viruses or Trojans.

Network monitoring results in a report on the security status of the analyzed systems together with suggested improvement measures.

To investigate performance and availability problems in your wired and/or wireless systems, a load analysis gives us a picture of the type of traffic passing through the network. The result is then analyzed to identify unnecessary traffic and any bottlenecks caused by under-sized hardware.

A load analysis gives you a picture of how the analyzed systems are affected, and the report also proposes improvement measures.
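The approved-traffic check and the bottleneck ranking described above, as an added example (not Secure IT's tooling, which the page does not show). It assumes flow records already exported from a monitoring tool as (source, destination, destination port, protocol, bytes) tuples, an approved-traffic list of (destination, port, protocol) triples, and an internal address range; all three are constructed here so the code runs offline. It flags flows outside the list, separating egress to external hosts (what a virus or Trojan calling home looks like in flow data) from unexpected internal traffic, and ranks the heaviest source/destination pairs.

```python
"""Approved-traffic check and top-talker ranking over flow records.

Added example, not Secure IT's tooling. Flow records and the approved list
are constructed; in practice they come from the monitoring tool's export.
"""
from collections import defaultdict

# Constructed flow records: (src, dst, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    ("10.0.1.15", "10.0.2.5", 443, "tcp", 120_000),
    ("10.0.1.15", "10.0.2.5", 443, "tcp", 98_000),
    ("10.0.1.22", "10.0.2.7", 445, "tcp", 4_800_000),    # SMB to the file server
    ("10.0.1.31", "10.0.2.9", 53, "udp", 2_300),
    ("10.0.1.31", "198.51.100.7", 6667, "tcp", 51_000),  # IRC to the internet: not approved
    ("10.0.1.40", "10.0.2.5", 8080, "tcp", 9_000),       # unexpected port on the web server
    ("10.0.1.22", "10.0.2.7", 445, "tcp", 3_900_000),
]

# Hypothetical approved-traffic list: (dst, dst_port, proto) triples that are expected.
APPROVED = {
    ("10.0.2.5", 443, "tcp"),   # intranet web server
    ("10.0.2.7", 445, "tcp"),   # file server
    ("10.0.2.9", 53, "udp"),    # internal DNS
}
INTERNAL_PREFIX = "10.0."      # assumed internal address range


def is_approved(flow, approved=APPROVED):
    _src, dst, port, proto, _size = flow
    return (dst, port, proto) in approved


def unauthorized_flows(flows, approved=APPROVED):
    """Flows not covered by the approved list, each tagged with a reason.

    Egress to an external host is separated out because that is what a
    virus or Trojan calling home looks like in the flow data.
    """
    findings = []
    for flow in flows:
        if is_approved(flow, approved):
            continue
        src, dst, port, proto, _size = flow
        if dst.startswith(INTERNAL_PREFIX):
            reason = "internal traffic outside the approved list"
        else:
            reason = "egress to an external host"
        findings.append((src, dst, port, proto, reason))
    return findings


def top_talkers(flows, n=3):
    """Bytes per (src, dst) pair, largest first: where to look for bottlenecks."""
    totals = defaultdict(int)
    for src, dst, _port, _proto, size in flows:
        totals[(src, dst)] += size
    return sorted(totals.items(), key=lambda item: item[1], reverse=True)[:n]


if __name__ == "__main__":
    for finding in unauthorized_flows(SAMPLE_FLOWS):
        print("UNAUTHORIZED", *finding)
    for (src, dst), total in top_talkers(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {total} bytes")
```

On the sample data the check reports the IRC connection to 198.51.100.7 and the port 8080 connection to the web server, and the file-server transfer from 10.0.1.22 tops the byte ranking. A real approved list is usually larger and keyed on destination networks rather than single hosts, but the matching logic is the same.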

Application Testing

If you feel uncertain about how your applications work in terms of security and how they behave under load, you have a lot to gain from doing a basic application test.

When we test security, we work with solutions tailored to the different types of applications in your business. We can run these tests in your operational environment, but we recommend instead running them in a virtual environment, a so-called "sandbox", so that we can check an application's security without affecting the normal environment.

We can also write scripts to test applications you have developed yourselves, for which no off-the-shelf tests exist.

Security control of web applications and validation of code according to Best Practice

We review the source code of in-house developed systems (web applications) from a security perspective. In addition, a validation/quality check is made to ensure that the code follows best practice for how code should be written as securely as possible.

Security testing of the code, and the reporting of it, is carried out as agreed. The usual model for this type of analysis is that the code is lifted into a "sandbox environment" that we provide, or into a suitable test environment of the customer's own. The code is then checked against a set of criteria, and tests and traffic measurements are conducted to identify potential risks in how the system is coded to handle different types of functions and information. From this result, a set of improvement measures and a best practice are produced and presented, giving new or changed routines that keep the continued development work secure.

The purpose of the security test is to ensure that the code produced for in-house developed systems carries no vulnerability or security risks, with a follow-up validation/quality control, based on best practice, of how code should be written as securely as possible. The aim of this check is to propose measures that improve security, and to make you aware of the risks of any detected vulnerabilities, raising the level of security further. This can also lead to changed routines and working methods for coding and for in-house testing of code.

When analyzing web applications, the following types of tests are performed:

  • Identification of vulnerabilities in web applications, web servers and associated databases
  • Tests of all attack vectors in the OWASP (Open Web Application Security Project) Top 10; the category numbers below follow the 2010 edition of the list
  • Traditional SQL injection: tests database calls (OWASP A1)
  • Blind SQL injection: tests database calls (OWASP A1)
  • OS command injection: tests the isolation between web application and operating system (OWASP A1)
  • XSS (cross-site scripting): tests for vulnerabilities that give an attacker control over the user's browser (OWASP A2)
  • Reflected XSS, persistent (stored) XSS and DOM-based XSS
  • Authentication and session management: tests for vulnerabilities in login functions (OWASP A3)
  • Insecure direct object references: tests for unlinked pages, old versions and sensitive URLs (OWASP A4)
  • Cross-site request forgery (CSRF): identifies state-changing functions in the application that can be triggered from another site (OWASP A5)
  • Security misconfiguration: tests the entire chain from web application down to the underlying hardware (OWASP A6)
  • Insecure cryptographic storage: review of cryptography and of certificate and key management/storage (OWASP A7)
  • Failure to restrict URL access: tests for vulnerabilities when accessing sensitive pages such as admin pages (OWASP A8)
  • Insufficient transport layer protection: tests for vulnerabilities in the SSL/TLS configuration (OWASP A9)
  • Unvalidated redirects and forwards (OWASP A10)
  • RFI (remote file inclusion): tests for risks of both remote and local file inclusion
  • Configuration problems with WebDAV, CardDAV etc.
  • Evasion tests against security solutions (firewall evasion, obfuscation, fragmentation, encryption)
  • Checks the strength of the encryption used by the web application
  • "Fingerprinting" to determine whether known vulnerabilities in the identified software can be exploited
  • Dynamically generated test code to check for security vulnerabilities in code and platform
  • Impact description of possible breaches
  • Information gathering to manage vulnerabilities/risks and prevent breaches
  • Information gathering to develop proposals for changed policies for continued development
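Two of the tests in the list above, traditional and blind SQL injection, as an added example (not code from the page or from Secure IT). It uses a hypothetical login function that builds its query from user input with an f-string, beside the parameterized version of the same function, against an in-memory SQLite table with one constructed row. The traditional test comments out the password check; the blind test recovers the stored password using nothing but the true/false result of the login, which is what makes blind injection dangerous even when the application never shows database errors or data.

```python
"""Traditional and blind SQL injection against a hypothetical login function.

Added example, not code from the page. The table and its one row are constructed.
"""
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")  # constructed test data
conn.commit()


def login_vulnerable(user, password):
    """Vulnerable: user input is spliced into the SQL text, so it can change the query."""
    sql = f"SELECT 1 FROM users WHERE name = '{user}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(user, password):
    """Hardened: placeholders; the driver sends values separately from the statement."""
    sql = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (user, password)).fetchone() is not None


def classic_bypass(login):
    """Traditional injection: close the quote and comment out the password check."""
    return login("admin' --", "anything")


def blind_extract(login, user="admin", max_len=32):
    """Blind (boolean-based) injection: the application only reveals whether the
    login succeeded, so each character of the password is confirmed one guess at
    a time through substr() conditions. Returns whatever could be recovered."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            probe = f"{user}' AND substr(password, {pos}, 1) = '{ch}' --"
            if login(probe, "x"):
                recovered += ch
                break
        else:
            break  # no candidate matched: end of the value, or the probe had no effect
    return recovered


if __name__ == "__main__":
    print("bypass, vulnerable:", classic_bypass(login_vulnerable))   # True
    print("bypass, safe:      ", classic_bypass(login_safe))         # False
    print("blind, vulnerable: ", blind_extract(login_vulnerable))    # s3cret
    print("blind, safe:       ", repr(blind_extract(login_safe)))    # ''
```

Against the parameterized version both attacks fail, because the quote and the comment marker arrive as data inside the bound value rather than as SQL. The blind loop is the same oracle technique a scanner uses, only with a far larger alphabet and timing-based conditions when no boolean difference is visible.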

Social Engineering

Test awareness of phishing and other social engineering attacks

The purpose of social engineering testing is to verify that the customer's protection is sufficient to minimize the risk of intrusion via these routes.

A quality control based on best practice is carried out, which forms the basis for any changes or improvements to the systems and routines that were checked. The aim of this check is to propose measures that improve security, and to make you aware of the risks of any detected vulnerabilities, so that the level of security can be raised significantly going forward.

In addition, we recommend that the information collected during these checks be used as a basis for going on to perform internal vulnerability analyses, to proactively prevent new risks and vulnerabilities from arising in the customer's IT infrastructure and routines.

We make it easy for you to evaluate, on a regular basis, your organization's susceptibility to phishing, spear phishing and other social engineering techniques. We replicate email-based attacks to test end users' understanding of your security policy and to identify systems that need patches and other updates. Each test is backed by comprehensive reports that support your compliance initiatives and point to ways of strengthening data security.

We can replicate multi-step attacks that compromise end-user systems through simple initial attacks and then reach backend resources, revealing how chains of exploitable vulnerabilities open paths to business-critical systems and data.

Quick identification of targets for social engineering tests

We use a number of modules to collect email addresses from your organization, including:

  • Crawling a website to harvest addresses published on it
  • Using major search engines to find addresses for a particular domain
  • Scanning online documents for email addresses
  • Finding addresses in PGP key servers and Whois databases
  • Importing lists of email addresses for testing
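The address-harvesting step over a crawled page, as an added example (not Secure IT's module). The HTML is constructed inline so the code runs offline; a real run would feed it the fetched pages. It handles plain addresses, mailto: links, HTML-encoded @ signs and the common "[at]"/"[dot]" obfuscations, and can be limited to the target domain, which is what a phishing test against one organization needs.

```python
"""Harvest email addresses from crawled page content.

Added example, not Secure IT's module. The HTML below is constructed so the
code runs offline; a real run would feed it the fetched pages.
"""
import re
from html import unescape

# Plain addresses; a trailing full stop after the TLD is not captured.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# mailto: links, stopping at '?' so subject/body parameters are not picked up.
MAILTO_RE = re.compile(r"mailto:([^\"'?>\s]+)", re.IGNORECASE)
# Obfuscations such as "name [at] example [dot] com" or "name (at) example dot com".
# The \b anchors keep words like "chat" and "about" from being read as separators.
_AT = r"\s*[\[\(]?\s*\bat\b\s*[\]\)]?\s*"
_DOT = r"\s*[\[\(]?\s*\bdot\b\s*[\]\)]?\s*"
OBFUSCATED_RE = re.compile(
    r"([A-Za-z0-9._%+-]+)" + _AT + r"([A-Za-z0-9-]+(?:" + _DOT + r"[A-Za-z0-9-]+)+)",
    re.IGNORECASE,
)


def harvest(text, domain=None):
    """Return the sorted, de-duplicated addresses found in text.

    If domain is given, only addresses at that domain are kept.
    """
    text = unescape(text)                       # turns &#64; back into '@'
    found = {m.lower() for m in EMAIL_RE.findall(text)}
    found.update(m.lower() for m in MAILTO_RE.findall(text))
    for local, dom in OBFUSCATED_RE.findall(text):
        dom = re.sub(_DOT, ".", dom, flags=re.IGNORECASE)
        found.add(f"{local}@{dom}".lower())
    if domain:
        found = {a for a in found if a.endswith("@" + domain.lower())}
    return sorted(found)


# Constructed page content mixing the address formats seen on real contact pages.
SAMPLE_HTML = """
<html><body>
<p>Sales: <a href="mailto:sales@example.com?subject=Quote">Contact sales</a></p>
<p>Support: support&#64;example.com or helpdesk [at] example [dot] com</p>
<p>Our partner can be reached at partner@partner-site.org.</p>
<p>Press: press (at) example dot com</p>
<p>Do not chat about dot files here.</p>
</body></html>
"""

if __name__ == "__main__":
    for address in harvest(SAMPLE_HTML, domain="example.com"):
        print(address)
```

Run against the sample with domain "example.com", it returns the four example.com addresses and drops the partner's; without the domain filter the partner address is kept too. The last paragraph of the sample exists to show that ordinary prose containing "at" and "dot" does not produce false positives.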

Launch phishing and spear phishing attacks in a controlled way for testing

We can help you test your users' security awareness by replicating realistic phishing attacks, with or without attempting to exploit the endpoint systems.

  • Evaluate security awareness by identifying users who click on links in emails
  • Customize standard phishing templates, or create custom spear phishing emails
  • Set up phishing trap web forms to test the risk of data leakage
  • Test end-user machines for exploitable vulnerabilities and for opportunities to reach other systems on the network

Commercial-grade client-side exploits

Our extensive library of client-side attacks exploits vulnerabilities in:

  • Endpoint programs: e.g. browsers, email clients, instant messaging programs, media players, business systems and productivity tools
  • Endpoint security solutions: e.g. antivirus, anti-phishing, anti-malware, host-based intrusion detection and prevention systems
  • Endpoint operating systems and services: e.g. Windows, Mac, Linux

Our client-side attacks are of commercial quality: we make sure they are up to date, effective and safe for your network. Automated options make it possible to test an endpoint system against a range of client-side vulnerabilities with a single click, quickly and efficiently when an investigation is needed.

Assess the consequences of successful social engineering attacks

  • View the local file system and mapped drives
  • Upload and download files to and from the end-user system
  • Open and interact with files on the compromised system
  • Collect user names and passwords from endpoint applications
  • Take a screenshot of current activity on the end user's desktop
  • Harvest email addresses from email clients
  • Deploy a keylogger that records the user's keystrokes
  • Dump passwords saved in the user's browser
  • Automatically "listen" for clicks, launch attacks, and gather evidence of successful compromise

Pivoting: demonstrate the risks of inside access

We also have network penetration testing capabilities that can use any compromised end-user system as a bridgehead for subsequent testing of other systems on the end user's network, without uploading any code to the machine. This lets you leverage trusted relationships and fully understand the ripple effects that follow when an end-user system is compromised; we replicate the steps attackers actually use in the real world.

Monitor end-user responses and evaluate the need for security training

We can produce simple benchmark reports on awareness and on incident response practices, and report ongoing improvements in the effectiveness of security training for audit and compliance purposes. You can also identify critical, exploitable vulnerabilities that link your organization's endpoints to underlying systems and data.

Among other things, we use the following endpoint and end-user reports:

  • Client-side penetration test report: a complete verification chain for each attack, including e-mails sent, attacks executed, test results (successful or unsuccessful), and compromised system information
  • User report: a report on which links were clicked, when they were clicked, and by whom
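The per-user tracking link from the phishing test and the user report above (which links were clicked, when and by whom), as an added example (not the page's reporting tool). Assumptions not in the original: a hypothetical landing page URL, a per-campaign secret, and web-server access-log lines in common log format, all constructed inline; nothing is sent. The token carries a short HMAC tag so that a guessed or mangled token is counted as rejected rather than attributed to a recipient.

```python
"""Per-recipient tracking links and the resulting user click report.

Added example, not the page's reporting tool. The landing URL, the campaign
secret and the access-log lines are constructed; nothing is sent anywhere.
"""
import hashlib
import hmac
import re
from datetime import datetime

CAMPAIGN_KEY = b"constructed-campaign-secret-rotate-per-campaign"   # hypothetical
BASE_URL = "https://training.example.test/login"                   # hypothetical landing page


def make_token(recipient, key=CAMPAIGN_KEY):
    """Recipient id plus a short HMAC tag; the tag stops guessed ids from being
    counted as clicks and detects tokens mangled by mail gateways."""
    tag = hmac.new(key, recipient.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{recipient}.{tag}"


def tracking_link(recipient):
    return f"{BASE_URL}?t={make_token(recipient)}"


def verify_token(token, key=CAMPAIGN_KEY):
    """Return the recipient id if the tag is valid, else None."""
    recipient, _, tag = token.rpartition(".")   # ids may themselves contain dots
    if not recipient:
        return None
    expected = hmac.new(key, recipient.encode(), hashlib.sha256).hexdigest()[:16]
    return recipient if hmac.compare_digest(tag, expected) else None


# Common log format: client ip, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET /login\?t=([^ "]+) HTTP/1\.[01]" (\d{3})'
)


def click_report(log_lines, recipients):
    """First click per recipient as (time, source ip), or None; plus a count of
    hits whose token did not verify or did not belong to this campaign."""
    report = {r: None for r in recipients}
    rejected = 0
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # other requests to the landing host
        ip, when, token, _status = m.groups()
        who = verify_token(token)
        if who is None or who not in report:
            rejected += 1
            continue
        if report[who] is None:            # keep the first click only
            report[who] = (datetime.strptime(when, "%d/%b/%Y:%H:%M:%S %z"), ip)
    return report, rejected


RECIPIENTS = ["anna.svensson", "bo.karlsson", "cecilia.berg"]

# Constructed access-log lines: two clicks by Anna, one forged token, one unrelated request.
SAMPLE_LOG = [
    f'203.0.113.5 - - [12/Mar/2024:09:14:02 +0100] "GET /login?t={make_token("anna.svensson")} HTTP/1.1" 200 512',
    f'203.0.113.9 - - [12/Mar/2024:09:20:45 +0100] "GET /login?t={make_token("anna.svensson")} HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Mar/2024:09:31:10 +0100] "GET /login?t=bo.karlsson.0000000000000000 HTTP/1.1" 200 512',
    '198.51.100.2 - - [12/Mar/2024:10:02:33 +0100] "GET /robots.txt HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for r in RECIPIENTS:
        print(r, tracking_link(r))
    report, rejected = click_report(SAMPLE_LOG, RECIPIENTS)
    for who, hit in report.items():
        if hit:
            print(who, "clicked at", hit[0].isoformat(), "from", hit[1])
        else:
            print(who, "no click")
    print("rejected hits:", rejected)
```

On the sample log Anna is recorded once, with her first click at 09:14:02 from 203.0.113.5; the forged bo.karlsson token is rejected rather than counted against Bo, and the robots.txt request is ignored. Rotating the campaign secret per campaign keeps old links from being replayed into a later report.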

In addition, we offer a variety of other ways to document your security assessments, including visual attack reports that show the path we took to reach particular information, participant reports, and compliance reports for PCI and FISMA.

Security testing of mobile devices

Penetration test of mobile devices

With our solutions you can detect vulnerabilities in iPhone®, Android™ and BlackBerry® smartphones by using the same attack techniques criminals use today.

By performing penetration tests on mobile devices, you can:

  • Identify and prove that critical data created in or by mobile devices in your environment can be exposed
  • Evaluate the security of new mobile technology before it is put into production
  • Obtain the data needed to demonstrate financial and operational risks
  • Assess end users' security awareness of various social engineering techniques
  • Protect end users from defamation, fraud and blackmail
  • Audit and report on the security of mobile devices to company management and other stakeholders
  • Assess the security of mobile devices before an attacker can exploit their deficiencies

We help you test end users and mobile devices using the following techniques:

Phishing

Lets you send emails and text messages that determine whether your organization's employees would fall victim to phishing and spear phishing attacks by clicking through to malicious websites and/or installing malicious mobile apps.

Web form

Assesses data leakage threats by conducting phishing tests whose links lead to web forms that capture and record user-entered data, e.g. username and password.

False wireless access points

Imitate legitimate wireless access points in an attempt to trick users into connecting their devices to them.

Wireless man-in-the-middle (MITM) attacks

Identify and monitor wireless networks that have no encryption or weak encryption, and observe any connected devices.

Our solution for conducting penetration tests on mobile devices speeds up the testing process, automates everyday tasks and provides a repeatable assessment method to measure the security of mobile devices over time.

Attack and penetration: exploit mobile devices with methods used in the wild.

One of the most effective ways for an attacker to take control of a mobile device is to get the user, or the device itself, to install a malicious program. In phishing tests, the user is tricked into clicking a link that triggers the attack. In Wi-Fi tests, attacks are delivered in response to the device's own requests (fake AP attacks) or injected into existing traffic (MITM attacks).

Methods of delivering attacks

  • Email phishing attacks are delivered directly via email
  • SMS phishing attacks are delivered via an email-to-SMS gateway service
  • Wi-Fi attacks delivered via integration with custom hardware that enables low-level communication with the device’s built-in wireless radio card

Penetration tests of mobile devices

These tests are mobile attacks packaged as regular programs that try to run locally on the mobile device. In addition, some attacks attempt to exploit known vulnerabilities in the device's operating system, built-in programs or components in order to run the program. All attacks, tests and malicious code are developed and tested in sandbox environments, are designed to maximize stability and integrity, and receive continuous updates as new vulnerabilities emerge and attackers refine their techniques.

Information gathering: Demonstrate the consequences of a mobile device intrusion

You can not only show how the security of mobile devices in your environment can be compromised, but also reveal how attackers can access and manipulate data on the device to obtain information about your company's intellectual property, and potentially deceive, stalk or blackmail an end user.

Extraction of information

Once a tested device has been exploited, data can be extracted from it in the same way an attacker would. For example, the following data types can be extracted:

  • Phone calls, SMS and MMS logs
  • GPS position
  • Contact Information
  • Pictures

You can also potentially capture still images, video and record audio with the device’s built-in camera and microphone without the user being aware of this, which can provide further evidence of the seriousness of the intrusion.

Code validation

This refers to the review of the source code of in-house developed systems (both client-server and web applications) from a security perspective. In addition, a validation/quality check is made to ensure that the code follows best practice for how code should be written as securely as possible.

The purpose of this type of review is to ensure that the code produced for in-house developed systems carries no vulnerability or security risks, with a follow-up validation/quality control, based on best practice, of how code should be written as securely as possible. The aim is to propose measures that improve security, and to make you aware of the risks of any detected vulnerabilities, so that the level of security can be raised significantly going forward. This can also lead to changed routines and working methods for coding and for in-house testing of code.

Security testing of the code, and the reporting of it, is carried out as agreed. The usual model for this type of analysis is that the code is lifted into a "sandbox environment" that we provide, or into a suitable test environment of the customer's own. The code is then checked against a set of criteria, and tests and traffic measurements are conducted to identify potential risks in how the system is coded to handle different types of functions and information. From this result, a set of improvement measures and a best practice are produced and presented, giving new or changed routines that keep the continued development work secure.

When analyzing applications, the following types of tests are performed:

  • Identification of vulnerabilities in client-server applications, web applications, web servers and associated databases
  • Tests of all attack vectors in the OWASP (Open Web Application Security Project) Top 10; the category numbers below follow the 2010 edition of the list
  • Traditional SQL injection: tests database calls (OWASP A1)
  • Blind SQL injection: tests database calls (OWASP A1)
  • OS command injection: tests the isolation between web application and operating system (OWASP A1)
  • XSS (cross-site scripting): tests for vulnerabilities that give an attacker control over the user's browser (OWASP A2)
  • Reflected XSS, persistent (stored) XSS and DOM-based XSS
  • Authentication and session management: tests for vulnerabilities in login functions (OWASP A3)
  • Insecure direct object references: tests for unlinked pages, old versions and sensitive URLs (OWASP A4)
  • Cross-site request forgery (CSRF): identifies state-changing functions in the application that can be triggered from another site (OWASP A5)
  • Security misconfiguration: tests the entire chain from web application down to the underlying hardware (OWASP A6)
  • Insecure cryptographic storage: review of cryptography and of certificate and key management/storage (OWASP A7)
  • Failure to restrict URL access: tests for vulnerabilities when accessing sensitive pages such as admin pages (OWASP A8)
  • Insufficient transport layer protection: tests for vulnerabilities in the SSL/TLS configuration (OWASP A9)
  • Unvalidated redirects and forwards (OWASP A10)
  • RFI (remote file inclusion): tests for risks of both remote and local file inclusion
  • Configuration problems with WebDAV, CardDAV etc.
  • Evasion tests against security solutions (firewall evasion, obfuscation, fragmentation, encryption)
  • Checks the strength of the encryption used by the web application
  • "Fingerprinting" to determine whether known vulnerabilities in the identified software can be exploited
  • Dynamically generated test code to check for security vulnerabilities in code and platform
  • Impact description of possible breaches
  • Information gathering to manage vulnerabilities/risks and prevent breaches
  • Information gathering to develop proposals for changed policies for continued development
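A code-validation check for the first item in the list above (finding injection risks in the source rather than by probing the running system), as an added example and not Secure IT's tooling: a small static scan, using Python's ast module, that flags database execute() calls whose SQL statement is built at run time by concatenation, %-formatting, str.format() or an f-string, including the case where the statement is first assigned to a variable. The sample source it scans is constructed; the variable tracking is a file-wide heuristic that ignores scopes, which is adequate for a review aid but not for a verdict.

```python
"""Flag database execute() calls whose SQL is built at run time.

Added example, not Secure IT's tooling. Scans Python source with the ast
module; the sample source is constructed. Variable tracking is a file-wide
heuristic that ignores scopes, which is enough for a review aid.
"""
import ast

DB_CALLS = {"execute", "executemany"}


def _how_built(node):
    """A short reason if the expression builds a string dynamically, else None."""
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return "string concatenation"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "%-formatting"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "str.format()"
    return None


def find_dynamic_sql(source):
    """Return sorted (line, reason) pairs for execute()/executemany() calls whose
    first argument is a dynamically built string, directly or via a variable."""
    tree = ast.parse(source)

    # Pass 1: remember variables assigned a dynamically built string.
    dynamic_vars = {}
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            reason = _how_built(node.value)
            if reason:
                dynamic_vars[node.targets[0].id] = reason

    # Pass 2: inspect the statement argument of each database call.
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in DB_CALLS or not node.args:
            continue
        stmt = node.args[0]
        reason = _how_built(stmt)
        if reason is None and isinstance(stmt, ast.Name) and stmt.id in dynamic_vars:
            reason = f"{dynamic_vars[stmt.id]} via variable {stmt.id}"
        if reason:
            findings.append((node.lineno, reason))
    return sorted(findings)


# Constructed source under review: three unsafe patterns and one parameterized call.
SAMPLE_SOURCE = '''
def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")

def find_user_fmt(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '%s'" % name)

def find_user_fstr(cur, name):
    sql = f"SELECT * FROM users WHERE name = '{name}'"
    cur.execute(sql)

def find_user_safe(cur, name):
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
'''

if __name__ == "__main__":
    for line, reason in find_dynamic_sql(SAMPLE_SOURCE):
        print(f"line {line}: SQL built by {reason}")
```

On the sample it reports lines 3, 6 and 10 and stays silent on the parameterized call. A check like this belongs in the review pipeline next to the dynamic tests, because it finds the pattern in code paths that a scanner never reaches.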