On the basis of the ISO 19011 standard, A2F Consulting has developed and implemented a professional approach to the methodological and technical audit of information systems security.
Our services verify the consistency of your practices with regard to your strategic and economic stakes, your reference frameworks, and your business and regulatory context. Our experts identify the specific vulnerabilities of your information system and support you in implementing corrective measures to reduce deviations from good practice. You can then proactively manage residual risks on the basis of the areas for improvement defined in collaboration with our auditors.
Excellent communicators, our experts support you in raising the awareness of stakeholders, presenting action plans to management, and embedding the recommended measures in a process of continuous, non-coercive improvement.
Compliance audits consist of assessing the conformity of practices with respect to the customer's security and regulatory standards, or with practices generally observed in similar organizations, and proposing action plans to gradually align practices with those standards across the whole scope of the audit (architecture, resources, organization, procedures, etc.).
Depending on the scope of the audit or the need expressed by the client, our auditors use as the basis of analysis the security standards promoted by the client, regulatory constraints, procedures, codes of conduct, organizational and technical rules, the ISO 2700x family of information security standards in their most recent versions, or sector-specific frameworks (e.g. PCI DSS, GDPR, COBIT, ISO 20000 or ITIL for an operations department within an IT department).
On the basis of the requirements formalized in these documents, and/or on the basis of the A2F Consulting standard consolidated from our experience of similar organizations, our auditors propose the audit plan and the points to be checked during the audit.
The aim of a technical audit is to provide an overview of how well good security practices are integrated into the technical components of the information system, to identify vulnerabilities, to assess their criticality (and exploitability), and to propose the associated recommendations.
Technical infrastructures and applications deployed on the Internet and intranet, being the interfaces of the company's information system, are preferred targets (both by exposure and by sensitivity). Their vulnerabilities and weaknesses may expose the organization to critical operational, legal or other risks.
In a proactive approach to detecting vulnerabilities, A2F Consulting offers infrastructure audit engagements as well as support for application acceptance testing and validation from an application security standpoint.
These services are based on the experience of our auditors and on proven methodologies (OWASP, OSSTMM). This approach covers technical domains such as information gathering, infrastructure controls, authentication controls, session management, authorization controls, business functionality, and technical aspects (AJAX, web services, injection flaws).
Our teams know how to integrate these audits and their results into your internal assessment and risk management processes.
Intrusion tests are particularly well suited to testing the security of an environment and qualifying its resistance to a given level of attack. They also help to educate stakeholders (decision makers, administrators, etc.) within the targeted company in a very pragmatic way, by demonstrating the reality of an attack.
Depending on the client’s objective, the tests are carried out through different approaches to serve different purposes:
Denial-of-service resistance: this consists of identifying vulnerabilities to denial-of-service attacks on active network equipment. Once these vulnerabilities have been analyzed, they are exploited by injecting code or by using the appropriate tools. The aim is to assess the possibility of making the equipment unavailable and thus disrupting the company's information system.
Resistance to remote takeover of equipment: this consists of identifying vulnerabilities in the company's sensitive equipment or assets. Exploiting these vulnerabilities makes it possible to take control of the equipment directly or by pivoting. Once a machine is under the attacker's control, the attacker can attempt to take control of another, more sensitive machine or carry out many other actions.
Resistance to espionage: this consists of identifying vulnerabilities in equipment as well as in the protocols used to transport information. Exploiting these vulnerabilities involves attempting to intercept traffic on the internal information system or to access information stored on specific equipment.
Resistance to business data corruption: this consists of identifying vulnerabilities in databases or storage media. The purpose of exploiting these vulnerabilities is to demonstrate the possibility of modifying or deleting data in the company's information system.
Resistance to reputational damage: this consists of identifying vulnerabilities in the company's websites (its main external image vector). Exploiting these vulnerabilities demonstrates the possibility of making sensitive data public or defacing the home pages.
A2F Consulting offers two main classes of intrusion tests, each conducted with or without prior knowledge of the target:
External tests: A2F Consulting auditors position themselves as an external attacker. They attempt to gain access from the Internet through vulnerabilities yet to be determined. The goal is not necessarily to penetrate the client's network, but to be as exhaustive as possible in listing the vulnerabilities potentially exploitable by a real attacker. These tests are conducted from our test platforms.
Internal tests: A2F Consulting auditors take the role of an internal attacker. These tests are carried out from within the company's information system and are used to test for the internal vulnerabilities that may be present. The goal is to access the critical resources of the company's internal network and, where applicable, highlight the weaknesses of the system. These tests are carried out from analysis probes (connected to the internal network) specially developed for this type of engagement.