Threat Modeling is a complex and ongoing process, where our security professionals identify threats to the security of your organization, and provide consultation on how to eliminate risks. More than that, it is a self-evaluation of your company’s defensive position, so you know which parts you absolutely must protect, and which inherent risks have the most potential for harm. Threat Modeling is necessary to fill understanding gaps regarding web applications threat profiles, but it can also infuse system and application development, to put a security-first mentality in the forefront. It teaches developers to look beyond the expected attack vectors and think as a creative attacker would.
ArtsSEC offers on-point threat modeling for companies of all sizes, and websites or databases of all types:
We take a look at any exchanges which may occur between your front-end - whether it’s an application, a client, or a website, and external sources like servers or the Internet.
Comprehensive models are formed by the most relevant threats to your business according to their damage potential. The intent and scale of these threats is conveyed to our clients in a way that is digestible by non-IT managers and staff.
We roll up our sleeves and come up with solutions to harden your defenses against the threats we discovered, implementing our own preventative measures where applicable, providing best practices and references.
The objective of this service is to identify and analyze vulnerabilities in a company's web applications. These vulnerabilities are generally associated with security mistakes in the application's design, its development, or its implementation. If unchecked, a seemingly small opening can lead to a wider range of possible gaps that could be exploited by attackers. Our methods are aligned with the process described by the Open Web Application Security Project, or OWASP, a network of 42,000-plus volunteers who promote web application security in all its forms. Specifically, we identify with the first steps in web application security, that is, manual testing to identify vulnerabilities. We also provide implementation of automatic tools, and the corresponding confirmation of potential vulnerabilities.
Our web application analysis services are provided with three distinct approaches:
Black box analysis: This is a simulation of an attack by an experienced user from the Internet with no previous access to information. It is meant to understand how vulnerable, if at all, a web application is to the world at large.
Grey box analysis: The application's vulnerabilities are analyzed with a simulated user that has access to certain levels of information. It is meant to ascertain how vulnerable a web application is to someone on the inside and test levels of clearance.
White box analysis: This test focuses on vulnerabilities in the source code of an application.
Penetration testing is the service analysis of external system vulnerabilities. This method uses of a set of tests to identify vulnerabilities and their associated risks related to company assets that are exposed to the Internet.
The tests are divided into the following phases:
Identify unprotected services on the Internet using one or more of the methods described in the 'Application Security' section.
Perform tests on the registered services to identify vulnerabilities.
Enact a simulated exploitation, a series of carefully controlled tests that attempt to cash in on vulnerabilities like an attacker would.
A written report about the vulnerabilities and their associated risks is sent to the company. These reports will target assets, from a technical and commercial standpoint. Strategic and tactical recommendations are then provided, so our clients can make immediate decisions to eliminate these risks.
A re-test is performed after 30 to 45 days, meant to verify the effectiveness of the controls implemented by the company.
The methodology used to develop these different stages include both automated and manual test execution tools. The results are tested manually in both cases. If false positives have appeared as a result of the automated tools, they are identified and removed.
For mobile security, we use automated scanning, manual testing, and design testing to find weaknesses and mend them quickly. This is done by hardening backend servers, which are usually responsible for the data execution for a mobile application. Server hardening is a series of software-related optimizations, which runs down a checklist of potential threats and takes measures to rectify them. We also express practices for keeping the applications safe after we've left—protecting sensitive data from exposed misconfigurations, consistent patch management, limiting access to authorized personnel, typical platform vulnerabilities, and the most persistent vectors of attack.
The goal is to reduce liability costs and exposure, and to instill secure coding practices in our clients so they have an understanding of how to prevent advanced threats.
Now that phones and tablets have all the capability of desktops, companies can no longer ignore mobile devices as potential entry points for their networks and servers.
Here is a listing of the Top 10 mobile device risks, according to OWASP:
Weak Server Side Controls
Insecure Data Storage
Insufficient Transport Layer Protection
Unintended Data Leakage
Poor Authorization and Authentication
Client Side Injection
Security Decisions Via Untrusted Inputs
Improper Session Handling
Lack of Binary Protections
The term "hardening" applies mostly to servers and their attached nodes, but it can also apply to entire systems. Whenever there is a risk of devices and machines leading back to a centralized source of data, the routes into that source need to be well-defended.
Hardening is a process involves altering the configurations of software to make it more resistant external attacks. After identifying weaknesses that can be exploited by outside attackers, we deliver a complete document with findings based on the best practice controls for security.
Our software hardening consists of strategic measures at each level of data transmission through your system. It begins with system-level configuration optimization, where we assess the security level from the ground up. That includes, but is not limited to: strengthen passwords, firewall implementation, limiting access to authorized individuals, and implementing necessary updates.
We then take measures to audit the hardware devices that require checks, like switches and routers. Configurations for these devices are checked at the software level to make sure they meet our lofty standards based on the best industry practices. As with all our services, detailed reports are then provided, so our clients gain an in-depth understanding about prevention and maintenance long after we’ve completed our tasks.
Bugs bounty programs are incentives offered by different companies that reward individuals or groups for finding critical bugs within their systems. The programs are a way to expand the company’s base of knowledge, while allowing resourceful users the opportunity to actively participate in improving the quality of products they find useful. Skilled programmers and hackers will prevent threats before attackers do.
The incentives the programs offer can be quite lucrative, and often give hackers who want to earn legitimate income for their skills a chance to do using private or public programs and report vulnerabilities. ArtsSec will use standard bug bounty programs platforms to foster constant improvement of all your web security systems, to elevate your quality assurance operation beyond outstanding to the upper echelon of industry standards. Planned incentives will vary based on programs, which we will continue to revamp according to their effectiveness and consumer feedback. The goal of our bug bounty programs are part of an ongoing effort to improve the quality in all every aspect of our services.
We can setup the program, responsible disclosure, bug bounties, manage the communication with hackers, researchers, triage and test the vulnerabilities and help your developer team to fix the issues.
Our security awareness services are for training and continued learning for companies who want to make sure their employees understand their roles in protecting data.
It is a program that we have developed in-house using relevant curriculum from industry experts, as well as materials we've accumulated through our own experiences in the industry.
The programs will focus on the most important aspects of security awareness:
The best practices for security awareness according to industry standards, and according to our standards, which are higher in most cases.
How to respond to direct attacks—those where the offending party attempts to dupe the employee into revealing information by taking advantage of human nature. These are the spam emails, suspicious phone calls, and solicitations by external parties who use various methods to lower an employee's guard.
Avoiding human mistakes like leaving terminals unlocked or failing to discard written information that compromises the system (like a written-down password).
We use creativity and enthusiasm to expand your knowledge base, and we establish effective learning programs using metrics that can assess your staff's performance accurately. After they have completed our coursework, your employees will have a firm understanding of their role in cyber security matters, and how to prevent cyber-attacks using the industry's best practices.
While building their defenses with software and hardware, many companies will marginalize the possibility of human error to create vulnerabilities. The main target of this service is to simulate an attack against a company's sensitive data using techniques that exploit the latter. Rather than the straightforward approach of finding code-based vulnerabilities, it is done through social engineering strategies, wherein attackers use direct communication and human nature to find information about companies.
The goal of these tests is to identify the level of information available to each user and find the weakest links. Then, we will assess the potential threats to which they are exposed and determine if they are knowledgeable about how to handle sensitive information. A typical attack stage involves the creation of a website designed specifically for the company. The site could provide exclusive offers for employees, and follow up with requests to access corporate accrediting documents. Another attack stage may include a series of emails asking to update access information to the company's intranet through a specially designed gate.
The results of these tests are sent to management, so they have an understanding of the security awareness among those who work for them.
Lastly, tactical and strategic recommendations are provided, so these managers can make immediate decisions about how to mitigate future risks.