Small and medium-sized enterprises
IT security is not a question of company size!
Targeted assistance. High level of security protection.
IT security poses major challenges for small and medium-sized enterprises (SMEs), which often lack specialist staff, time, technical resources or know-how. In addition, small businesses easily fall into the trap of thinking that only large companies with impressive key figures are victims of targeted attacks. In 2021, almost 43% of security incidents affected small and medium-sized enterprises. For 44% of respondents, the financial damage was between €25,000 and €500,000, an amount that can pose an existential threat to an SME.
Representative SME sample (518 companies) by Sirius Campus
Successful cyberattacks mainly occur through misconfigured remote maintenance access or online servers, as well as through phishing emails. Ransomware attacks, which encrypt entire data infrastructures, represent the greatest threat to a company.
How can I protect myself?
SmartTECS Cyber Security offers the following services for SMEs, which are specifically tailored to small and medium-sized companies and their needs.
Cyber Security Quick Test
Would you like to get a quick overview of possible entry points into your company? We cannot determine the security level in 15 minutes, but with the Cyber Security Quick Test we can examine your company’s external attack surface from the Internet in no time and evaluate the results together with you.
Based on the evaluation, you can gain an initial impression of the security level and determine the next steps to secure your IT infrastructure.
Cyber Security Audit
Security Audit and Hardening Check
A security audit and hardening check includes the review of a company infrastructure or individual applications in the form of guideline-based interviews with the responsible contacts in the customer organization. The subject of the audit is the security-relevant processes of the organization as well as the architecture and configuration of the IT systems. In addition, a detailed review of the configuration (hardening check) can be carried out for selected systems.
Reasons for a Security Audit and Hardening Check
With the help of a security audit and hardening check, the security level of an organization can be assessed very efficiently, while also taking business processes into account. In contrast to penetration tests, for example, an audit offers a holistic view of IT operations. By conducting it in the form of guideline-based interviews, an audit offers deeper insights into internal processes. In addition, there is usually no need to create access and authorizations for the security specialists, which saves time.
Goals
The main objectives of security audits and hardening checks are to identify security gaps, assess risks and improve the overall security level.
- Identification of security gaps: A key goal of security audits and hardening checks is to uncover vulnerabilities in processes or IT systems that endanger the secure operation of the infrastructure. By identifying such vulnerabilities, companies can take measures to close these gaps and increase their security.
- Risk assessment: A security audit and hardening check can help assess risks related to the security of IT systems. By identifying and assessing risks, companies can make better decisions about what measures they should take to improve the security of their IT systems.
- Improving the security level: The ultimate goal of a security audit and hardening check is to improve the security level of an organization. By identifying and assessing vulnerabilities, companies can take measures to close these gaps and increase their security level.
As a result, the auditors provide recommendations for improving the organization’s security level through targeted measures.
Implementation
The implementation of a security audit is divided into several phases. The aim is to ensure the best possible coverage of the audit topics in accordance with the customer’s objectives:
- Preparation: Preliminary discussion to define the objectives, organizational points (time/place of implementation, contact person), rough idea of the company’s infrastructure
- Document review: Provision and review of relevant documents
- Creation of audit plan: Determination of the timing and content of the audit topics, ensuring the availability and accessibility of relevant contacts
- Conducting the audit: On-site or remote audit, interview-based presentation of processes and system configurations
- Documentation and reporting: Documentation of deviations and corrective measures, preparation of the final report
- Final meeting: Presentation of the results and recommended measures to remedy the identified deviations, coordination of the next steps
The test points when auditing a company infrastructure are based on the standards of the German Federal Office for Information Security (BSI), in particular the BSI IT-Grundschutz Compendium (Basic Protection Compendium) [1] and the ISi series of standards for Internet security. In addition, the auditors of SmartTECS Cyber Security GmbH contribute their own test points based on experience gained in auditing organizations.
The CIS Benchmarks of the Center for Internet Security and recommendations from manufacturers are used to test the hardening measures of individual systems [3].
Pentest of the IT infrastructure
IT infrastructure testing refers to the investigation of software systems and IT landscapes at network level from the perspective of a malicious actor. The simulation of malicious activities to identify vulnerabilities takes place over the public Internet or from a company’s internal network and includes the examination of …
- Network components: e.g. application servers, proxies, etc.
- Network protocols and network services: e.g. SSH, FTP, RDP, LDAP, Kerberos, Windows Active Directory (AD), etc.
- Network access and protective measures at network level: e.g. remote maintenance and VPN access, network segmentation, firewall configuration, etc.
- Technology-specific testing activities: e.g. Docker, Kubernetes, etc.
Why penetration testing?
Due to the ongoing digitalization of business processes in particular, more and more business-critical areas are accessible via the public internet. Adequate protection against malicious attackers is therefore important in order to avoid potential technical and financial damage (e.g. due to data loss or restricted availability).
With the help of IT infrastructure testing, vulnerabilities within a network can be identified by simulating malicious activities in order to determine the existing security risks for applications and their users. By recommending specific measures to eliminate the identified vulnerabilities, software quality in the area of IT security can be increased and adequate protection against successful attacks can be achieved.
In general, security tests can be used to check the following protection goals [1] according to the German Federal Office for Information Security (BSI):
- Confidentiality: “Confidentiality is the protection against unauthorized disclosure of information. Confidential data and information may only be accessible to authorized persons in the permissible manner.”
- Integrity: “Integrity means ensuring the correctness (integrity) of data and the correct functioning of systems.”
- Availability: The availability of services, functions of an IT system, IT applications or IT networks or even information exists if they can always be used by users as intended.
Goal
The aim of the test activities generally consists of the following three points:
- Identification of existing vulnerabilities and misconfigurations within the application system or IT landscape.
- Recommendation of appropriate measures to eliminate vulnerabilities in order to increase the resistance of the IT infrastructure against possible internal and external attackers.
- Determination of the security level of the IT infrastructure at the time of testing based on the test results.
In addition to the general objectives mentioned above, it is possible to determine the specific test objectives and their prioritization individually in consultation with the client before the test is carried out and to adapt the study accordingly.
General test methodology
Our test methodology for IT infrastructure testing is based on the BSI's implementation concept for penetration tests, the BSI IT-Grundschutz Compendium and the procedure of the Penetration Testing Execution Standard (PTES). The specific test activities are adapted to the agreed customer objective and the technical conditions.
Next Steps
Once the study has been completed, there are various starting points for effectively continuing the previous analysis. A selection of sensible options can be put together individually during the consultation depending on the customer’s objective, wishes and results.
- Further testing activities at network level: If previous penetration tests have not been able to adequately examine all areas of the network, an expansion to other network areas is possible.
- Web Application and Web Service Penetration Testing: Previous testing activities can be focused on individual application systems within the network in order to perform a more application-specific analysis of the security risk.
- Security consulting: Based on the knowledge gained and the vulnerabilities identified, general or application-specific topics in the area of IT security, best practices or know-how can be conveyed to raise awareness or for solution approaches.
- System hardening: By specifically checking application systems that are accessible in the network at the configuration level, test coverage can be increased.
Phishing: Simulation of a phishing attack
Phishing attacks are one of the most common attack methods, for example to specifically exfiltrate sensitive data and information from a company or to extort a ransom after successful compromise using ransomware. The approach of an attacker in a phishing attack is quite simple: The attacker tries to send an email or message that looks like it comes from a trustworthy source, e.g. an internal system or an internal company campaign. According to the IT security report of the Federal Office for Information Security (BSI), a successful ransomware attack often begins with a malicious spam or phishing email [1].
We test your systems and employees with simulated phishing attacks to check the effectiveness of your current defense measures and the awareness of your employees.
Why simulate a phishing attack?
Our phishing simulation is simple, fast and reliable. We simulate a phishing attack and send an email to your employees that looks like it comes from a trustworthy source. You can set the focus of the simulation yourself, e.g. handling passwords or data protection.
After the simulation, you will receive a detailed report on how your employees reacted to the phishing attack. You will get an overview of how many of your employees fell for the realistic deception and where your defense measures need to be improved.
Goal
The goal of a phishing awareness campaign is to increase awareness and understanding of phishing attacks among individuals within organizations. This is to create an in-depth understanding of how phishing works, the forms it can take and the impact it might have. The campaign aims to strengthen participants’ ability to recognize phishing attempts and respond appropriately to them in order to protect themselves and their organization from potential security breaches and data leaks.
Implementation
A phishing campaign is carried out in the following sequential steps:
- Kickoff: In this initial phase, the goal of the campaign is defined. A comprehensive strategy is developed that determines which target groups should be addressed and which specific phishing threats are relevant. Important aspects such as budget, time frame, required resources and communication channels are also determined in this phase.
- Implementation: Once all the general conditions have been clarified, the campaign is carried out within the agreed period. All essential data is recorded.
- Documentation: At the end, the customer receives a comprehensive report. This reflects the awareness of the employees. In addition, customer-specific measures are suggested to increase security. Based on this information, the customer can determine the need for further awareness-raising measures.
- Consulting (optional): Further consulting can support the implementation of the measures and the elimination of the identified weaknesses. The next steps can also be discussed. If necessary, an additional campaign can be carried out in order to compare whether and in what form the awareness campaign has had an effect.
Service description
The goal of testing activities is generally to generate quantifiable metrics to evaluate employee awareness and the effectiveness of awareness training. These metrics enable an assessment of our customers’ resilience to actual phishing attacks and provide the basis for recommendations to increase employee vigilance and optimize training content.
As part of a phishing awareness campaign, the following data is collected:
- Number of people who opened phishing emails
- Number of people who clicked on the phishing link
- Number of people who entered data (e.g. user names and passwords)
Note: Because the evaluation is anonymous, the report contains no names or other data that could be used to identify individual employees.
In addition to the general objectives, it is possible, in consultation with the client, to individually define the specific test objectives and their prioritization in advance of the test execution and to adapt the investigation accordingly.
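The three metrics above can be derived from the event log of a simulation tool while keeping the result anonymous. The following is an added illustration, not SmartTECS code: it assumes a constructed log of pseudonymous recipient ids and a constructed roster, treats a click as implying an open (tracking pixels are often blocked), and pools departments with fewer than five addressed people so that no figure can point at one person.

```python
from collections import defaultdict
# Constructed sample log of one simulated campaign (not real data). Each line is
# <pseudonymous recipient id>,<department>,<event>; the ids are opaque tokens
# issued by the simulation tool, never names or e-mail addresses.
SAMPLE_LOG = """\
r01,sales,opened
r01,sales,clicked
r02,sales,opened
r03,sales,clicked
r03,sales,submitted
r06,finance,opened
r06,finance,clicked
r06,finance,submitted
r07,finance,clicked
r08,hr,opened
"""
# Constructed roster: how many people per department were addressed.
ADDRESSED = {"sales": 10, "finance": 8, "hr": 3}

# Stages are ordered: a click implies the mail was opened and a submission
# implies a click, even when the pixel-based "opened" event was blocked.
STAGE = {"opened": 1, "clicked": 2, "submitted": 3}

def parse_log(text):
    """Return {recipient: (department, highest stage reached)}."""
    outcome = {}
    for line in text.strip().splitlines():
        rid, dept, event = line.split(",")
        prev = outcome.get(rid, (dept, 0))[1]
        outcome[rid] = (dept, max(prev, STAGE[event]))
    return outcome

def campaign_metrics(outcome, addressed):
    """Unique recipients per stage, plus the rate against everyone addressed."""
    total = sum(addressed.values())
    counts = {name: sum(1 for _, s in outcome.values() if s >= lvl)
              for name, lvl in STAGE.items()}
    return counts, {name: round(c / total, 3) for name, c in counts.items()}

def department_report(outcome, addressed, k=5):
    """Stage counts per department; departments with fewer than k addressed
    people are pooled into 'other' so a figure cannot point at one person."""
    report = defaultdict(lambda: dict.fromkeys(STAGE, 0))
    for dept, stage in outcome.values():
        group = dept if addressed[dept] >= k else "other"
        for name, lvl in STAGE.items():
            if stage >= lvl:
                report[group][name] += 1
    return dict(report)
```

Rates are computed against everyone addressed, not only against those who generated an event, so blocked tracking pixels lower the reported open rate rather than inflating it.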
Sources
[1] BSI Bund