360° audits

Research and analysis of information related to the company in the various sources of public information present on the “Internet” that may affect the security of the company, its data, its employees or facilitate the implementation of attack scenarios (employees, financial data, business/technical documents, secrets, etc.).
We rely in particular on search engines (Google, DuckDuckGo, Yandex, Bing, etc.), information exchange or code deposit platforms (Stack Overflow, Reddit, GitHub, etc.), social networks , information from DNS resolvers, specialized forums, etc.

We are evaluating here the ability of an “external” attacker to compromise or harm the Information System from the Internet. These tests in the 360 ​​context are generally carried out in a “**black box**” (without a user account) (showcase site, extranet, business application).
However, we can target critical “grey box” applications (with user accounts communicated by the technical teams) in order to delve into more complex scenarios according to the needs of each client.

Technical audit of the Information System from internal access (on premises or via VPN). We assess the ability to compromise or harm the client’s Information System by an attacker with internal access, a collaborator or a malicious service provider.
The usual objective is to take total control of resources (e.g. by taking control of a domain administrator account in an Active Directory context) or highlighting so-called “risky” information recovery scenarios (approach via “flags” to be retrieved set out upstream of the audit).

The goal is to simulate the behavior of an attacker able to interact with the company’s Wi-Fi access in order to highlight exploitable vulnerabilities near the premises.

Here we evaluate the attack surface of the environment administered by the customer (or by outsourcers) and carry out various checks on the configuration (generally with an administration account with read-only rights).

Whether it is directly administered by the client or by various outsourcers, we will carry out a **pragmatic** study of the procedures and policies put in place, the documents available, etc. (organizational audit approach).
The objective here is to understand the practices in force within the company, to identify its issues and then to assess the level of maturity of the company with regard to its needs and the market (good practices and average level observed within comparable organizations) in order to produce an inventory supplemented by one or more interviews.

Depending on the request and the context of each client, we will make the choice to:
– a full-scale awareness-raising exercise in order to take stock of the level of employee awareness (fictitious phishing campaign with a model);
– an awareness-raising workshop presented by XMCO consultants around the theme of “general safety” in order to help all technical and non-technical employees to better understand the risks.