+1 917 993 9742

End-to-end IT Security Management Services

GDPR
HIPAA

Corporate security and network protection are what assure the confidentiality and integrity of your data

Impressive experience

For 13 years we have been implementing comprehensive risk management strategies for fintech companies and for leaders in retail, healthcare, and other industries

50+
successful projects

Expert staff

We hire highly skilled engineers with extensive knowledge of modern cybersecurity technologies and a deep understanding of the OWASP penetration testing methodology.

20+
Security specialists

Total vulnerability control

Regular network scans and continuous analysis of internal and external threats let weaknesses in your infrastructure be identified and remediated quickly

24/7
security monitoring

Business protection begins with business understanding

With the spread of Machine-to-Machine communications, the BYOD concept, and the Internet of Things, the volume of data being produced and exchanged has grown significantly. However, each of these technologies brings its own set of cyber vulnerabilities.

We implement a risk management strategy, striking a balance between the effectiveness of our customers’ work and their need for security.

Testing the IT infrastructure perimeters

  • Collection of information on the Company's external infrastructure
  • Identification of the technologies in use and prioritization of external IT assets from an attacker's point of view
  • Identification of vulnerabilities and configuration flaws on the most critical assets
  • Selective exploitation of vulnerabilities and configuration flaws to verify that they are real
  • Assessment of whether compromised assets allow further movement inside the corporate network
  • Assessment of whether the implemented attack vectors allow sensitive data to be compromised
  • Development of an attack-path map based on the successful penetration vectors
  • Development of a plan of required information security measures based on the identified shortcomings
  • Development of a report and recommendations for raising the level of security

Identification of risks based on public information

  • Search for disclosed technologies and software versions
  • Identification of public services and assessment of their criticality
  • Search for disclosed employee contacts and other data that could be used in a phishing attack
  • Identification of information leaks (including source code of developed products, etc.)
  • Search for compromised accounts
  • Analysis of activity on social networks
  • Darknet monitoring for the presence of confidential information
  • Identification of security misconfigurations on the detected services and of publicly known vulnerabilities, using passive techniques only (no active probing)
  • Development of a report and recommendations for raising the level of security

Web Application Security Testing

  • Collection of information about the application
  • Testing the application's business logic in a security context
  • Security analysis of the web-server component and verification of its settings
  • Testing of parameter processing (input handling)
  • Testing of web access control and AAA (authentication, authorization, accounting) mechanisms
  • Source code vulnerability analysis
  • Development of a report and recommendations for raising the security level of the web application
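The two items "testing of parameter processing" and "testing of web access control and AAA mechanisms" are the ones most often reduced to a checklist, so here is an added example of what such a test actually exercises. It is illustrative code written for this page, not Andersen's tooling or a client system: a toy order-lookup handler in a broken and a hardened version, with the horizontal privilege escalation (IDOR) check and the malformed-parameter check a tester runs against both. The users, session tokens and order IDs are constructed.

```python
"""Constructed order-lookup API: vulnerable vs. hardened, plus the checks a tester runs."""

# Constructed data store: order id -> (owner, description), and session token -> user.
ORDERS = {101: ("alice", "2 x widget"), 102: ("bob", "1 x gadget")}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


class Forbidden(Exception):
    pass


class BadRequest(Exception):
    pass


class NotFound(Exception):
    pass


def get_order_vulnerable(session, raw_order_id):
    """Typical defect: the session is authenticated but ownership of the object is never
    checked, and the parameter goes through int() with no validation, so any logged-in
    user can enumerate every order and odd input raises an unhandled exception."""
    if session not in SESSIONS:
        raise Forbidden("not logged in")
    order = ORDERS.get(int(raw_order_id))
    if order is None:
        raise NotFound()
    return order


def parse_order_id(raw):
    """Parameter processing: accept only a plain, bounded, positive integer; reject
    '101 OR 1=1', '101.0', '-1', empty and oversized values before any backend sees them."""
    if not isinstance(raw, str) or not raw.isdigit() or len(raw) > 9:
        raise BadRequest(f"invalid order id: {raw!r}")
    return int(raw)


def get_order_hardened(session, raw_order_id):
    user = SESSIONS.get(session)
    if user is None:
        raise Forbidden("not logged in")
    order = ORDERS.get(parse_order_id(raw_order_id))
    # Authorization: the object must belong to the caller. Answer 404 rather than 403 so
    # the existence of other users' orders is not confirmed to the attacker.
    if order is None or order[0] != user:
        raise NotFound()
    return order


def access_control_test(handler):
    """Tester's horizontal privilege-escalation check: log in as each user, request every
    known order id, and record every order read by someone who does not own it."""
    findings = []
    for session, user in SESSIONS.items():
        for order_id, (owner, _) in ORDERS.items():
            try:
                handler(session, str(order_id))
                if owner != user:
                    findings.append(f"{user} read order {order_id} owned by {owner}")
            except (Forbidden, NotFound):
                pass
    return findings


def parameter_test(handler, session="sess-alice"):
    """Tester's input-handling check: anything other than a clean validation error
    (BadRequest) for a malformed id is a finding."""
    findings = []
    for payload in ["101 OR 1=1", "-1", "101.0", "9" * 20, ""]:
        try:
            handler(session, payload)
            findings.append(f"accepted malformed id {payload!r}")
        except BadRequest:
            pass  # expected: rejected by input validation
        except (NotFound, Forbidden):
            findings.append(f"id {payload!r} reached the lookup without validation")
        except Exception as exc:  # e.g. ValueError from a bare int()
            findings.append(f"id {payload!r} caused unhandled {type(exc).__name__}")
    return findings


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_order_vulnerable), ("hardened", get_order_hardened)):
        print(name, "access control:", access_control_test(handler))
        print(name, "parameters:    ", parameter_test(handler))
```

Against the vulnerable handler the access-control test reports both cross-user reads and the parameter test reports all five malformed inputs (three as unhandled exceptions, which in a real deployment would surface as 500s and stack traces); against the hardened handler both lists are empty.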

Security Analysis of Remote Access Infrastructure

  • Testing the security of the IT infrastructure components involved in remote access
  • Communication channel (VPN / transport) security testing
  • User device security testing, including BYOD devices
  • Analysis of the overall remote access architecture
  • Testing employee awareness through simulated phishing

Our projects

We offer our expertise, first-class engineers, robust development processes, and a flexible, customer-oriented approach.

Public order placement system

Mobile application and infrastructure for placing orders with free access

The methodologies we use

Our experts use Black Box, Grey Box and White Box Testing to assess the security of a system

Black Box Testing

Testing an information system or infrastructure from the external perimeter with as little prior information about the system as possible. We emulate an external attacker.

Black Box Testing scheme

Methodological stages:

  • Collection of additional information about the target from open sources (search engines, whois services) and by DNS enumeration
  • Use of automated scanning tools (nmap, OpenVAS)
  • Search for Internet-exposed web services intended for internal use and for administration interfaces
  • Analysis of the protocols of Internet-facing services, such as HTTP: collection of service banners and study of HTTP headers
  • Analysis of the available applications using the OWASP Top 10 as the methodology
  • Detection of disclosed information about installed applications and CMS systems
  • Phishing attacks used to obtain additional information about the infrastructure, services, users and accounts in use
  • Verification of the supported encryption methods and of the TLS / SSL configuration
  • Checking the available services for exploitable vulnerabilities
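Several of the stages above (banner collection, study of HTTP headers, disclosure of installed applications and CMS systems, verification of the TLS configuration) are passive analysis of what the target already sends back. The following is an added example, written for this page and not part of Andersen's methodology or tooling, that runs that analysis over one constructed HTTP response and one constructed TLS scan result, the kind of data a banner grab or an `nmap --script ssl-enum-ciphers` run would produce. The header policy, fingerprint signatures and weak-cipher list are the author's choices, not a standard.

```python
"""Passive black-box analysis of a captured HTTP response and TLS scan result (constructed data)."""
import re

# Constructed sample: what a banner grab / `curl -i` against a target might return.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="WordPress 5.4" />'
    '<link rel="stylesheet" href="/wp-content/themes/x/style.css"></head>'
    "<body>hi</body></html>"
)

# Constructed sample: protocol versions and cipher suites a scanner reported as accepted.
SAMPLE_TLS = {
    "protocols": ["TLSv1.0", "TLSv1.2"],
    "ciphers": ["TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
}

# Headers whose absence is reported, with the reason a tester would write in the report.
EXPECTED_HEADERS = {
    "strict-transport-security": "HSTS missing: downgrade / SSL-stripping possible",
    "content-security-policy": "CSP missing: XSS impact not constrained",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing possible",
    "x-frame-options": "X-Frame-Options missing and no CSP frame-ancestors: clickjacking possible",
}

# Asset-path signatures for common CMSs and session-cookie names for common runtimes (author's list).
CMS_PATH_SIGNATURES = [
    ("WordPress", re.compile(r"/wp-content/|/wp-includes/", re.I)),
    ("Joomla", re.compile(r"/media/jui/|/components/com_", re.I)),
    ("Drupal", re.compile(r"/sites/default/files/", re.I)),
]
COOKIE_SIGNATURES = {"phpsessid": "PHP", "jsessionid": "Java servlet container", "asp.net_sessionid": "ASP.NET"}

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES_", "NULL", "EXPORT", "MD5", "anon")
FORWARD_SECRECY_PREFIXES = ("TLS_ECDHE", "TLS_DHE", "TLS_AES", "TLS_CHACHA20")


def parse_response(raw):
    """Split a raw HTTP response into status line, lower-cased header map and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def banner_disclosures(headers):
    """Version strings in Server / X-Powered-By tell an attacker exactly what to look up."""
    findings = []
    for name in ("server", "x-powered-by", "x-aspnet-version", "x-generator"):
        for value in headers.get(name, []):
            if re.search(r"\d+\.\d+", value):
                findings.append(f"{name} discloses version: {value}")
    return findings


def missing_security_headers(headers):
    missing = []
    for name, why in EXPECTED_HEADERS.items():
        if name in headers:
            continue
        if name == "x-frame-options" and any(
            "frame-ancestors" in v for v in headers.get("content-security-policy", [])
        ):
            continue  # CSP frame-ancestors supersedes X-Frame-Options
        missing.append(why)
    return missing


def fingerprint(headers, body):
    """Disclosure of installed applications / CMS from generator meta, asset paths and cookies."""
    findings = []
    generator = re.search(r'name="generator" content="([^"]+)"', body, re.I)
    if generator:
        findings.append(f"generator meta discloses: {generator.group(1)}")
    for cms, rx in CMS_PATH_SIGNATURES:
        if rx.search(body):
            findings.append(f"asset paths indicate: {cms}")
    for cookie in headers.get("set-cookie", []):
        runtime = COOKIE_SIGNATURES.get(cookie.split("=", 1)[0].strip().lower())
        if runtime:
            findings.append(f"session cookie name indicates: {runtime}")
    return findings


def tls_findings(tls):
    """Deprecated protocol versions, weak suites, and suites without forward secrecy."""
    findings = [f"deprecated protocol offered: {p}" for p in tls["protocols"] if p in DEPRECATED_PROTOCOLS]
    for suite in tls["ciphers"]:
        if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite offered: {suite}")
        elif not suite.startswith(FORWARD_SECRECY_PREFIXES):
            findings.append(f"cipher suite without forward secrecy: {suite}")
    return findings


def assess(raw_response, tls):
    status, headers, body = parse_response(raw_response)
    return {
        "status": status,
        "banners": banner_disclosures(headers),
        "missing_headers": missing_security_headers(headers),
        "fingerprint": fingerprint(headers, body),
        "tls": tls_findings(tls),
    }


if __name__ == "__main__":
    for section, items in assess(SAMPLE_RESPONSE, SAMPLE_TLS).items():
        print(section, items)
```

On the constructed sample this reports two version-disclosing banners, four missing security headers, a WordPress 5.4 install running on PHP, TLS 1.0 still enabled, and a 3DES suite still offered; each of those is a lead for the later stage of checking the service for exploitable, publicly known weaknesses, which is exactly why this passive step comes first.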

Grey Box Testing

Testing an information system or infrastructure from inside the perimeter, or with basic privileges in the system (a supplier, user, partner or client role).

Grey Box Testing scheme

White Box Testing

Testing the information system with full knowledge of the system and its infrastructure, including the source code of the software, and analyzing the source code for vulnerabilities.

White Box Testing scheme

Methodological stages:

  • The infrastructure and its integrations are analyzed for compliance with predefined standards and requirements, such as GDPR, PCI DSS, HIPAA and ISO 27001
  • A threat model is developed for the target system
  • Customized metrics for monitoring and response are defined
  • The operation of backup systems is analyzed
  • Solutions for mitigating risks by technical and organizational means are developed
  • Encryption of critical data is implemented where necessary
  • Additional authentication methods are introduced
  • SIEM system configuration is extended
  • The code is tested with SAST / DAST tools to identify possible problems
  • Incident response playbooks are prepared for the SOC
  • Test scenarios are run in accordance with the Disaster Recovery Plan

Company of experts

Our certificates

To validate their knowledge and confirm their qualifications and professional skills, our experts hold the following information systems security certifications

CISSP (Certified Information Systems Security Professional)
SSCP (Systems Security Certified Practitioner)