IT Security Audit

There are several types of IT security audits: organizational audits, technical audits and penetration testing.
All these variants are complementary, and together they give the most complete picture of an organization’s level of security. In this article, we deliberately leave organizational audits aside in order to focus on the technical aspects of security audits.

Cybersecurity Issues for Businesses in 2020

Penetration Testing: Approach, Methodology, Types of Tests and Rates

The current trend is to strengthen the security requirements imposed by customers, partners and investors. Security audits have become accessible to small and medium-sized companies, for whom they are a prerequisite to collaborating on IT matters with large companies. In fact, large enterprises almost systematically include requests for security audit reports in their purchasing processes. The introduction of the GDPR 2 years ago also made companies aware of data security issues in business sectors where risk awareness was previously low. Security certifications (ISO 27001, HDS, PCI-DSS, SOC2, etc.) are increasingly popular among small and medium-sized companies as a way of differentiating themselves and making security a quality issue.

Doing a Pentest for Less Than €1,500

Conducting a security audit has a cost. When companies are asked about the budget they devoted to it, we often hear “between €10k and €20k”, sometimes a little more, sometimes a little less. However, there isn’t really a standard price for this type of service: it all depends on what is done, how, and by whom. If the main objective is to be able to show that a pentest has been done within the last 6 months, it is possible to make concessions in order to respect an extremely limited budget.

Abraham Lincoln (repeating a woodsman) is said to have answered the question “What would you do if you had just six hours to chop down a tree?” with: “I would spend the first four hours sharpening my axe.”

Knowing your attack surface

What does it tell us? That preparation is key.
You cannot protect what you don’t know, therefore knowing your attack surface is the first essential step to protect it efficiently.

In order to assess the security of an information system, a very pragmatic approach consists of conducting a cyberattack in the most realistic way possible. Can a security auditor really put themselves in the shoes of the “bad guy”? Is it possible to avoid biasing the tests by providing no information beforehand?

Black Box Pentest under different attacks

Yes, it is actually possible with a “100% Black Box” security audit. In this situation, the pentester starts the audit with only the name of the company as information. It is up to them to discover the scope exposed to attacks and then to carry out attacks, trying to maximise the impact of the tests within the time that was given.

The benefits for a company that orders this type of black box audit are:

When we talk about computer attacks, we often think of an activist or a criminal sitting in front of his screen on the other side of the world… yet half of all attacks involve internal actors, according to the Insider Threat Report 2018. In fact, 58% of respondents confirmed that they had suffered a cyberattack related to an insider threat. Protecting yourself from the inside against these attacks is therefore just as important as defending yourself from the outside.
Internal Security Audit

During an internal security audit, penetration tests are conducted from inside the company or sometimes through a VPN. Most of the time, pentesters go to the company’s premises, bring their own equipment and put themselves in the shoes of an internal attacker.