Type of Client: Pharmaceutical / Biotechnology with more than 15,000 employees and global presence
The Client has a set of strategic partners that provide technological solutions, mainly in CaaS (Cloud as a Service) model, and the client did not have the structure nor the in-depth knowledge to regularly perform the assessment of the cybersecurity posture of its partners and the potential risks that may arise from this.
Devoteam Cyber Trust presented a service designed together with the client which regularly performs the evaluation of each of the third parties designated by the client in order to carry out the identification, characterization and also provide recommendations on the identified risks.
The evaluation process holds several degrees of depth that are defined in accordance with the criticality of each of the third parties and the solution itself.
Within the scope of the service, and in order to provide a service as effective and efficient as possible, Devoteam Cyber Trust combines the INTEGRITYGRC solution that accelerates the process of structuring, defining and identifying risks, as well as, the use of the Assessments module and risk management, providing the client with a more practical deliverable based on which it is possible to take action and monitor the evolution of the Implementation Roadmap.
The client now has an in-depth knowledge of the risks that result from each of its third parties and solutions, and through the follow-up and management of these deliverables has as a result, a considerable risk reduction to the organisation.
Through this service, the client was also able to respond in a structured way in order to comply with requirements regarding third parties risk management.
Type of client: National Government Entity
Within the scope of functions development, the client had a regulatory requirement for the adoption and implementation of an information security management system (SGSI ISO 27001), with its certification by an accredited entity.
The Client did not have sufficient knowledge or resources to carry out the implementation.
Devoteam Cyber Trust provided a service composed by a project, with the intervention of its consulting team that carried out the process of implementation and support in the certification obtained by the client.
During this project, which lasted 9 months, Devoteam Cyber Trust applied its 5-step roadmap proven in numerous projects, through which supports the client in all activities, namely in the structuring of processes and documentation, in the implementation of these processes, definition and action of risk management analysis, operation, among other critical activities.
All activities carried out were supported by INTEGRITYGRC platform, which has a proven effectiveness of more than 40% at the time of its implementation, taking into account the functionalities provided by the platform that fully support all key activities in the implementation of a given standard or regulation, from the documentary components to ensuring its connection with the operational component.
The Client was able to increase its maturity and information security management practice very sharply through the adoption of ISO 27001, and was able to meet its ISO 27001 certification objective in the established time, through Devoteam Cyber Trust’s implementation service.
Type of client: Financial Entity with more than 35,000 employees and with global presence
The Client has a very considerable set of business applications, with very sensitive data and financial transaction support, and with a high dynamic of updates.
The Client felt that the traditional test model could not keep up with the dynamics of their business requirements, as well as felling a lack of agility in the reporting process and management of the results of their Pentesting actions.
This customer's requirements were immediately matched by KEEP-IT-SECURE-24 Persistent Testing service that Devoteam Cyber Trust launched in 2013.
Through this service the client has Persistent Pentesting performed, integrated in its change management cycle and with manual in-depth tests performed by Devoteam Cyber Trust’S certified team.
As a deliverable of this service, the client has access to the service platform where he can manage the lifecycle of vulnerabilities, ensure the interaction between the resolution teams and the Devoteam Cyber Trust testing team, dynamic generation of reports and support during the effective resolution of vulnerabilities.
The customer was able through KEEP-IT-SECURE-24 to obtain a service with a very efficient cost compared to the service they previously had, with effective fulfilment of their objectives.
The service eventually helped the customer mitigate more than 60% of vulnerabilities compared to what they had before, and with a resolution time in some cases reduced to less than half of what had ben previously recorded.
Type of client: The Client is a leading performance analysis company and operates in a global geography
As an industry leader our client strives to introduce the latest technologies in its industry in order to achieve insightful data from camera real time video streaming. The process used to capture video and execute analysis relies on the geographical distribution of cameras that sometimes might not be connected to trusted environments and will need to connect in a secure way to our client infrastructure.
Our client asked us to subject their star product, a Smart Camera, to in-depth security testing.
The requirements posed by our client were addressed by a Pentest project considering multiple threat vectors. The approach included the following scenarios:
• Physical access to the camera was considered since the cameras are placed often in
unsecure areas and a potential attacker can access them to gather knowledge or
compromise the system;
• Wired and Wireless network access to the camera was considered a valid vector since the cameras are usually placed in unsecured networks that can be accessed by potential attackers;
• The API endpoints directly consumed by the camera on our client infrastructure were also targeted.
The approach encompassed the following steps:
• 1st step – research the solution and understand the role
of each block;
• 2nd step – do a threat modelling exercise and decide which vectors to analyse first (network, hardware, application);
• 3rd plan and execute.
Some of the techniques used:
• Research the hardware to understand the chips and suppliers used;
• Subvert boot using serial connection;
• Tests and Wi-Fi enrolment (mobile app - camera activation);
• Detach the SSD M2 disk from the camera to read the information;
• Intercept communications from Ethernet ports;
• Test camera exposed services;
• Boot operating system (alternative) through the Micro SD-Card slot;
• Certificate Authority (CA) installation on the camera operating system to perform MiTM.
The Pentest project enabled the discovery of multiple important vulnerabilities that were promptly solved by the client, reducing the risk to the client’s organisation and solution users. Findings range from the ability for an attacker to access to video footage by accessing internal storage of the camera, the ability to compromise the camera and intercept communications and also the ability to compromise the analysis backend of our client’s infrastructure.
The Pentest Project helped the client to understand the risks that the solution posed and enabled the resolution of vulnerabilities, preventing them from being used by real attackers to impact our client’s organisation or solution users.
Confronted with the detailed in-depth results from the camera solution Pentest, the client perceived the value of having several other solutions being continuously looked and engaged with the KEEP-IT-SECURE-24 Service.
Edifício Atrium Saldanha
Praça Duque de Saldanha, nº 1, 2º andar
1050-094, Lisboa | Portugal
T: +351 21 33 03 740
5th Floor, Cottons Centre
London, SE1 2QG | United Kingdom
T: +44 20 7288 2800
Calle Cronos 63, 4ª planta Oficina 2
28037, Madrid | España
T: +34 91 376 88 20