VASC - Vulnerability Assessment & Security Consultancy

VASC is specialised in the efficient identification, reduction and prevention of IT security risks

Our focus is on carrying out high-quality services such as high-end penetration tests on IT infrastructures/applications and Red Teaming. In doing so, VASC is open to innovative partnerships to address current vulnerabilities and continue pioneering when it comes to IT security.

Society is digitalising at a rapid tempo. An ever-increasing number of people and businesses are online more often, storing information in a cloud and striving for maximum mobility and connectivity. This creates opportunities for users, partners, clients, employees and competitors. It also opens the door for cyber criminals who cleverly capitalise on the new opportunities of digitalisation and thereby form a constant, growing threat to organisations. VASC has added value in these fights against cyber terror, and in particular to the information security landscape in organisations.

Companies are justifiably increasingly concerned about their reputations and damage to their brand.

Damage caused by cyber-attacks can cost millions and is often not solved quickly. However, one may expect large organisations to handle private, sensitive information with utmost professionalism. VASC can contribute to this by carrying out (periodic) technical IT security tests.

Technical IT security screenings are available in all shapes and sizes and can be carried out on various objects under scrutiny.

The type of screening depends on several factors. These include the moment at which they are carried out (if the environment has already been put in place or not), which type of risk is being tested (a hacker attacking the system or someone attacking a user through social engineering) and how expansive the survey needs to be (with or without a source code) or the accessibility to the configurations of systems. In this regard, it is wise that organisations to consider beforehand what their “crown jewels” are that need to be protected.
During a screening the methodology of cyber criminals forms the basis; what are the crown jewels of an organisation and how can they be reached?

In carrying out a technical IT security screening, VASC presides over diverse screening modules that include Black box, Grey box and Crystal box. VASC also supplies Code reviews/inspections, penetration tests, (physical) social engineering and Red teaming.

SCADA/ICS

Many SCADA/ICS systems are used within the critical infrastructure for controlling and reading data in the processing industry. In general these systems are not designed from a security perspective, but they must operate normally and have a long life. Failures in SCADA/ICS systems can have an impact on the physical world. Locks may open unintendedly, power stations may fail or water purification plants may suddenly not be reliable anymore.

In order to protect your SCADA/ICS environment against possible cyber attacks, VASC can carry out a security investigation to identify safety leaks. A frequently applied method hereby is Red Teaming, whereby a mix of a number of attack and test techniques are used.

Safeguard precious data and enable trust.

Carrying out technical IT security screenings is a preventative and detective measure through which IT security problems can be found so that these can be solved before certain actors may misuse them. How organisations should then to be protected largely depends on identifying the possible actors and the conceived threat. This distinction is of vital importance, since not all organisations are equally “attractive” for the different types of cyber terror.

The person or organisation behind the attacks can be divided into the following groups:

The basic hacker, mostly motivated to show what he/she is capable of
The activist, focused on expressing a philosophy, often driven by an ideology or aiming to spread fear, driven by political objectives
Organised crime, aiming for direct monetary gain (by phishing, for example) or indirect monetary gain, aiming to sell company information
Nation states, aiming to improve their geo-political position or expanding their internal position of power

Seven types of threats may be distinguished here:

Obtaining and publicising information
Identity fraud
Manipulation of data
Espionage

Disrupting of ICT
Take-over and misuse of ICT
Wilfully causing damage to reputation

Application screenings

VASC uses both application and infrastructure screenings. Application screenings can be divided into 6 levels of risk profiles. Factors such as the manifold risks, damage to reputation and the size of the user groups play a major role or when it involves unique personal information. Risk profile 1 is the profile with the highest risk and risk profile 6 is the lowest.

Infrastructure screenings

For security screenings of IT infrastructures that are newly produced the same risk classification can be used as described for applications. In many cases, it concerns an integral project wherein both a new application and the corresponding IT infrastructure is developed.

We work with 7 types of IT security screenings

The need for preventative, detective and reactive measures usually only becomes evident after an actual threat. Carrying out technical IT security screenings is a preventative and detective measure through which IT security problems can be found so that these can be solved before certain actors may misuse them.

Black Box - The screen that provides insight

Prior to a Black box screening, no information is given except which system (application and/ or infrastructure) is to be screened. VASC is not given assistance in this and will have to discover this by itself. In doing so, we gain insight into what an attacker can achieve from the Internet without any prior knowledge and without legitimate access. Black box screening is often carried out within a limited time, a timeframe that is much shorter than the time attackers are prepared to take when attacking.

Grey Box - Exposes vulnerabilities

Login information is provided to our consultants during a Grey box screening. This is how they gain insight into possible vulnerabilities that can be exploited by users who have legitimate access to the system, network or application. All of the screening actions that are carried out during a Black box approach are also carried out during a Grey box approach. This may reveal, for example, if it is possible to circumnavigate the login for non-authorised users.

Crystal Box - Providing insight into the system.

A Crystal box screening provides a full insight into the functioning of a system that is to be screened. Administrator access to the servers, for example, is provided and the source code of an application is made available. Questions concerning the arrangement are answered by architects, developers and administrators. This allows segments of the environment to be evaluated which otherwise could not be accessed.

Social Engineering - Aimed at humans

The social engineering screening is not aimed directly at the technology, but rather at what is often the weakest link in the chain: humans. During an attack, a hacker will attempt to gain access to confidential information.

We distinguish 4 different kinds of social engineering attacks/screenings:

Phishing can be implemented to allow large groups of people to come into contact with the test (which can later be used during the awareness campaign). In consultation with the organisation or institution a scenario is invented in which users receive an e-mail containing a link and/or an attachment. A separate report can be made about the number of persons who have clicked on the link and how many people also gave their credentials on the corresponding website.

In this form of social engineering a department or specific individuals are contacted by phone. The aim here is to convince these people to share sensitive information such as their user name and password over the telephone and we will also attempt to acquire certain “crown jewels”.

How simple is it to infect an internal PC? To find out, USB devices are spread around that contain an electronic piece which will attempt to infect the PC. Here, USB sticks will be left at locations or sent as a gadget to individuals. Both the USB stick and the gadget have been prepared in such a way that when they are used in a laptop or a PC, code execution will occur. As a rule, only a connection will be set up instead of actually infecting the PC, this in connection with the extra work and added risk involved. In both cases, the vulnerability will be shown.

How easy is it to gain access somewhere? We examine through social engineering if we can enter an organisation or gain access to places that are not open to the public, such as computer centres, operating rooms and research laboratories.

Physical social engineering includes any actions that are necessary to physically gain access to areas with confidential information. This may involve tail-gaiting (walking with someone else past security) and the temporary assumption of another identity. VASC is unique in this and facilitates both technical and physical IT security through which a broad spectrum of IT security can be provided.

Code Review/Inspectation - Checking the Code

During a code review/inspection an evaluation is made of a running application/code based on a check of the source code that has been made available. This does not cover a complete code review, but is a check of the (important) parts of a code.

During a full review of the code a (very) large part of the code is examined manually and other parts are reviewed with the help of automatic tooling.

Penetration tests - How far can we go

Black/Grey/Crystal box screening is mostly geared towards finding as many vulnerabilities as possible and reporting them. During a penetration test, the idea is to find one or more vulnerabilities in a limited amount of time and to actually exploit them by penetrating as deeply as possible into a network/application.

Red Teaming - Aimed at the crown jewels

Red teaming screening is not aimed at a specific application or (section of) an infrastructure. This screening is aimed at the crown jewels of the organisation. Here, a focused effort is made to gain access to the most important company information by utilising the path of least resistance, and based on the ideas and work methods of actors who are out to steal certain crown jewels of an organisation.
A Red teaming screening consists of a combination of both technical (mostly Black box) as well as social engineering screenings.

The scenarios to be followed are drawn up in advance in consultation with the client. Ultimately, the client decides how far he or she wants to go with this screening. A screening such as this provides a realistic picture of the vulnerability of an organisation and can also test incidence response and forensic readiness.

Intake

At the start of a screening assignment the size, complexity and vulnerability of the object must become clear. Together with the applied screening methods used, this determines how much time should be spent on a screening. This why determining the right scope is important prior to carrying out IT security screenings. In order to determine the scope for either a screening of applications or the IT infrastructure, a few crucial issues will be established during an intake consultation and be used as starting points.

Estimate

The price of the IT security screening consists of 2 components: the (day/hourly) rate and the budgeted time of the screening. The estimate will contain a description of the approach based on the framework of standards and/or best practices for the screening to be carried out. It will also clearly be indicated what can be expected of VASC and which preconditions must be present in order to perform a proper screening.

Scheduling

The IT security screening will be scheduled after determining the scope and allocating the assignment. Are there any special requests concerning the scheduling? Should we, for example, consider the date of going live? Or is the screening part of an audit that the organisation has to deal with? It is recommended that these issues are addressed at the earliest possible stages.

When scheduling, it is also advisable to consider the time that is needed (if necessary) to eliminate the discovered risks and carry out the subsequent re-screening. Based on the desired scheduling and the pre-established scope, we can determine which team of specialists can best be implemented. In accordance with their availability, we will then establish a definitive schedule together.

Contract

The customary contracts and general conditions for IT service provision may serve as the basis for a contract with general conditions (GC). When drafting a contract for carrying out an IT security screening we apply the following specific points of interest:

Permission and indemnification and the proper establishment of the (technical) scope of the assignment through URLs, IP addresses and/or network ranges.
Confidentiality: it is important for all parties that (the results of) the IT security screening is handled with utmost confidentiality.
Limiting liability: it is customary to limit the liability of both parties to the relative scope of the assignment.

Reporting

Upon completion of the IT security screening the VASC will provide a thorough report of all its findings from the screening. This report will include the following information:

The scope of the screening
The implementation dates of the screening
Management summary
Conclusion based on the risks discovered
The risks discovered
- Description of the risk or evidence of the risk
- Classification of the risk
- Advice concerning the measures to be takencovered

Follow-up

As soon as the VASC report is supplied it is important that the results are carefully examined. Follow-up actions may be defined in this report. The most positive outcome of the IT security screening and the report is that there are no findings. However, the opposite is often the case in practice. The impact for the organisation and the costs to mitigate the finding must usually be established for every finding.

For findings with a high risk level the choice is often quite clear. However, for medium and in particular for low-risk findings the organisation has to make careful decisions. These decisions may include implementing procedural changes to such an extent that the risk and/ or impact of a finding is reduced - preferably to nil, but in any case to an acceptable level for the organisation.

Re-screening

After carrying out a screening and resolving the findings, it is recommended to perform a re-screening to find out if it has been done properly. Depending on the number of adaptations made to resolve the findings, the VASC can carry out a partial screening. However, it may also be necessary to carry out a complete, new screening in order to determine if the measures that have been taken have not caused any new vulnerabilities. A complete re-screening is recommended once several months have passed since the original screening was carried out. This increases the likelihood that not only all findings will have been resolved, but also that other adaptations can be made and functionality is either added or removed.

Once it has been decided to perform a re-screening, we will provide details concerning which findings are related to the re-screening.

Structural Approach

We recommend that IT security tests be approached on a structural level. In practice it often appears that these tests are carried out ad-hoc or only periodically (with a low frequency and limited scope).

Developing a clear policy regarding IT security tests can offer colleagues a better understanding of when certain applications and IT infrastructures should be tested at which frequency and according to which method. Besides these periodic tests, it should also be considered to test new IT projects.

Safeguarding your precious data

Address

Zuid Hollandlaan 7, 2596 AL The Hague, The Netherlands

Phone

+31 70 240 08 30

info@vasc.international

How well are your crown jewels protected?

About us