SysValue, the reliability company Security Auditing and Penetration Tests corporate stance, services portfolio, references 2013

Sys value corporate presentation - security audits 2013


Page 1: Sys value   corporate presentation - security audits 2013

SysValue, the reliability company

Security Auditing and Penetration Tests

corporate stance, services portfolio, references

2013


SysValue, “the reliability company”

Who we are


© SysValue 2012.

About SysValue

Who we are

SysValue is an Information Security Services company based in Portugal, employing over 30 people. We have been in the market since 2003, always focused on this field.

Our work is exclusively in the area of Information Security, with a strong focus on Security Audits and Security Consultancy.

We have carried out projects for most of the big players in the financial, insurance, telco and government sectors in Portugal.

We have carried out a limited number of projects in other European countries, by leveraging our good references with multinational players operating in Portugal.

We are also currently expanding to Angola, where we have had a permanent operational presence since the end of 2011.

By maintaining our strong focus and independence, SysValue is the leading provider of Security Auditing and Technical Penetration Testing services in Portugal. We have achieved this position by specializing, gaining market share from unfocused companies and retaining independence.


SysValue, “the reliability company”

“One integrated vision of IT in terms of security, reliability and compliance”

SysValue develops its competences with the objective of being recognized by the market as a company specialized in “security, reliability and compliance”, in their broadest sense.

[Diagram labels: “the reliability company”; Security; Availability & Quality of Service; Compliance; Managed Services]

SysValue is a company specialized in services and solutions that raise the security, the availability and quality of service (reliability) and the compliance of organizations’ IT.


SysValue, “the reliability company”

What we do


Excellence is a result of strong focus

SysValue provides information security auditing services and related security reviews such as penetration tests, risk analysis and forensics work. We pride ourselves on high specialization, employing highly skilled and experienced individuals and investing in in-house training.

The following slides briefly describe the services we provide in this field.


About SysValue

What we do

Here is SysValue’s relevant security services offer:

• Security Auditing and Security Assessments:
    • Internal / External
    • Black box / White box
    • Web Application testing
    • Code Reviews
• Risk Analysis and Security Architectures:
    • Threat assessment / modelling
    • Security controls modelling
• Forensics work and incident handling
• Stress and Denial of Service testing:
    • Distributed JMeter
    • Web Application bottleneck identification and exploitation


About SysValue

What we do (cont.)

Here is SysValue’s relevant security services offer:

• Risk Based auditing:
    • ISO 27005 Risk Analysis
• Compliance based auditing:
    • ISO 27001
    • PCI-DSS
    • WLA-SCS
• Security Consulting:
    • Gap analysis / Roadmap for compliance
    • Architecture review
• Security Training:
    • Security Policy training and awareness
    • Secure development of Web Applications


About SysValue

What we do (cont.)

We believe in a “two front” approach. We do not value one over the other: we are neither “paper pushers” nor “tech heads”.

[Diagram labels: Policy; Standards; Procedures, Guidelines and Practices; Policy Compliance Controls; Actual Environment; Top-down approach; Bottom-up approach]


SysValue - Specialized Services

Penetration Testing

Summary Description

Assessment of a system/platform’s resilience when targeted by a motivated attacker:

• Evaluation of the exposure of systems/networks/services to the external network, identifying vulnerabilities and problems in the network, system and service layers. Production of recommendations that serve to reduce the impact of as yet undiscovered vulnerabilities.
• Internal evaluation of the systems’ internal exposure by conducting an internal attack simulating a malicious insider.
• Web application testing. We have members with 10+ years of experience conducting automated and manual testing of Web Applications. Our experience has made it possible to streamline manual testing, and we have a systematic and mature methodology that gives the client a clear view of all tests conducted and their results.

Target Market

• Organizations with high visibility Internet presence;
• Businesses that operate primarily on the Web;
• Supervised / regulated organizations.

Standard Team

• CISSP / CISA / GSNA / ISO 27001 at 50%
• GPEN at 100%

Time Frame

• Small sites – 5 to 10 days
• Large web-enabled businesses – 20 days
• Large internet presence – 30 to 40 days

Preferred Customer Contact

• Chief Security Officer / IT Director
• Compliance Manager
• Other CxOs


SysValue – Specialized Services

Information Security Audits

Summary Description

Compliance assessment of information systems relative to security policies and procedures, business strategy, mission and organization objectives, and to technological and process-related best practices:

• Quantitative and qualitative assessment of the infrastructure’s exposure to external and internal attackers;
• Confidentiality, integrity and availability review of environmental, physical, technological and procedural aspects of information systems;
• Risk analysis of information systems, using as the primary criterion the value of the information generated and processed by such systems.

Target Market

• Financial or other regulated organizations;
• Telcos;
• Organizations dealing with sensitive customer information;
• ISO 27001, PCI, SoX candidates.

Standard Team

• CISSP or GSNA at 50%
• GPEN from 50% to 100%
• Technical and process auditors, from 50% to 100%

Time Frame

• Small organizations – 20 to 30 days
• Large organizations – from 30 days (depending on scope)

Preferred Customer Contact

• Chief Security Officer / IT Director
• Compliance Manager
• Other CxOs


SysValue, “the reliability company”

Our Team


Commitment comes from, above all, loving what we do.

SysValue is proud of having an experienced team and continuously investing in their education.


SysValue

Partners for Auditing and Consulting

João Barreto - Partner & Consulting Manager

Founding Partner. MSc in Information Systems (Faculdade de Ciências da Universidade de Lisboa). Invited teacher at Faculdade de Engenharia da Universidade Católica Portuguesa. Over 15 years professional experience having worked previously at HP Labs, LNEC (pt), Alcatel, Convex. João is currently the President of the Portuguese Association for the Promotion of Information Security (AP2SI – www.ap2si.org).

CISSP (2005), ISO 27001LA (2007), CISA (2010), CDMP.

http://www.linkedin.com/in/jbarretosysvalue

Luis Grangeia - Partner & Auditing Manager

Partner since 2005. Studied Engineering and Computer Systems at Instituto Superior Técnico. Over 10 years professional experience having worked previously at SideStep.

GSNA Gold (2001), CISSP (2005), ISO 27001LA (2007), CISA (2010).

http://www.linkedin.com/in/lgrangeia

http://www.slideshare.net/lgrangeia

http://www.sysvalue.com/ResourcesUser/docs/dns_cache_snooping.pdf

(The technique presented in the paper above was used by Dan Kaminsky on the Sony rootkit, story at: http://www.wired.com/politics/security/news/2005/11/69573)


SysValue

Team for Auditing

Five members (only auditing team):

• Luis Grangeia (team leader, see previous slide)
• Tiago Pereira:
    • 5 years at SysValue, 6 years professional experience in Information Security;
    • College Degree in Information Systems;
    • Post-Graduate in Information Systems Auditing;
    • CISA, GPEN
    • http://linkedin.com/in/tiagompereira
• Francisco Guerreiro:
    • 3 years at SysValue, 7 years professional experience;
    • 2 years work experience at UK Companies (Local Borough Council, Orange, Atos Origin);
    • http://linkedin.com/in/francisg
• Tiago Henriques:
    • MSc by Research in Information Security and Computer Forensics, University of Bedfordshire
    • BSc Software Engineering, University of Brighton
    • http://linkedin.com/in/balgan


SysValue

Team for Auditing

• Miguel Marques:
    • 4 years at SysValue;
    • Born in Maputo, Mozambique;
    • Studied Engineering and Computer Systems at Instituto Superior Técnico;
    • Portuguese nationality (working to achieve double nationality – Portugal-Mozambique);
    • En route to achieving GSNA certification before year’s end;
    • http://www.linkedin.com/profile/view?id=3668678


SysValue

Team for Auditing (cont.)

• Excellent written/spoken English skills;
• Experience in report writing in English (for international customers, such as AXA Group).


SysValue, “the reliability company”

Our Clients


SysValue

Clients: A Case Study

• MEO: the IPTV product of Portugal Telecom, the first full featured IPTV service in Portugal, launched in 2007;
• SysValue has performed an extensive end-to-end security assessment at the time of launch:
    • Emulation of a malicious IPTV customer:
        • Web application security reviews of self-care Web apps and other portals;
        • Hardware modification of set-top-boxes and firmware reverse engineering;
        • Infrastructure pen-test through the IPTV interface;
    • Emulation of a malicious corporate insider:
        • Pen-test of core and distribution networks through unprivileged corporate network access;
        • Web app testing of operations and management portals (content acquisition, video-on-demand publishing, etc.)


SysValue, “the reliability company”

What we can Offer


SysValue

Value proposition

• Independent, agile company
• Experienced in projects for European and African countries (i.e. AXA Group)
• Can provide competent professionals for information security projects anywhere in the world
• Considered the leader in Portugal for independent technical security reviews:
    • Accenture, PwC as partners.
• Fluent Portuguese (native language) and soft skills for working in Portuguese-speaking markets.


Contacts:

Filipe Rolo – Senior Sales Director

email: [email protected]

mobile: +351 914 131 020

http://www.sysvalue.com | http://en.sysvalue.com

Addresses:

Av. Eng. Duarte Pacheco, 26, 7 - 1070-110 Lisboa, Portugal

Rua Duarte Barbosa, 368, 4C - 4150-282 Porto, Portugal

Bairro Lar do Patriota, Rua 5, Casa 105 - Luanda, Angola