SysValue, the reliability company
Security Auditing and Penetration Tests
corporate stance, services portfolio, references
2013
SysValue, “the reliability company”
Who we are
© SysValue 2012.
About SysValue
Who we are
SysValue is an Information Security Services company based in Portugal, employing over 30 people. We have been in the market since 2003, always focused on this field.
Our work is exclusively in the area of Information Security, with a strong focus on the fields of Security Audits and Security Consultancy.
We have done projects for most of the big players in the financial, insurance, telco and government sectors in Portugal.
We have done a limited number of projects in other European countries, by leveraging our good references on multinational players operating in Portugal.
We are also currently expanding to Angola, where we have had a permanent operational presence since the end of 2011.
By maintaining our strong focus and independence, SysValue is the leading provider of Security Auditing and Technical Penetration Testing services in Portugal. We have achieved this position by specializing, gaining market share from unfocused companies and retaining independence.
SysValue, “the reliability company”
[Diagram: Security, Availability & Quality of Service, Compliance and Managed Services arranged around “the reliability company”]
“One integrated vision of IT in terms of security, reliability and compliance”
SysValue develops its competences with the objective of being recognized by the market as a company specialized in “security, reliability and compliance”, in their broadest sense.
SysValue is a company specialized in services and solutions that raise the security, availability and quality of service (reliability) and compliance of organizations’ IT.
SysValue, “the reliability company”
What we do
Excellence is a result of strong focus
SysValue provides information security auditing services and related security reviews such as penetration tests, risk analysis and forensics work. We pride ourselves on high specialization, employing highly skilled and experienced individuals and investing in in-house training.
The following slides summarily describe the services provided in this field.
About SysValue
What we do
Here is SysValue’s relevant security services offer:
• Security Auditing and Security Assessments:
  • Internal / External
  • Black box / White box
  • Web Application testing
  • Code Reviews
• Risk Analysis and Security Architectures:
  • Threat assessment / modelling
  • Security controls modelling
• Forensics work and incident handling
• Stress and Denial of Service testing:
  • Distributed JMeter
  • Web Application bottleneck identification and exploitation
About SysValue
What we do (cont.)
Here is SysValue’s relevant security services offer:
• Risk Based auditing:
  • ISO 27005 Risk Analysis
• Compliance based auditing:
  • ISO 27001
  • PCI-DSS
  • WLA-SCS
• Security Consulting:
  • Gap analysis / Roadmap for compliance
  • Architecture review
• Security Training:
  • Security Policy training and awareness
  • Secure development of Web Applications
About SysValue
What we do (cont.)
[Diagram: layers from Policy, Standards, Procedures, Guidelines and Practices, and Policy Compliance Controls down to the Actual Environment, covered by a top-down approach and a bottom-up approach]
We believe in a “two front” approach. We do not value one over the other: we are neither “paper pushers” nor “tech heads”.
SysValue - Specialized Services
Penetration Testing
Summary Description
Assessment of a system/platform’s resilience when targeted by a motivated attacker:
• Evaluation of the exposure of systems, networks and services to the external network, identifying vulnerabilities and problems in the network, system and service layers. Production of recommendations that serve to reduce the impact of yet undiscovered vulnerabilities.
• Evaluation of the systems’ internal exposure by conducting an internal attack that simulates a malicious insider.
• Web application testing. We have members with over 10 years’ experience conducting automated and manual testing of Web Applications. Our experience has made it possible to streamline manual testing, and we have a systematic and mature methodology that gives the client a clear view of all tests conducted and their results.
Target Market
• Organizations with high visibility Internet presence;
• Businesses that operate primarily on the Web;
• Supervised / regulated organizations.
Standard Team
• CISSP / CISA / GSNA / ISO 27001 at 50%
• GPEN at 100%
Time Frame
• Small sites – 5 to 10 days
• Large web-enabled businesses – 20 days
• Large internet presence – 30 to 40 days
Preferred Customer Contact
• Chief Security Officer / IT Director
• Compliance Manager
• Other CxOs
SysValue – Specialized Services
Information Security Audits
Summary Description
Compliance assessment of information systems relative to security policies and procedures, business strategy, mission and organization objectives, and to technological and process related best practices:
• Quantitative and qualitative assessment of the infrastructure’s exposure to external and internal attackers;
• Confidentiality, integrity and availability review of environmental, physical, technological and procedural aspects of information systems;
• Risk analysis of information systems, using as the primary criterion the value of the information generated and processed by such systems.
Target Market
• Financial or other regulated organizations;
• Telcos;
• Organizations dealing with sensitive customer information;
• ISO 27001, PCI, SoX candidates.
Standard Team
• CISSP or GSNA at 50%
• GPEN from 50% to 100%
• Technical and process auditors, from 50% to 100%
Time Frame
• Small organizations – 20 to 30 days
• Large organizations – from 30 days (depending on scope)
Preferred Customer Contact
• Chief Security Officer / IT Director
• Compliance Manager
• Other CxOs
SysValue, “the reliability company”
Our Team
Commitment comes from, above all, loving what we do.
SysValue is proud of having an experienced team and of continuously investing in its education.
SysValue
Partners for Auditing and Consulting
João Barreto - Partner & Consulting Manager
Founding Partner. MSc in Information Systems (Faculdade de Ciências da Universidade de Lisboa). Invited teacher at Faculdade de Engenharia da Universidade Católica Portuguesa. Over 15 years’ professional experience, having worked previously at HP Labs, LNEC (pt), Alcatel and Convex. João is currently the President of the Portuguese Association for the Promotion of Information Security (AP2SI – www.ap2si.org).
CISSP (2005), ISO 27001 LA (2007), CISA (2010), CDMP.
http://www.linkedin.com/in/jbarretosysvalue
Luis Grangeia - Partner & Auditing Manager
Partner since 2005. Studied Engineering and Computer Systems at Instituto Superior Técnico. Over 10 years’ professional experience, having worked previously at SideStep.
GSNA Gold (2001), CISSP (2005), ISO 27001 LA (2007), CISA (2010).
http://www.linkedin.com/in/lgrangeia
http://www.slideshare.net/lgrangeia
http://www.sysvalue.com/ResourcesUser/docs/dns_cache_snooping.pdf
(The technique presented in the paper above was used by Dan Kaminsky on the Sony rootkit; story at: http://www.wired.com/politics/security/news/2005/11/69573)
SysValue
Team for Auditing
Five members (auditing team only):
• Luis Grangeia (team leader, see previous slide);
• Tiago Pereira:
  • 5 years at SysValue, 6 years professional experience in Information Security;
  • College Degree in Information Systems;
  • Post-Graduate in Information Systems Auditing;
  • CISA, GPEN
  • http://linkedin.com/in/tiagompereira
• Francisco Guerreiro:
  • 3 years at SysValue, 7 years professional experience;
  • 2 years work experience at UK companies (Local Borough Council, Orange, Atos Origin);
  • http://linkedin.com/in/francisg
• Tiago Henriques:
  • MSc by Research in Information Security and Computer Forensics, University of Bedfordshire
  • BSc Software Engineering, University of Brighton
  • http://linkedin.com/in/balgan
SysValue
Team for Auditing
• Miguel Marques:
  • 4 years at SysValue;
  • Born in Maputo, Mozambique;
  • Studied Engineering and Computer Systems at Instituto Superior Técnico;
  • Portuguese nationality (working to obtain dual nationality – Portugal-Mozambique);
  • En route to achieving GSNA certification before year’s end;
  • http://www.linkedin.com/profile/view?id=3668678
SysValue
Team for Auditing (cont.)
• Excellent written/spoken English skills;
• Experience in report writing in English (for international customers, such as AXA Group).
SysValue, “the reliability company”
Our Clients
SysValue
Clients (auditing only)
[Client logos grouped by sector: Telcos & Media, IT Services, Financial Services, Central Administration, Others]
SysValue
Clients: A Case Study
• MEO: the IPTV product of Portugal Telecom, the first full-featured IPTV service in Portugal, launched in 2007;
• SysValue performed an extensive end-to-end security assessment at the time of launch:
  • Emulation of a malicious IPTV customer:
    • Web application security reviews of self-care Web apps and other portals;
    • Hardware modification of set-top boxes and firmware reverse engineering;
    • Infrastructure pen-test through the IPTV interface;
  • Emulation of a malicious corporate insider:
    • Pen-test of core and distribution networks through unprivileged corporate network access;
    • Web app testing of operations and management portals (content acquisition, video-on-demand publishing, etc.)
Why SysValue, “the reliability company”
Other References
[Client logos grouped by service: Auditing & Penetration Testing, Information Security Consulting, Business Continuity]
SysValue, “the reliability company”
What we can Offer
SysValue
Value proposition
• Independent, agile company
• Experienced in projects for European and African countries (e.g. AXA Group)
• Can provide competent professionals for Information Security projects anywhere in the world
• Considered the leader in Portugal for independent technical security reviews:
  • Accenture, PwC as partners.
• Fluent Portuguese (native language) and soft skills for working in Portuguese-speaking markets.
Contacts:
Filipe Rolo – Senior Sales Director
email: [email protected]
mobile: +351 914 131 020
http://www.sysvalue.com | http://en.sysvalue.com
Addresses:
Av. Eng. Duarte Pacheco, 26, 7 - 1070-110 Lisboa, Portugal
Rua Duarte Barbosa, 368, 4C - 4150-282 Porto, Portugal
Bairro Lar do Patriota, Rua 5, Casa 105 - Luanda, Angola