SITIS

Security Consultancy

Projects

The fabric of modern business processes at SMEs, large enterprises, government and public entities is increasingly dependent on a multitude of interconnected and interdependent secure infrastructures.

While core services such as mail, database, backup and other corporate applications have always been critical for the business to succeed, their delivery is increasingly enmeshed with communications infrastructure and cyberspace more broadly. SITIS Inc. has been recognized for its contributions to the field of digital information security.

Our cyber security projects integrate the most advanced cyber security technologies and components to secure the organization’s entire network so that business data can’t be breached.

We constantly monitor the latest cyber threats and integrate security tools such as malware and spyware detectors, intrusion detection, and more at each stage of software development. This allows us to be proactive and prompt in detecting any kind of malicious behavior and fixing it before it leads to a security breach.

As far as technical knowledge is concerned, our seasoned cyber security team has garnered years of theoretical and practical knowledge of application security, data secrecy, cryptography and network security in the cyberwarfare discipline.

The projects listed below address how cyber security fits into most of our clients’ requirements for adequate protection of their critical IT infrastructure:

Most organizations’ Security Policy (SP) and its supporting Standards specify requirements for protecting assets, including information, and direct the departments and agencies to which they apply to be responsible for streamlining and enhancing service delivery, reforming information technology (IT) practices, and clearly understanding the need to implement effective information security practices. Our clients’ dependence on IT infrastructure, and on the services provided to their customers and users, has added the need for trust and accountability in electronic transactions, such that the security objective is met when:
  • Information is observed by or disclosed only to those who have a right to know (confidentiality).
  • Information is protected against unauthorised modification (integrity).
  • Information is available and usable when required, and the systems that provide it can appropriately resist attacks and recover from failures (availability).
  • Business transactions as well as information exchanges between enterprise locations or with partners can be trusted (authenticity and non-repudiation).
An Information Security Framework comprises those structures and practices that an organization uses to minimize security risks to information over its entire lifecycle.

The Threat and Risk Assessment (TRA) process is not a means to an end. It is a continual process that, once started, should be reviewed regularly to ensure that the protection mechanisms currently in place adequately address the security requirements of the organization in terms of integrity, availability and confidentiality. TRA should be an integral part of the overall life cycle of the infrastructure. Any risk management model has to fit with how an organization makes decisions about its risk exposure and how it likes to manage it.

Many of our clients have requested SITIS Canada to conduct an independent security controls assessment of the potential risks of bringing their new system to production (in terms of people, process and technology). This specific review provides recommendations on what security controls should exist before the system is placed into a production state. It will include:

  • A brief Statement of Sensitivity (SOS) to identify and categorize the system’s assets according to their confidentiality, integrity and availability values, based upon injuries that may reasonably be expected in the event of a compromise;
  • An identification of deliberate threats, accidents and natural hazards that might affect these assets adversely with an analysis of the likelihood of occurrence and gravity of impact;
  • An assessment of vulnerabilities, based on an evaluation of existing or proposed security measures and their adequacy;
  • An analysis of residual risks for each asset that is vulnerable to specific threats; and
  • Where assessed residual risks exceed the [Low or Medium] level, a list of recommendations proposing additional safeguards to achieve a [Low or Medium] target risk level with an assessment of their effectiveness and cost. 

A Penetration Test, PenTEST, is the authorized, scheduled and systematic process of using known vulnerabilities in an attempt to perform an intrusion into host, network or application resources. The penetration test can be conducted on internal (a building access or host security system) or external (the company connection to the Internet) resources. It normally consists of using an automated or manual toolset to test the company.

PenTEST allows organizations to verify that new and existing applications, networks and systems are secured and not vulnerable to unauthorized data disclosure, misuse, alteration or destruction of confidential information, including Personal Identifiers. Therefore organizations are encouraged to test the internal and external network as part of the organization’s Security Policy and Program based on best industry practices.

There are two types of PenTEST. The Internal PenTEST refers to tests performed to identify vulnerabilities with physical access or exposures to social engineering. These tests are intended to determine what vulnerabilities exist for systems that are accessible to authorized network connections or login credentials that reside within the network domain of the organization.

The External PenTEST refers to tests performed to identify vulnerabilities that are present for connections that have been established through the organization, such as the connection to the Internet via the firewall or gateway. The objective of the test is to verify that the organisation’s internal domain is sufficiently secure from the corporate Internet site so that their sensitive information is not exposed to the outside world.

Powerful Penetration Testing Tools

Intruder is the most popular cloud-based network vulnerability scanner that helps you to find the cybersecurity weaknesses in your most exposed systems to avoid costly data breaches. It is the right solution for your cybersecurity issues and saves you a great deal of time.

Syxsense Secure provides Security Scanning, Patch Management, and Remediation in one console from the cloud, allowing IT and Security teams to stop breaches with one endpoint security solution.

Wireshark will provide you with detailed information about what is happening on your network. It provides decryption support for many protocols. Wireshark will allow you to export the output in XML, PostScript, CSV, or Plain Text.

Nmap is a port scanning tool. It is used for network discovery and security auditing. It can be used for network inventory and managing service upgrade schedules. It will also help you with monitoring host or service uptime.

Nmap is a must-have tool for ethical hackers. This is a very popular hacking tool that predominantly aids in understanding the characteristics of any target network.

Netsparker is a dead accurate automated scanner that will identify vulnerabilities such as SQL Injection and Cross-site Scripting in web applications and web APIs. Netsparker uniquely verifies the identified vulnerabilities, proving they are real and not false positives.

Acunetix is a fully automated web vulnerability scanner that detects and reports on over 4500 web application vulnerabilities including all variants of SQL Injection and XSS.

Core Impact claims the largest range of exploits available in the market. They also let you run the free Metasploit exploits within their framework if they are missing one. They automate a lot of processes with wizards, have a complete audit trail including PowerShell commands, and can re-test a client simply by re-playing the audit trail.

Cain & Abel: if cracking encrypted passwords or network keys is what you need, then Cain & Abel is the perfect tool for you.

Indusface WAS provides manual penetration testing bundled with its own automated web application vulnerability scanner that detects and reports vulnerabilities based on the OWASP Top 10. Every scan also includes a website reputation check of links, as well as malware and defacement checks of the website.

BreachLock is the industry’s first Artificial Intelligence, Cloud and Human Hacker powered automated web vulnerability scanner.

Metasploit is the most advanced and popular framework that can be used for pen-testing. It is based on the concept of an “exploit,” which is code that can bypass security measures and enter a certain system. Once it has entered, it runs a “payload,” code that performs operations on the target machine, thus creating a perfect framework for penetration testing.

Dradis is an open-source framework (a web application) that helps with maintaining the information that can be shared among the participants of a pen-test. The information collected helps to understand what is done and what needs to be done.

BeEF is a penetration testing tool that focuses on the web browser. It takes advantage of the fact that an open web browser is the window (or crack) into a target system and designs its attacks to go on from this point.

SET is a unique tool in that its attacks are targeted at the human element rather than at the system element. It has features that let you send emails, Java applets, etc. containing the attack code. It goes without saying that this tool is to be used very carefully and only for white-hat reasons.

John the Ripper is another password cracker. This tool works in most environments, although it’s primarily for UNIX systems. It is considered one of the fastest tools in this genre.

Nessus is another scanner to watch out for. It is one of the most robust vulnerability identifier tools available. It specializes in compliance checks, sensitive data searches, IP scans, website scanning, etc. and aids in finding the “weak spots”.

Other documented security testing methodologies:

  • Internal Network Scanning
  • Port Scanning
  • Manual Configuration Weakness
  • System Fingerprinting
  • Services Probing
  • Configuration Testing
  • Exploit Research
  • Manual Vulnerability Testing and Verification
  • Testing and Verification
  • Limited Application Layer Testing
  • Firewall and ACL Testing
  • Administrator Privileges Escalation Testing
  • Password Strength Testing
  • Network Equipment Security Controls Testing
  • Database Security Controls Testing
  • Internal Network Scan for Known Trojans
  • Third-Party/Vendor Security
  • Government of Canada Security Policy – GoC Policy – IT Framework Technology
  • Government of Canada’s Harmonized Threat and Risk Assessment (HTRA)
  • CERT-OCTAVE Criteria Version 2; OCTAVE Method Implementation Guide Version 2.0
  • PRISM™, a Performance and Risk-based Integrated Security Methodology

By monitoring, detecting, investigating, analyzing, and responding to security events, SITIS Canada cybersecurity specialists protect systems from cybersecurity risks, threats, and vulnerabilities. Our cybersecurity specialists work on IT teams that are dedicated to protecting the integrity of the business’s network and data in the following areas:

  • Access control
  • Antivirus and anti-malware software
  • Application security
  • Behavioral analytics
  • Data loss prevention
  • Distributed denial of service prevention
  • Email security
  • Firewalls

Our cybersecurity team observes five types of cybersecurity techniques, which help reduce cyber attacks against your organization.

  • Critical Infrastructure Cybersecurity
  • Network Security
  • Cloud Security
  • Internet of Things Security
  • Application Security

The Enterprise Security Architecture is a conceptual design of the network security infrastructure, related security mechanisms, and related security policies and procedures.  It includes all aspects of security governance, security technology architecture, and security operations required to protect the information technology assets of the enterprise. 

Enterprise security starts with defining an enterprise security program framework that places security program management in the larger context.

Cloud security refers to the technologies, policies, controls, and services that protect cloud data, applications, and infrastructure from threats. Cloud security is a responsibility that is shared between the cloud provider and the customer. 

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. 

The Internet of Things (IoT) describes the network of physical objects, or “things”, that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the Internet. IoT security incorporates techniques, strategies and tools to protect these devices from unwanted intruders and cyberattacks.

IoTSF is a collaborative, non-profit, international response to the complex challenges posed by cybersecurity in the expansive hyper-connected IoT world. As such, IoTSF is the natural destination for IoT users and technology providers including IoT security professionals, IoT hardware and software product vendors, network operators, system specifiers, integrators, distributors, retailers, insurers, local authorities, government agencies and other stakeholders.

Application security is an essential part of the software development lifecycle, and getting it right should be a top priority in today’s ever-evolving and expanding digital ecosystem. Application security is the practice of protecting your applications from malicious attacks by detecting and fixing security weaknesses in your applications’ code. 

The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.

Other Services

Business Contingency

Business Resumption Plan (BRP), Business Continuity Plan (BCP), Disaster Recovery Plan (DRP)

Digital Forensics

Research and Investigations, Media Exploitation, Incident Response and Net-Forensics

Planning & Architecture

Applications, topology, perimeter, e-Business, remote access.

Prevention & Detection

Intrusion detection, vulnerabilities, incident response. Managed Vulnerability Assessment.

Incident Response Services

Vulnerability Assessment, Incident Response and Crisis Management.

Security Review

Host Build, Network Architecture and Design, Firewall Rule Set, Application Source Code

Penetration Testing

Voice Over IP (VoIP), Database, Network (Webserver, Apps, Fileservers), Wireless (WiFi)

Security Framework

IT Governance and Policy Framework

Training & Awareness

Customized courses, seminars & workshops