
Port Zero
About the company
Services
One of the key measures for optimizing the resilience of security-relevant IT systems and applications, penetration testing comprises a solicited series of controlled intrusion attempts by security experts to identify a system's vulnerabilities and assess the corresponding risks. Penetration tests are an essential strategy component for companies that want to ensure and optimize their products' robustness against malicious attacks and other pertinent threats. As such, regular penetration tests are also required by most security certification and compliance frameworks.
* you will have a concise understanding of your product's security level
* you will get a detailed report about:
  * what aspects of your product were tested
  * and how they were tested
  * a list of findings (security risks) classified by severity
  * a recommended action you can perform yourself to address each discovered risk
* you will get an immediate alert from us if a major risk is discovered
* you will get a list of actionable tasks to improve the security of your product
* you will have full compliance, and the means to prove it, with regard to the pentest requirements of security certifications (e.g. ISO 27001, PCI DSS, TISAX, BSI Grundschutz, GDPR)
* you will get a final presentation workshop where we'll discuss the findings and the best course of action you can take
WHAT YOU CAN EXPECT
When you contact us about performing a pentest, this is our recommended course of action:
- Requirements: You will first explain your goals, what you want to achieve with the pentest, your setting and requirements. This will allow us to select the right type, scope and duration for the pentest with you.
- Offer: You will receive a binding offer from us to perform the pentest for you with the requirements and scope above.
- Preparation Call: When you accept our offer, you will plan with us what is allowed (e.g. production systems are off limits; only non-destructive testing) and exchange a secure channel of communication for alerts and quick response.
- Pentest: We will perform the pentest for you and transparently update you on the progress at regular intervals.
- Report: You will receive our pentest report listing all findings, classified by severity, each with a recommended action to address it.
- Final Presentation: You can discuss the findings with us and plan the best course of action to address them.
WHAT TYPES OF PENTESTS
- Blackbox: You do not want us to know anything about your systems before we start testing (simulates an outside attacker).
- Whitebox: You share knowledge about your systems, and possibly restricted accounts, with us (simulates an attacker with inside knowledge).
- Grey: You let us start with no knowledge and no accounts, and share both with us after a while (simulates an outside attacker who later gains a foothold).
PENETRATION TESTING AT PORT ZERO
While there are many tools to automatically scan arbitrary systems for the most obvious vulnerabilities, our security engineers instead focus on the individual characteristics of your product's technical architecture, thus simulating the actions of experienced intruders targeting your product in a realistic attack scenario.
• We manually probe your infrastructure's unique attack surface to produce the most valuable insights about your product's vulnerabilities.
• Our teams consist of experts specialized in diverse technical fields to ensure we fully meet your product's individual security challenges.
• Vulnerabilities only exist in their risk context. We pay special attention to interpreting our findings within your respective threat landscape.
• We believe in close personal communication with you throughout the whole process to maximize your direct gain of knowledge about your product.
Methodology
Our many years of experience in the field have led to a solid testing methodology, firmly based on proven industry standards and best practices of the security community (like the Implementation Concept of the German BSI or the OWASP Testing Guide).
• Building on these standards, our procedural steps will be laid out with respect to your situational needs and requirements. Before we start, we will listen.
• Our teams include expert consultants in the fields of various relevant security compliance and certification frameworks (like ISO 27001, BSI-Grundschutz, PCI DSS) to ensure we fulfill their methodological requirements.
Customer Reporting
To produce the highest possible gain of knowledge, our final reports are tailored towards your operational use after the project. Besides management summaries for decision makers, their core regularly consists of in-depth technical explanations of our findings, each detailed with a severity assessment and technical/organisational recommendations for its elimination. Of course, we will respect any risk management methodology implemented in your organisation and can match our reports to it.
We perform a risk analysis of the client's services, systems, tools and infrastructure and weigh them against the economic costs that would be incurred in the event of a loss.
The result is a prioritized list of security risks and proposed measures (highest priority is given to gaps with high risk and high potential damage).
The aim of threat modelling is to identify and understand the most valuable assets and the greatest risks (easy to carry out and causing major damage). The workshop will teach threat modelling frameworks such as STRIDE for the systematic identification of risks, and in general a risk-based approach to IT security. This allows you to make sound technical decisions and to invest resources where they have the greatest benefit (e.g. very valuable assets combined with high risk). In addition, best-practice defence strategies for the attack vectors covered are presented and applied together with the participants.
During the interactive workshop, the participants will be trained in modern best-practice approaches in order to identify future threats within their design and development processes. The workshop is documented, and the key results are subsequently provided and presented together with an action plan. The workshop and its results are also intended to be a fundamental measure for improving IT security within the company and that of its products. To this end, the individual findings of the workshop provide valuable prerequisites on which subsequent measures can be built.
The workshop can take place either on site or remotely via video conference and is led by methodically experienced security engineers.
Suggested Agenda
# Day 1
09:00 – 09:30 Kick-off and getting to know each other
09:30 – 10:30 Current threats / previous security incidents
10:30 – 10:45 A short break
10:45 – 11:30 Determining the attack surface / definition of the scope / look at the architecture and previous measures
11:30 – 13:00 Introduction into Threat Modeling Frameworks (e.g. STRIDE)
# Day 2
09:00 – 09:30 Welcome back and Recap
09:30 – 11:00 Creation of Threat Models (in small groups)
11:00 – 11:15 Short break
11:15 – 12:15 Presentation and discussion of the results
12:15 – 13:00 Integration of threat modelling into the development process (presentation of tools such as OWASP Threat Dragon)
13:00 – 13:30 Open discussion and feedback
Follow-up after the workshop
- Preparation of a summary of the key findings
- Joint 1-hour call for further action / next steps (presentation and handover of the report)
Our security awareness workshops aim to educate your team members about cybersecurity threats and best practices for protecting your organisation’s information and assets. The workshops can be conducted in-person or online and are led by our experienced trainers.
Who – Our trainers
At Port Zero, we have a team of certified security experts with a deep understanding of the challenges in the field of cybersecurity. In addition to their technical expertise, our security experts have strong communication and teaching skills in order to effectively convey the material.
Why – Peace of mind
Cybersecurity attacks can have serious consequences for businesses, including financial loss and damage to reputation. By participating in our workshops, your team will be better equipped to recognise and prevent such attacks.
How – Interactive learning
Our security awareness workshops are tailored to your industry and specific needs, and cover topics such as phishing attacks, password security, and secure browsing habits. The workshops are interactive, with opportunities for your team to ask questions and participate in hands-on exercises.
We provide quick emergency support in case of incidents: handling the actual incident (incident response), analysing the root causes (forensics) and helping to remediate them, and restoring systems to an operable state.
* analysing the situation and its criticality
* support in handling the situation
* quick help to get back into a working state
* consultation on informing data privacy and police authorities
* help in dealing and communicating with attackers/blackmailers
* analysis of the attack, vulnerabilities and entry points
* assessment of compromise
* first aid for quick security measures to alleviate the situation
* recommendations for security measures to prevent such situations in the future
* consultation on client/customer communication
We provide consulting and support for the introduction of security certifications and the associated development of an ISMS.
In addition to consulting, we are also happy to take on the active development of the ISMS (e.g. writing policies, processes, etc.), as well as the project management associated with the introduction (coordinating all internal resources, roadmap, milestones, task plans, regular meetings, etc.).
We are happy to get you started on your journey towards building an ISMS and getting certified.
Depending on where you are on this journey, the first steps are:
- Scope Workshop: Select and formulate a suitable scope for the ISMS.
- Gap Analysis: Understand what is already there, what is missing and what needs to be improved.
- ISMS Structure: Choose a platform/tool for the ISMS and create it in its basic structure, so it can grow over time.
- Road Map: Depending on your time goals, we can help you set down a sensible roadmap. This covers logical steps that should go first because others depend on them, things that need to be in place for a while before certification, and things that simply take a lot of time to implement, all put into a logical, doable order with effort estimates and a milestone plan.
- Building the ISMS: Supporting you in actually filling the ISMS with life: writing policies, overhauling processes, checking security controls, introducing mandatory meetings, etc.
- Internal Audit: Performing an internal audit before the actual audit, both because this is required by most certifications and because it clearly shows you the final steps/changes needed before the actual audit.
Contact
Michael Prinzinger