Penetration testing

Ever wondered if a skilled hacker can break into your website, infrastructure, business application, wireless (guest) network, mobile device, etc.? I can give you that insight by mimicking a hacker in what is called an ethical hack or penetration test. I believe a penetration test is far from a scan with standard scanning tools. Every test is a custom job.

After we agree on exactly which components are in scope, I will test how effective the IT security measures are. Once weaknesses are identified, these are exploited in a controlled manner in order to identify the technical and the business impact.

I believe the actual testing is only part of the job. An equally important part is your understanding and knowing the way forward. In my reporting I find it important that you not only receive the identified findings, but also a quality management summary of the findings and their impact, along with the main recommendations.

Red teaming

Where the goal of a penetration test is to test the security of a strictly defined IT scope, the goal of red teaming is to test your organisation's resilience to real-world attacks; attacks that include techniques and objects you might not even have thought about.

A red team may combine many different types of attack (e.g. social engineering, physical security testing, malware dropping, etc.), spread its attacks over a longer period of time, build custom tools and use exploits that are not publicly known, strive to stay hidden for a longer period of time, gain multiple ways of persistent access and exfiltrate data.

We believe an equally important step of red teaming comes after the attack, when we present the results. We believe in extensively sharing and presenting all steps and details with your defensive team. Only in this way can we maximise the learning effect.

As red teaming requires many different hacking skills in order to be most effective, Linq42 teams with other professional hackers that add to the total skill set of the red team. All team members will be known to you before the start of the engagement.

IT security advisory

Sometimes you just want an expert's advice on an IT security topic you are battling with. Maybe you are developing a product and want an external view on its security setup. Maybe you want advice on your cyber security strategy. Perhaps you want an assessment of the risks associated with the use of a certain application within your IT environment. Or maybe your team requires in-depth IT security training or security awareness so they understand how to build better defences.

What I find important in my advisory services is that I'm independent and skilled, and that my advice is tailored to your needs. Whether you need a second opinion, a risk assessment, or support in an ongoing project, contact me to see if I can be of help.

IT audit

An IT audit is a thorough assessment of both the technical configuration and the administrative processes and governance of a given object. If you require such an assessment, there are many IT auditors that can help you with this. Unfortunately, many lack the technical expertise to perform an in-depth assessment. That's why I focus on IT audits of technical systems and components while keeping in line with official guidelines and regulations from certification bodies. I'm qualified to perform these audits as I'm a registered IT auditor (RE) and CISA certified.

Selection of past engagements

To give you a better idea of my experience, I've provided a short selection of engagements performed in the last few years:

  • Periodic penetration tests and IT audits for a mid-sized Dutch bank, helping them become more mature in IT security. Scope included customer-facing websites and e-banking portals, as well as internal IT systems. Reported to the head of IT operations and the Board of Directors.
  • Performed countless penetration tests for an international petrochemical company. The scope included infrastructures, applications and appliances, e.g. Citrix, SAP, mobile apps processing highly confidential data, large-scale network inventory scans, AD, DNS, databases, end-user devices, secured cells, et cetera. Basically everything with an IP address has been in scope at some time. Reported to IT auditors and to IT operations.
  • For a large Dutch firm's new building housing 2000+ employees, verifying the security of all network-connected things that were not part of regular IT. This included breaking into physical security systems and the building management system, allowing for the control of physical doors, lighting, heating and air conditioning. Reported to the IT security officer.
  • Numerous penetration tests and security audits in support of the financial auditor. Procedures and technical implementations were verified in search of insecurities that the financial auditor needed to be aware of. Reported to the financial auditor.
  • Several IT audits and reviews using common frameworks, e.g. ISO27001, PCI, COBIT. Where possible, technical (penetration) tests were included in the modus operandi. Reported to the client's audit department and management board.
  • Risk assessment on the usage of DropBox and Prezi for a large Dutch firm with remote workers processing confidential data. Advice included technical measures as well as proposed procedural changes. Reported to the IT security officer.
  • Multiple two-day hands-on trainings of fellow international hackers on mobile security for iOS, Android and popular MDMs.
  • Multiple two-day Master Classes on the security of mobile devices. Training IT managers, IT auditors and security officers on the risks of mobile devices, apps and BYOD and how to counter these risks.
  • Penetration test on mobile apps used during an international conference for national leaders. Reported to IT security experts at the relevant government agency.
  • Review of implemented security measures in selected network, OS and application components for the Netherlands' largest web shop. Reported to the IT security officer.
  • Several international companies: acting as trusted advisor for incorporating mobile devices and line-of-business apps in a secure and controlled way. As part of this role, several risk assessments and penetration tests were performed on the platforms, MDM solutions and developed apps. Reported to IT security officers and heads of IT operations.