Consulting

Clients who have trusted us

Professional services


External and internal penetration tests

Dedicated penetration tests for wireless networks

Dedicated penetration tests for IP telephony

Penetration tests in compliance with PCI DSS requirements

Aligned with industry best practices

Different approaches: black box, white box and gray box

Security gap analysis of the PCI cardholder data environment

Gap analysis of the ISO/IEC 27001 information security management system

Gap analysis of personal data protection: local regulations and GDPR

Collaboration in compliance with PCI DSS, ISO/IEC 27001 and GDPR

PCI vulnerability analysis

Periodic PCI penetration tests

Penetration tests of external and internal applications

Dedicated penetration tests for mobile applications

OWASP Top Ten penetration tests

Aligned with industry best practices

Different approaches: black box, white box and gray box

Definition of process management systems

Development, redesign, implementation and process improvement

Process evaluation / audit (ISO/IEC 27001)

Assistance in project management

Strategic dashboards or processes

Application security assessment

Technological risk analysis

Compliance and legislation assessment

Platform hardening

Internal and external penetration tests (ethical hacking)

Adaptation to personal data protection law

IT audits

Technology management models based on ITIL v2, v3 and COBIT

IT strategic planning and business alignment

Development and implementation of ITIL processes

IT systems integration

IT process assessment

Implementation of project management methodology

IT and information systems support area

Business continuity planning and disaster recovery

Risk analysis

Design and documentation of internal controls for business and IT (COBIT, COSO)

Development of management plans for the control environment

Control design and test execution

Active Directory design and implementation

Design and implementation of email infrastructure

Deploying firewalls and VPN

Deploying voice over IP and IP telephony

Database implementation and administration

Forensic expert analysis of unauthorized access to private servers

Capture and preservation of digital evidence

Forensic expert analysis of security breaches

Forensic analysis of video, digital images and audio

Corporate IT security expert witness services

Examination of company IT infrastructure

Design and implementation of awareness programs

Delivery of specialized information security courses for technical personnel or general audiences

Development of communication tools for broad audiences

Social engineering and phishing simulations

Development of online courses or trainings


Security continues


ACC: Adoption of Cloud Computing


Many organizations have made the strategic decision to migrate to the cloud in order to take advantage of the many benefits of cloud computing; however, they do not always have the time and experience to face the new paradigm efficiently and successfully. A major challenge for infrastructure leaders is to identify the cloud computing offerings most appropriate to the needs of the company and the objectives it defines for its services, which requires specialization in the different areas of the new paradigm. Although the concept of cloud is associated with easing and simplifying the traditional infrastructure problem, this holds only to the extent that, at each stage, decisions are made that benefit the organization, overturning the myth that the cloud is just virtual machines on powerful servers.

Adoption Model



Benefits

Main issues


  • Which providers could deliver cloud services aligned with business requirements?
  • What limitations exist in the migration and how can they be minimized?
  • How to present the migration project to non-technical decision makers?
  • What is the best deployment model? Private | Public | Hybrid | Community
  • Which service model should you choose? IaaS | PaaS | SaaS
  • Which services do you use for compute, storage, database, networking, development, administration, security, analytics, ...?
    - Microsoft Azure: Web Sites | Virtual Machines | Mobile Services | Cloud Services | Storage | Media Services | ...
    - Amazon: AWS EC2 | EC2 Container Service | Elastic Beanstalk | Lambda | ...
    - Office 365
    - G Suite
  • What is your optimal architecture?
  • How to minimize the likelihood of hidden costs (not considered initially)?
  • How to adapt administration and operation processes to the new paradigm?
  • What training does internal staff require for their new roles?

Frameworks

  • ISO
    - ISO/IEC 17788 (Information technology -- Cloud computing -- Overview and vocabulary)
    - ISO/IEC 17789 (Information technology -- Cloud computing -- Reference architecture)
    - ISO/IEC 19086-1 (Information technology -- Cloud computing -- Service level agreement (SLA) framework -- Part 1: Overview and concepts)
    - ISO/IEC 27017 (Information technology -- Security techniques -- Code of practice for information security controls based on ISO/IEC 27002 for cloud services)
    - ISO/IEC 27018 (Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • NIST
    - NIST Cloud Computing Program
  • CSA
    - Security Guidance for Critical Areas of Focus in Cloud Computing
  • Academic papers
    - Cloud Computing Adoption Framework: a security framework for business clouds
    - Cloud Computing Adoption Model




Awareness program

The human factor remains the main cause of security incidents in organizations today, especially when personnel do not understand security risks or are not prepared for the threats in their environment.

The Awareness Program of Penta Security Solutions is a comprehensive solution that disseminates information security awareness through different channels such as courses, posters, banners, newsletters, wallpapers, videos and even evaluation tools (quizzes).

The program is entertaining and easy to implement, and effectively transfers information security best practices, emphasizing the protection of strategic and confidential information.

Characteristics


  • Easy to implement
  • Generates positive behavioral changes in staff
  • Understandable and audience-focused content
  • Adaptable to the communication formats of the organization

Benefits


  • Provides only information relevant to the user
  • Changes personnel behavior, achieving greater protection of their own and the company's information
  • Reduction of information security incidents
  • Increased incident reporting
  • Greater involvement of staff in information security
  • Compliance with regulations and standards

Working Methodology



Communication tools




Compliance with regulations and standards: PCI DSS, SOX, HIPAA, ISO/IEC 27001, privacy policy, BCRA.




Source code security audit


Software development areas tend to prioritize building applications that meet functional expectations, so security measures arrive late and vulnerabilities emerge. It is widely proven that early detection of vulnerabilities significantly reduces the costs and losses caused by security breaches.

This service consists of using different, properly configured automated tools together with manual analysis, which requires the cooperative work of professionals from different areas (development, architecture and security) to process the results, eliminate false positives, define the criticality of each finding and propose the best alternative solutions. It identifies risks and insecure source code practices at the different stages of development or maintenance.

Continuous auditing


Main areas of analysis

  • Authentication / Authorization
  • Session management
  • Cryptography
  • Input validation
  • Secure transmission
  • Error handling
  • Resource usage
  • Logging

Features

  • Successive analyses allow modifications to be planned so that they have minimal impact on development timelines
  • Integrates with agile development methodologies
  • It is a continuous process: monthly analysis over 12 months
  • Complements the QA phase
  • The resolution of detected vulnerabilities and the emergence of new ones are checked at each iteration
  • The development team effectively incorporates security concepts
  • Improves the security of all software produced by the same team

Supported programming languages



All trademarks and logotypes are property of their respective owners

Typical findings


  • Application flow alteration (redirection, access to areas that should not be available)
  • Possible client-side or server-side code injection
  • Information leakage and improper error handling
  • Abuse of functionality
  • Sensitive information in unencrypted files



ISA: Industrial Security Assessment

The emergence of the Internet and its adoption by organizations have generated great benefits at both operational and strategic levels, but have also changed how information flows within the organization. In companies with industrial activities the complexity increases further, affecting the way security is managed.

This service helps prevent security breaches derived from the integration of industrial systems and their exposure to the Internet. It consists of deploying different assessment tools whose results are investigated by our cybersecurity-certified professionals, allowing an exhaustive, in-depth analysis of the critical infrastructure and industrial network, and presenting the findings in a report with recommended actions. The scope covers zones 0, 1, 2 and 3 and their conduits (the zone and conduit model of ISA/IEC 62443).

Scope of the assessment


  • SCADA, PLC, RTU, DCS, IEDs, CNC
  • Servers
  • Operating Systems
  • HMI consoles
  • Operators and engineers workstations
  • Databases
  • Communication protocols
  • Field devices, telecommunications
  • Control network infrastructure

Modality

  • Essentials: 1 work week on site
  • Deep: 3 work weeks on site

Frameworks


  • ISA
  • NERC
  • NIST

All trademarks and logotypes are property of their respective owners

Benefits


  • Improves industrial security environment through an independent control
  • Reduces the costs of security incidents
  • Contributes to compliance of regulatory and standard requirements

Excellent level of analysis and detection of:

  • Individual activity per node / device
  • Statistics and reports
  • Bytes sent / received
  • Frames
  • DNS activity
  • Bandwidth consumption
  • Nodes switched off or down
  • Broadcast traffic
  • IP addresses / MAC addresses
  • NetBIOS
  • Load
  • Errors
  • Conflicts
  • Packet loss
  • Latency
  • Network diagram



Continuous vulnerability management

Public sites and services monitoring

This service addresses the problem of vulnerabilities in publicly exposed sites and services, and consists of deploying different vulnerability analysis tools.

The results of these tools are analyzed by our professionals, experts in ethical hacking techniques, who integrate, de-duplicate and contextualize the findings in monthly reports with recommended actions, with the added advantage of a customized vulnerability management portal with alerts and action plans that ensure remediation of the findings.

Features


  • Oriented to corporate services and web sites published on the Internet
  • Only requires the public IP addresses and the corporate URL
  • Uses different vulnerability scanning tools
  • Complemented with scripts developed by our professionals
  • Non-intrusive analysis, safe for production services
  • Results documented in technical reports and executive summaries
  • Monthly reports
  • Action plan management: indicators with the evolution of findings and corrections
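As an added illustration of the indicator described above (the evolution of findings and corrections between monthly reports), and equally of the source code audit's check at each iteration for resolved and newly introduced vulnerabilities, the following Python is example code, not the provider's portal or tooling. It keys each finding by host, port and check identifier, classifies the current month's results as new, persisting or fixed against the previous month, and derives the report indicators. The hosts, check identifiers and titles are constructed and follow no particular scanner's format.

```python
"""Track how findings evolve between two scan iterations.

Added example; this is not the provider's portal or tooling. A finding is
identified by (host, port, check id); the check ids and hosts below are
constructed for illustration and follow no particular scanner's format.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check_id: str   # scanner rule identifier (assumed format)
    severity: str   # one of SEVERITY_RANK
    title: str

    @property
    def key(self):
        # Same host, port and check across months means the same issue,
        # so it is tracked as persisting rather than counted again.
        return (self.host, self.port, self.check_id)


def _by_priority(finding):
    # Most severe first, then a stable order by host and port.
    return (-SEVERITY_RANK[finding.severity], finding.host, finding.port)


def diff_findings(previous, current):
    """Classify findings as new, persisting or fixed versus the previous run."""
    prev = {f.key: f for f in previous}
    curr = {f.key: f for f in current}
    return {
        "new": sorted((curr[k] for k in curr.keys() - prev.keys()), key=_by_priority),
        "fixed": sorted((prev[k] for k in prev.keys() - curr.keys()), key=_by_priority),
        "persisting": sorted((curr[k] for k in curr.keys() & prev.keys()), key=_by_priority),
    }


def indicators(diff):
    """Report indicators: counts per status, remediation rate, open findings by severity."""
    previously_open = len(diff["fixed"]) + len(diff["persisting"])
    rate = len(diff["fixed"]) / previously_open if previously_open else 1.0
    open_by_severity = {}
    for f in diff["new"] + diff["persisting"]:
        open_by_severity[f.severity] = open_by_severity.get(f.severity, 0) + 1
    return {
        "new": len(diff["new"]),
        "fixed": len(diff["fixed"]),
        "persisting": len(diff["persisting"]),
        "remediation_rate": round(rate, 2),
        "open_by_severity": open_by_severity,
    }


# Constructed sample data: two monthly runs over two public addresses.
MONTH_1 = [
    Finding("203.0.113.10", 443, "TLS-1.0-ENABLED", "medium", "TLS 1.0 enabled on HTTPS service"),
    Finding("203.0.113.10", 80, "HTTP-DIR-LISTING", "low", "Directory listing enabled"),
    Finding("203.0.113.11", 22, "SSH-OUTDATED", "high", "Outdated SSH server version"),
]
MONTH_2 = [
    Finding("203.0.113.10", 443, "TLS-1.0-ENABLED", "medium", "TLS 1.0 enabled on HTTPS service"),
    Finding("203.0.113.11", 22, "SSH-OUTDATED", "high", "Outdated SSH server version"),
    # A service that did not exist last month shows up as new; a new host:port
    # pair is also how an unauthorized publication would surface.
    Finding("203.0.113.11", 8080, "ADMIN-PANEL-EXPOSED", "critical", "Administrative panel reachable from the Internet"),
]

if __name__ == "__main__":
    delta = diff_findings(MONTH_1, MONTH_2)
    for status, items in delta.items():
        print(f"{status}:")
        for f in items:
            print(f"  [{f.severity}] {f.host}:{f.port} {f.check_id} - {f.title}")
    print(indicators(delta))
```

Keying on the check identifier rather than the finding title matters in practice: scanners reword titles between plugin versions, and a title-based comparison would report the same issue as fixed and reintroduced in the same month. The remediation rate is computed only over findings that were open last month, so newly discovered issues do not dilute it.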

Modality

  • 12 months service
  • Fixed monthly fee per pack of 10 IP addresses
  • Special discounts for more than 50 IPs

Frameworks


  • OWASP
  • national security
  • NIST
  • OSSTMM

All trademarks and logotypes are property of their respective owners

Complementary services


  • Social engineering
  • Monitoring to identify new services or corporate web sites published without authorization
  • Pen-Test / Ethical Hacking
  • Standards and regulations compliance audit for websites (W3C, WCAG A, AA and AAA)

Benefits

  • Preventive control over published corporate web sites and services
  • Improvement in the security environment through an independent control
  • Excellent tool for planning and investment justification in security
  • Reduces the costs of security incidents
  • Contributes to the fulfillment of regulations and standards requirements
  • Facilitates the progress analysis of perimeter security
  • Technical and executive monthly reports

Digital surveillance

Open source monitoring

The high impact of social networks and the power of individual expression on the Internet have produced negative effects on corporations. In many cases these situations were not identified in time, causing further contingencies in the effort to repair reputation and corporate image.

This service enables the prevention and early detection of negative situations by monitoring published open sources, both the navigable Internet and the Deep Web, for early identification of possible negative actions or information leakage that could affect the corporate group (its companies and brands), facilitating decision making against adverse scenarios arising in cyberspace.

Features


  • Covers both navigable Internet and the Deep Web
  • Only requires knowledge of companies and brands belonging to the corporate group
  • Different tools are used for Internet searches, incorporating artificial intelligence
  • Analyses are oriented mainly to Spanish, English, Portuguese, French and Italian
  • The service has no impact on the company's services and is carried out silently
  • Results are documented in monthly reports with suggested preventive actions

Findings


  • Corporate credentials that are published as a result of theft or user error
  • Phishing attempts of corporate brands
  • Look-alike domain registrations (aimed at phishing and other deception techniques)
  • Negative sentiment toward group companies
  • Organization of, or calls to carry out, attacks, sabotage or other malicious activities
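The look-alike domain finding above is the one of these that can be reduced to a concrete check. The following Python is an added example, not the provider's tooling: it generates the variants a typosquatter typically registers for a brand domain (character omission, repetition, transposition, homoglyph substitution, combosquatting with words like "login", and the genuine label on other TLDs) and matches them against a feed of newly registered domains. The brand domain is the reserved example.com and the feed is constructed; the homoglyph and affix tables are assumptions that a real deployment would extend.

```python
"""Generate look-alike variants of a brand domain and match them against a
feed of newly registered domains.

Added example; not the provider's tooling. The brand domain is the reserved
example.com and the registration feed below is constructed for illustration.
Only the registrable domain (label.tld) is compared, so a feed entry must be
in that form; multi-label suffixes such as co.uk are not handled here.
"""

# Characters that are visually confusable in common fonts or on small screens
# (assumed table, deliberately small).
HOMOGLYPHS = {
    "o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"],
    "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"], "d": ["cl"],
}
TLDS = ["com", "net", "org", "co", "info"]          # assumed watch list
AFFIXES = ["secure", "login", "account", "support"]  # assumed combosquat words


def lookalike_labels(label):
    """Return label variants produced by common typosquatting techniques."""
    variants = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])             # omission
        variants.add(label[:i] + label[i] + label[i:])       # repetition
        for sub in HOMOGLYPHS.get(label[i], []):             # homoglyph swap
            variants.add(label[:i] + sub + label[i + 1:])
    for i in range(len(label) - 1):                          # transposition
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for affix in AFFIXES:                                    # combosquatting
        variants.add(f"{label}-{affix}")
        variants.add(f"{affix}-{label}")
    variants.discard(label)
    return variants


def lookalike_domains(domain):
    """All look-alike domains for a brand: variant labels on every watched TLD,
    plus the genuine label on TLDs other than the brand's own."""
    label, _, tld = domain.lower().partition(".")
    result = {f"{v}.{t}" for v in lookalike_labels(label) for t in TLDS}
    result |= {f"{label}.{t}" for t in TLDS if t != tld}
    result.discard(domain.lower())
    return result


def match_feed(brand_domains, feed):
    """Return (registered_domain, impersonated_brand) for each feed entry that
    is a look-alike of one of the monitored brands."""
    candidates = {}
    for brand in brand_domains:
        for variant in lookalike_domains(brand):
            candidates.setdefault(variant, brand)
    hits = []
    for entry in feed:
        normalized = entry.strip().lower()
        if normalized in candidates:
            hits.append((normalized, candidates[normalized]))
    return hits


# Constructed sample feed of "newly registered" domains.
NEW_REGISTRATIONS = [
    "examp1e.com",        # l -> 1
    "exarnple.net",       # m -> rn
    "example-login.com",  # combosquatting
    "example.co",         # brand label on another TLD
    "unrelated-site.org",
]

if __name__ == "__main__":
    for registered, brand in match_feed(["example.com"], NEW_REGISTRATIONS):
        print(f"{registered} impersonates {brand}")
```

Generating the candidate set up front and matching by exact lookup keeps the per-entry cost constant, which is what makes it practical to run against a daily zone-file or certificate-transparency feed rather than a handful of domains. The variants that matter most for reporting are the ones that resolve or have a certificate issued, so a real service would enrich each hit with DNS and TLS checks before raising it.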

Benefits


  • Facilitates the anticipation of possible attacks or fraudulent activities
  • An excellent tool for planning and justification of security investment
  • Reduces the costs of security incidents
  • Optimizes legal processes derived from identified illegal acts
  • Improves the design of awareness campaigns on information security
  • Contributes to the fulfillment of regulations and standards requirements

Service products


  • Summary of findings, criticalities and levels of impact
  • Legally oriented information to facilitate filing complaints and handling the identified contingencies
  • Dashboard with indicators summarizing the observed scenarios and their criticality levels

Modality


  • 12 months service
  • Fixed monthly fee per brand
  • Special discounts for more than 5 brands


Have some questions?