KITS - Presentation ENG

KEEP-IT-SECURE-24

TABLE OF CONTENTS

01 Services
02 Our Team Profile
03 Integrity Certifications & Accreditations
04 Our Clients
05 Introduction
06 Security Tests
07 Traditional Pen-Test Model
08 KEEP-IT-SECURE-24
09 Security Certifications & Accreditations
10 Management Platform
11 References
12 Conclusion


Services

Offensive Security Consulting

Business area focused on performing Technical Security Audits, namely Penetration Testing.
Integrity has an innovative approach for Persistent PenTesting (KEEP-IT-SECURE-24).
Leading Portuguese company in PenTesting with regard to Certifications, Projects and Team.

Cybersecurity Engineering

Business area focused on delivering Consulting Services in Information Security based on industry-recognized Best Practices.
Integrity has an innovative approach for Continued ISMS Services (KEEP-IT-MANAGED-24).
Proven experience in the implementation and support of the International Standards ISO 27001 and ISO 27701 and of the GDPR.

Managed Services

Cybersecurity assessments, namely of 3rd Parties.
Technical Controls Audits.
CIS Controls - Maturity Assessment or best practices in information system configuration.
PCI QSA - Implementation Services and compliance support.

Awareness Training Services

Training and awareness in Information Security (Lisbon Security Academy), Awakening, Development, Infosec Management.
Online / Video Training.
Table Top Exercises for Top Management.

Assessment and rating of organisations' global Information Security Posture (Infosec Rating).

Our platforms: Integrity GRC | Vulnmanager


Our Team Profile
Our focus is the Integrity of People, Processes, Information and Organizations

As a Service company we are essentially focused on, and continuously invest in, the knowledge, the experience and the continual training of our resources.

In the Information Security scope, we have a set of highly experienced consultants who have more than 15 years of experience in consulting, auditing and management of critical projects in the InfoSec field.

• CISA (Certified Information Systems Auditor);
• CISM (Certified Information Security Manager);
• CRISC (Certified in Risk and Information Systems Control);
• ISO 27001 Lead Auditor;
• CISSP (Certified Information Systems Security Professional);
• CISSP-ISSMP (Information Systems Security Management Professional);
• OSCP (Offensive Security Certified Professional);
• GPEN (GIAC Penetration Tester);
• eWPTX (eLearnSecurity Web application Penetration Tester eXtreme);
• OSWE (Offensive Security Web Expert);
• PCI QSA (Qualified Security Assessor);
• MSc Information Security;
• PG Information Security.
Integrity Certifications & Accreditations

ISO 27001 (2012)
ISO 27001 is the International standard for Information Security Management System, and for Integrity, being a key company in Consulting, Advisory and Auditing services in Information Security, implementing and being certified in the standard was a natural next step. The scope of certification aims at Consulting, Auditing and Advisory in Information Security of our clients' projects.

ISO 9001 (2014)
ISO 9001 sets out the criteria for a quality management system and it's based on a number of quality management principles including a strong customer focus, the motivation and implication of top management, the process approach and continual improvement. The scope of the certification aims at Consulting, Auditing and Advisory in Information Security and Implementation of Management Systems.

CREST (2014) and PNSC (2017)
Integrity is accredited by CREST for its penetration testing services, after being submitted to a certification process for technological and management practices. Integrity has the National Industrial Security Credential, with National and Secret grade, assigned by the Portuguese National Security Cabinet (PNSC).

PCI (2020) and Bancontact (2021)
Integrity was recognized by PCI Security Standards Council as a Qualified Security Assessor (QSA) certified entity. Integrity is accredited by Bancontact to carry out payment security assessments in mobile applications.
Some of Our Clients

Currently, we provide services in more than 19 Countries over 5 Continents.

Crevisoft provides services to a considerable number of large and medium-sized companies both at a national and international level. If you wish to find out more about our references and our projects, we will be happy to arrange a meeting with you.

Sectors: Banking and Insurance; Retail; Aviation Industry; Energy; Healthcare; Government Organisations; Service; Transportation; Information Technology; Telcos; Entertainment.
Introduction

Vulnerabilities

Cybercrime will cost the world $6.000.000.000.000 per year by 2021.
(Cybersecurity Ventures)

Even though vulnerabilities are being increasingly discovered, their publication tends to decrease because the authors are beginning to use these findings for their own advantage!

The traditional defensive approach (patching, updating) has decreasing effectiveness under these circumstances.

Companies need to use innovative ways to monitor risks and detect them in a timely manner!

The risks companies are exposed to are diverse, ranging from broken confidentiality to denial of service, fines and PR issues.

Regardless of a company's size, the attacks prevail.

Security Tests

Usually Information Security Testing is conducted within an organization's Risk Management processes by having penetration testers perform Security Tests of its defenses through the eyes of potential attackers.

These Security Tests are usually performed by independent and external individuals who use methodologies and tools typically used by potential attackers.

Typically tests are performed on a yearly or semi-annual basis.

The Security Test deliverable is generally a report with a description of the identified vulnerabilities and recommendations to mitigate them.
Traditional Pen-Test Model

Characteristics:
• Independent
• External, Exempt
• Performed according to Hacking practices
• Goal: identifying vulnerabilities and recommending corrections
• Complements other Security intervention areas (Technology, Processes, Awareness)

Limitations:
• Does not keep up with the company's Change-Management processes
• Yearly / semi-annual / periodical regularity is incompatible with current vulnerability, infrastructure and application dynamics
• Does not explore the depth of potential vulnerabilities; business logic and application testing is not on par with Advanced Persistent Threats
• Current high cost decreases the regularity of testing
• Usually there is no vulnerability mitigation follow-up

KEEP-IT-SECURE-24

At KEEP-IT-SECURE-24 our expert consultants use methodologies and attack tools the same way potential persistent attackers do, and will provide you with continuous feedback and a management platform showing your current vulnerabilities and risk levels.
KEEP-IT-SECURE-24 vs Traditional Pen-Test Model – Overview

Comparison criteria (Traditional approach vs KEEP-IT-SECURE-24):
• Penetration Testing of Applications / Systems
• Continued Regular Testing
• Deep Pen Testing
• Scope: Limited (Traditional approach) / Not limited, dynamic (KEEP-IT-SECURE-24)
• Change Management Integration
• Re-testing After Correction
• Vulnerability Management Framework
• Online Metrics Regarding Risk Levels
• Reporting
• Correction Process Follow-up


KEEP-IT-SECURE-24 – Persistent Pentesting

Cyclic Scanning: perform/run cyclic scans on the defined scope (Applications and Infrastructure).

Deep Pentesting: perform manual testing in depth according to scope and predefined roadmap.

Re-Testing: perform re-testing.

Tests by Request: perform specific tests to address client needs.

Critical 0-Days: perform tests to assess assets' exposure to a specific 0-day vulnerability.

Dynamic Reports: dynamic reporting and effective vulnerability lifecycle management.

Management Platform: online Web Platform that customers can use to manage their assets, deal with associated vulnerabilities, extract reports and obtain online metrics.
KEEP-IT-SECURE-24 vs Traditional Pen-Test Model – More Efficiency

A traditional yearly test only represents a risk reduction at the point in time it is completed. The KEEP-IT-SECURE-24 service enables persistent risk management and risk reduction.
[Chart: Risk vs Time]

The depth of the one-off approach is reduced when compared to the persistent testing KEEP-IT-SECURE-24 service.
[Chart: Depth vs Time]
KEEP-IT-SECURE-24 – Testing Activities

[Chart: Coverage vs Complexity]

Human Penetration Tester:
• Unknown Vulnerabilities
• Reverse Engineering (protocols/applications)
• Complex Interactions Exploitation
• Business Logic Analysis
• OWASP TOP 10 (Complete and beyond!)
• Custom Web Applications (Requires Human Intervention)
• Customized COTS Web Applications

Web Application Scanners:
• OWASP TOP 10 (Partial)
• COTS Web Applications

Vulnerability Scanners:
• COTS Software
• OS and Basic Services
• Basic Network Infrastructure
Vulnerability Status – 1 year

Scenario:
Customer Size: Corporate
Typical Number of Apps: 10 (Critical) + 26 (Medium)
Published Vulnerabilities: 246

[Chart: vulnerability status from January to December, showing the Pen-Test and Complex Vulns series]
Pen-Test Phases

The KEEP-IT-SECURE-24 Model is persistent.

In the KEEP-IT-SECURE-24 model, the reporting is done based on the management tool.

In the KEEP-IT-SECURE-24 model, there is a bigger focus on the testing phase, particularly for web applications.
KEEP-IT-SECURE-24 vs Traditional Pen-Test Model – More Efficiency

Inefficiency

In the traditional Pen-Test model, a single human resource is allocated to perform all tasks.

This model reveals itself as inefficient since there are always low complexity tasks that consequently end up being performed by senior human resources.
[Chart: Complexity vs Level of Expertise (Low, Medium, High), with a single Expert covering all tasks]

The KEEP-IT-SECURE-24 service team is composed of people with distinct seniority levels; this permits us to allocate the resources in an efficient way since tasks are handed to each employee according to their know-how and experience.
[Chart: Complexity vs Level of Expertise (Low, Medium, High), with 1st Line, 2nd Line and 3rd Line teams]
Certifications & Accreditations

The KEEP-IT-SECURE-24 service is performed by specialists in Information Security and certified in ISO 27001, PCI QSA (Qualified Security Assessor), CISSP (Certified Information Systems Security Professional), OSCP (Offensive Security Certified Professional), CISA (Certified Information Systems Auditor), among others.

For auditing purposes or client presentation evidence, a KEEP-IT-SECURE-24 certificate from Integrity is made available, signed by the certified specialists, stating that the client regularly performs a set of security tests in order to adequately identify Information Security risks.

Integrity is certified as PCI QSA (Qualified Security Assessor) and ISO 27001, aiming to reduce risk and increase the protection of the information of its clients.

Integrity is accredited by CREST regarding its PenTesting services and by PNSC concerning the access and handling of classified information.
Management Platform

Traditional Approach: TEST → REPORT → CORRECT → TEST

KEEP-IT-SECURE-24 stages: TEST, VALIDATE, MANAGE, REPORT, CORRECT

• Manage KPIs;
• Enforce Resolution Times;
• Integrate with Change Management;
• Extract Dynamic Reports;
• Establish Testing Priorities;
• Test Advanced Scenarios;
• Monitor Application and Teams Performance in terms of Vulnerability Management;
• Analyze and Incorporate Lessons Learned.
References

Integrity Security References

Besides customer references, we believe it is important to highlight the multidisciplinary nature of Integrity's team. Combined with best practices in Information Security, our team conducts research on and publishes 0-day vulnerabilities, meaning vulnerabilities of which not even the producer was aware.

Here is the list of the most recent vulnerabilities posted:

• CVE-2021-29357 - Outsystems ECT Provider Server Side Request Forgery
• CVE-2020-13639 - Outsystems ECT Provider Unauthenticated Cross-Site Scripting Stored
• CVE-2020-13963 - SOPlanning Authentication Bypass
• CVE-2020-15934 - Privilege escalation vulnerability in FortiClient for Linux
• CVE-2019-5493 - Information Disclosure Vulnerability in Data ONTAP operating in 7-Mode
• CVE-2018-10377 - Insufficient Validation of Burp Collaborator Server Certificate
• CVE-2017-9376 - ManageEngine ServiceDesk Plus Local File Inclusion
• CVE-2017-9362 - ManageEngine ServiceDesk Plus XML External Entity via CMDB API
• CVE-2015-7343 - Reflected Cross-Site Scripting in JNews Joomla Component
• CVE-2015-7339 - Bypass File Upload Restriction in JCE Joomla Component
• CVE-2015-7344 - Cross-Site Scripting in HikaShop Joomla Component
• CVE-2015-7349 - Reflected cross-site scripting vulnerability in DIGIPASS authentication for Citrix Web Interface
• CVE-2015-3784 - Apple iOS Office Viewer XXE vulnerability
• CVE-2014-4925 - HTML injection in Good For Enterprise Android
• CVE-2014-1635 - Belkin N750 Buffer Overflow
• CVE-2014-1634 - SQL Injection in Advanced Newsletter Magento extension
• CVE-2013-3319 - SAP Host Agent Information Disclosure

https://labs.integrity.pt/advisories/
Conclusion

• Information Security tests practically and effectively measure the effectiveness level and the ROI in Technology and Processes.

• Organizations, technologies, and processes are not static, so ad hoc tests add very limited value.

• Information Security testing should not be viewed as an ad hoc project but as a process.

• Complex vulnerabilities require considerable investigation according to the current practices of APT (Advanced Persistent Threat) attackers.

• KITS-24 is the most appropriate approach to Information Security Testing. It provides a seamless service integrated into a Change Management process supported by a Vulnerability Management Platform.

• KITS-24 is provided by an expert Information Security company with collective intelligence on the subject, relevant professional certifications, and an ISO 27001 certification.
THANKS

Do you have any questions?

www.crevisoft.com
