1. Portcullis Informational Presentation
Eric Christenson – Director of Sales North America
Oliver Gruskovnjak – Director of Penetration Testing Services
Portcullis Security Inc.
www.portcullis-security.com
http://labs.portcullis.co.uk/
2. Portcullis Background
• Established in 1986, Security Testing Services launched in 1992
• Over 60 staff members including 38 experienced consultants:
– Quick response
– Large detailed projects can be delivered in shorter timescales
– Flexibility
– No subcontractors, all full-time employees
• 3 International Locations
– US Headquarters: San Francisco, CA
– UK Headquarters & Forensics Laboratory: London, England
– European Headquarters: Madrid, Spain
• Our Client Base spans:
– Retail and eCommerce (Supermarket, Online Trade, Clothing / Fashion etc).
– Central & Local Government
– Health Care, Financial Services
– Technology and Gaming
– Utilities and Transportation
– Banking
– Non-Profit/Charity
– Defence Sector
• Accreditations and Experience
– CREST (Founding Members)
– FIRST Members
– OWASP Members
– PCI Accredited
– CHECK (Founding Members)
3. Portcullis Strengths and Values
• IT security focused – not sector or industry specific
• Broad experience, across sectors and industries
• Manual penetration testing expertise and focus
• Tool development, R&D efforts ongoing
• Risk based approach
• Multilingual staff with international experience and presence
• 5000+ assessments in the last 5 years
4. Portcullis Security Services include…
IT Security Testing (SPA)
Digital Forensics
Incident Response
CTADS
Secure Development
SRIE - RMDG
5. Security Posture Assessments
• SPA - External Infrastructure Assessment
– Geographically unbound
• SPA - Internal Infrastructure Assessment
– 19 Locations
• SPA - Wireless Assessment
– Combined with Internal Infrastructure Assessment, to save on travel expenses.
7. Security Testing and Auditing Services
– External or Internal Infrastructure Assessment (i.e. Penetration Testing and Vulnerability Testing)
– Web Application Assessment
– Binary Application Assessment
– Web Service Assessment
– Code Review
– PCI Security Testing
– Layer 2 Traffic Analysis
– DoS Assessment
– Social Engineering
– Information Disclosure Review
– Wireless Assessment
– Wireless DoS Assessment
– PCI DSS Services
– Build Reviews
> Desktop, Laptop, Server, Database etc
– Router Assessment
– Firewall Assessment
– Switch Assessment
– External or Internal Host Assessment
– Data Exfiltration Assessment
– Citrix Assessment
– VPN Assessment
– Mobile Device Assessment
– VoIP Assessment
– BlackBerry Assessment
– iOS Assessments (iPhone, iPad etc)
– Android Assessment
8. Consultancy, Training and Knowledge Transfer
Consultancy Services Includes:
– Risk Assessment and Review
– GAP Analysis of Compliance
– Management Summary Reporting
– Best Practice Reviews
> Documentation / Policy
> Architecture
> Topology
– Research Projects
Training and Knowledge Transfer Includes:
– Application Development
– System Hardening
– Security Testing
– Build Reviews
– Bespoke Training
– Presentations
– Test Observation
Our services aim to articulate the real, actual risk to the systems being assessed rather than the theoretical or hypothetical risks that a vulnerability assessment (VA) provides.
Risk approach: when scoping, we try to understand the main routes an attacker would take and where the data is stored. During testing we also take a risk-based approach: we start with a low-risk assessment and build step by step until we reach a possible compromise.
This is an iterative approach: as we discover issues and exploit them, we can continue to escalate our efforts to compromise as far as the agreed scope will allow.