Formed in 1999, Sec-Tec has over a decade’s experience in delivering market leading, product independent security services to organisations of all types and sizes.

Enjoying massive client retention and careful, organic growth throughout the company’s history, we attribute our success to the simple but important differentiators that make us what we are:

1. From initial contact, your project will be led at all times by a qualified Consultant. Not a sales person. We don’t “do” hard sell, promise the impossible, or stretch our valuable resources to breaking point.

2. We are techies, but we understand business too. We will scope every aspect of your project to meet both the technical and business needs of your organisation. We will work with the business, not in isolation against it. We specialise in translating technical risk to business risk, and are just as comfortable in the boardroom as the server room.

3. We will always aim to add value, deliver more, and differentiate ourselves from our competitors and maximise the ever diminishing budgets of our clients.

4. We are totally product independent, and will work with your existing solutions to help you maximise benefit.

The majority of Sec-Tec’s income is from the repeat business of satisfied clients. We aren’t in this for the solitary project; we are here to truly partner with our clients and are always ready to listen.

In fact, to this day Sec-Tec still retains our first major client.

Fancy a chat?

Penetration testing is Sec-Tec’s core business, and we perform over 100 bespoke penetration testing projects every year for organisations of all sizes. Whether you are an experienced buyer or new to the field, we will explain the pros, cons, options and limitations of this field, and work with you to scope the best solution to your needs.

As you would expect, Sec-Tec holds a number of industry leading qualifications in this area, including the prestigious CHECK Green Light certification allowing us to deliver penetration testing services in Protectively Marked environments such as central and local Government (GCSx Health checks).

Sec-Tec recognises that not everyone is technical, and succeeds in delivering accurate, objective reports that are accurately summarised for all relevant readers. We wont exaggerate the risk associated with findings, and we will work with you to correct any issues identified. Want us to confirm that an issue has been corrected? Not a problem.

Sec-Tec’s penetration testing solutions consist of a number of modules that can be combined as required to provide the assurance you need:

Infrastructure Testing

This is “classic” penetration testing. Your servers, routers and switches that form your basic network infrastructure are tested for a wide range of vulnerabilities including missing security patches, misconfigurations and oversights that could negatively impact the security of your network. This normally forms the basis for additional penetration testing modules specified below.

Web Application Testing

Web applications present a considerable risk to organisations, in that they are often, by design, accessible to untrusted entities and often connect to core business systems. Web developers face a myriad of potential mistakes and assumptions that can be exploited by a malicious attacker. Web applications remain a major factor in most penetration testing projects delivered by Sec-Tec.

Desktops

Often overlooked within penetration testing projects, but vital to the organisation’s security. It may surprise you to know that popular desktop applications such as Adobe Acrobat and Java Runtime Environments are now amongst the most commonly attacked applications in the world*. As core operating systems have matured to automatically install patches and updates, attackers have increasingly moved to targeting third party applications that are less frequently updated. Recognising this trend, Sec-Tec has invested heavily in testing technology for desktop applications, and can demonstrate the total compromise of systems simply by the victim opening a PDF file with a vulnerable viewer. If you haven’t undergone a comprehensive desktop assessment, talk to us.

* http://www.theregister.co.uk/2010/10/19/unprecedented_java_exploits/

* http://features.techworld.com/security/3242064/the-7-most-attacked-applications/

Wi-Fi

Many clients contact Sec-Tec with a “Can you get in?” mentality to Wi-Fi security. In reality, there are often a number of potential security issues from unencrypted guest access to the ability to intercept traffic between trusted hosts. Sec-Tec can provide a thorough Wi-Fi assessment, and indicate potentially unconsidered threats that may exist. For example, Sec-Tec recently demonstrated to a client that it was possible to compromise a legitimate device on an unencrypted guest Wi-Fi network and use the legitimate VPN client installed on the target system to gain access to the corporate LAN.

VOIP

Often relying heavily on VLAN technology for security, many VOIP systems utilise no encryption, meaning that phone calls can often be intercepted from elsewhere within the network. Sec-Tec has the technology to demonstrate these attacks in real-time, providing a real-world indication of risk, and helping organisations reap the benefits without the risks.

The Report

The report is the deliverable. We have a decade of experience in drafting reports, providing the information needed, and clarifying the complex. All reports go through rigid QA before release and provide much more useful information than typical automated scan reports, with screenshots, supporting logs, and sufficient information to reproduce the issue or satisfy an auditor. We take real pride in our reports. Why not ask for a sample?

Why not take a look at our penetration testing buyer's FAQ to answer any common questions you may have on penetration testing.

Our Promise to you

1. We will work with you to ensure the ideal project scope is undertaken.

2. Our testing will utilise the best technologies and methodologies available.

3. Our reports will be clear, objective, and provide a realistic assessment on the risks presented by the findings using internationally recognised scoring mechanisms.

4. Our Executive Summaries will provide a clear indication and position statement to non-technical readers.

5. We will detail the necessary corrective actions, consider the options, and help you to make sure they are correctly implemented.

Fancy a chat?

Clever people can do stupid things. As many organisations can testify, the human aspect emerges time and again when investigating security incidents. Sec-Tec can help equip your staff to deal with the day-to-day security issues that they face while maintaining productivity.

Sec-Tec’s Lunch ’n’ Learn format provides a convenient, onsite, security awareness and training environment over lunch. Logistical issues of training large numbers of staff are minimised and can easily be scheduled to fit around your staff.

Course content is entirely bespoke, but can include:

• What is security?
• Email Security and Acceptable Usage
• Threats from the World Wide Web and Usage Policy
• Laptops, Use and Abuse
• Physical Security
• Legal Obligations and Implications
• Social Engineering, Guests and Visitors

Courses are designed to be short, snappy and highly visible. Live hacking demonstrations are used to demonstrate the ease with which mistakes can be exploited.

Want to know more?

Give us a call.

Sec-Tec provide a range of technical training courses for IT professionals of all types. We specialise in bespoke training for:

• Application Developers
• System Administrators
• Network Administrators
• IT Managers

Delivered by a CHECK Team Leader, our training instils over a decade of penetration testing experience and will teach you to assess the security of your own organisation, projects and systems.

Typical course syllabus includes:

• Legalities and regulation
• Hackers, Hacking and the underground
• TCP/IP security (inc. refresher)
• Enumerating information via passive and active means
• Windows Security
• UNIX Security
• Web Security
• Vulnerability Assessment & Exploitation
• Wrap-up

Two and three day courses are available and training can be provided onsite for groups, in addition to Sec-Tec’s London based training facility.

Contact us for more information.

Gaining ISO27001 can give your organisation an undeniable advantage when dealing with today’s security sensitive clients. Many organisations however, view ISO 27001 as an expensive, unfeasible panacea. In fact, with experience, implementing an effective ISO 27001 Information Security Management System can often be a straightforward task and many organisations already have done much of the work without realising it.

Sec-Tec has helped organisations of all sizes achieve ISO27001 certification, and for those organisations not wishing to certify, alignment with the standard can still offer massive benefits.

The process

The ISO27001 implementation process can broadly be broken down into the follow stages:

Foundation Stage

During this stage, the foundation requirements are met. Executive commitment is confirmed, basic documents such as the security policy, risk assessment methodology and document control processes are created and approved, and the scope of the ISMS is set. The scope of the ISMS does not need to be an entire organisation, aspects of a business (such as a department, office or function) can be certified alone.

Information asset identification

Information assets, together with their owner(s) are identified within the organisation. What is an information asset? Almost anything that would have a measurable impact if the Confidentiality, Integrity and/or Availability was reduced or lost. Organisations tend to be good at identifying tangible assets, but poor at identifying intangible assets. Third parties are also often overlooked. The term owner does not refer to the legal owner, but the entity responsible for the asset.

Risk Assessment

This is where most organisations really struggle. For each asset, the threats and likelihood must be objectively evaluated and the associated risk calculated. The standard allows for any method which produces “Comparable and Reproducible” results, and it is often this flexibility which causes the confusion.

Whilst large organisations will likely require specific risk analysis tools, many organisations need little more than a spreadsheet to perform a useable, useful risk assessment. This stage is absolutely critical to the success of the implementation, and by far the biggest headache for most. It need not be.

Organisations generally get confused about calculating existing controls. For example, if you already have a firewall should it feature in your risk assessment? The answer is generally no. If you work from the assumption of zero controls, then you can assess the existing controls for adequacy and help prevent dangerous assumptions.

Control selection

For those risks beyond the organisations risk appetite (the organisations acceptable level of risk), controls must be selected to reduce the risk in some way. An almost infinite number of methods and strategies can be used to control risk, but the standard provides a useful list of examples. Organisations are free to use these or select their own.

Control implementation and review

The controls selected must be implemented, maintained, and managed. They must also be reviewed, along with the entire ISMS, on a regular basis for adequacy and effectiveness. New threats emerge on an almost ongoing basis, and must be recognised and accounted for.

The Audit

The audit will be performed by an accredited certification body. Normally, within the UK, the certification body will be accredited by UKAS or a UKAS recognised equivalent. Certification providers from other accreditation bodies do exist, but may not be formally recognised by certain clients. Select your certification body carefully.

The audit will generally be performed in two stages:

Stage one will generally investigate the ISMS documentation and supporting material to ensure that it meets the requirement and is generally fit for purpose.

Stage two will be a more in depth audit, and will basically ensure that you actively implemented and follow your ISMS.

Deviations from the standard will normally be recorded according to the severity:

1. Observation – An observation is exactly that. It simply documents a potential improvement. There is no corrective action necessary on an observation, only a recommendation.

2. Minor Non Conformity – A minor non conformity is a non-fulfilment of a requirement. A minor non conformity will not in itself result in a failure but will require a corrective action that will require formal documentation and communication to the auditor.

3. Major Non Conformity – A major non conformity is a significant deviation which results in the breakdown of the management system as a whole. A major non conformity will result in a failure.

The above is of course open to interpretation and the auditor is trusted to make the appropriate judgement. If the audit is successful the organisation will normally receive certification within a couple of weeks. Most if not all certification providers have secondary auditors “Back at base” that will perform a secondary audit. This can result in subsequent questions so do not assume certification until you have received the certificates!

In summary

Although the above is a heavily simplified example, it can be seen that implementing ISO27001 can be straightforward, logical, and of huge benefit. And even seeking alignment as opposed to certification can teach an organisation a lot.

Sec-Tec has helped companies of all sizes achieve certification in a straightforward, cost effective way, and don’t forget, we’ve been through the process ourselves!

Fancy a chat?

Many organisation find complying with Code of Connection requirements a daunting and expensive task. Sec-Tec can help to make your CoCo efforts painless, cost effective and beneficial.

Sec-Tec can help by:

• Performing Health Checks in accordance with requirements.
• Reviewing submission documents.
• Performing gap analysis against requirements.

Let Sec-Tec make your submission efforts the straightforward process it’s designed to be.

Contact us

VST allows organisations to call on Sec-Tec as needed for a wide range of services, without the headache of raising individual purchase orders. Organisations purchase a number of days up front, whilst enjoying a sizeable discount on ad hoc day rates.

By signing up to the Virtual Security scheme, you become a priority client. That means if you need an installation or a security check-up, our team will get to you as soon as possible - just as an in-house team would.

Consultants are available to advise clients on every aspect of security, from policy matters to new threats and software development.

The list of services includes:

• Installations training
• System upgrades
• Auditing
• Penetration testing and rectification
• Policy creation/review

In fact, our entire service portfolio is available under VST.

Payment Options

The costs of Sec-Tec's Virtual Security Team are transparent. Partners purchase a number of days up-front - this can be any number from three to 300 - depending on their predicted requirements (we can advise on this).

Clients maintain control: manage the team however it suits you, and we will provide regular statements showing how much time you have remaining.