
Vulnerability management

Identify and manage potential security risks with rigorous testing and cutting-edge vulnerability management tools

Protecting today’s information and communications technology (ICT) assets is no longer focused on securing the perimeter alone; organizations are now shifting towards “defense in depth” models and “zero trust” strategies. The frequency and sophistication of attacks have grown spectacularly over the last few years, while the level of skill and knowledge required to carry out these attacks has decreased. Also, information security standards, regulatory requirements and guidelines require and/or recommend that organizations conduct regular security tests (including penetration testing) and reviews on their systems, and demonstrate due diligence towards security testing. These include: ISO/IEC 27001:2013, the Payment Card Industry Data Security Standard (PCI DSS), the General Data Protection Regulation (GDPR) and the European Banking Authority (EBA) guidelines on ICT and security risk management.

To keep up with the rising risk of cyberattacks and comply with these applicable regulatory requirements, many organizations rely on professional expertise to secure and assess their processes, people and technology. Deloitte Luxembourg offers a wide range of security assessments and ethical hacking services to help improve your overall security posture.

Penetration Testing - Pen Tests

Security Assessments and Ethical Hacking services

Assesses your internet-facing applications and/or internal/external web services, which adversaries often use as a point of entry into your IT environment. An essential component of every organization’s security management, so-called “pen tests” let us put ourselves in potential hackers’ shoes. Applications can be developed in-house using frameworks (e.g., .NET and Java) or provided by vendors or third parties (e.g., enterprise resource planning (ERP) systems such as SAP, application programming interfaces (APIs), etc.).

Simulates an intruder’s attempt to infiltrate your infrastructure, starting from a low-privilege end-user system or a phishing attack, so that you understand the vulnerabilities of your network architecture and backend systems. Scenarios can target an Active Directory environment, a virtual desktop infrastructure (VDI) environment (e.g., VMware or Citrix), virtual private network (VPN) connectivity, SWIFT local networks, internet of things (IoT) environments, demilitarized zones (DMZ), etc.

Covers threats and attack vectors that can affect the mobile app landscape. Our comprehensive mobile security testing approach covers iOS and Android applications, associated smartphones or tablets (jailbroken/rooted or not) and backend servers or APIs.

Assesses the security of client applications that can process data in addition to rendering. Thick clients are still essential to internal operations and often contain and process sensitive information.

Identifies potential security gaps in your cloud infrastructure and services and provides you with actionable remediation guidance. We cover the most popular cloud providers, such as Microsoft Azure, Amazon Web Services (AWS) and Google Cloud Platform (GCP).

Evaluates the security of your Wi-Fi networks and the data they transmit. Through pen testing, we can identify misconfigured wireless access points (APs), find vulnerabilities in their firmware, and evaluate the strength of the encryption and authentication methods in use.

Detects and manages vulnerabilities effectively and efficiently through tailored tools and subject matter knowledge. We also manage scan scheduling and execution, asset onboarding, and vulnerability reporting for clients, and we can help you select a vulnerability management vendor or solution based on your requirements and needs.

Assesses the security of a standard server, virtual machine (VM), workstation or laptop image. Testing identifies vulnerabilities that could provide unauthorized access to systems, applications, and sensitive data. We support most Windows, Linux, z/OS, and macOS variants.

Assesses the security level of your voice over IP (VoIP) infrastructure by attempting to exploit vulnerabilities that could lead to critical security issues (e.g., eavesdropping, caller spoofing, etc.). This can also include softphones.

Helps your AppSec and DevOps teams detect, validate and resolve security issues based on the business criticality and risk profile of your applications, in order to strengthen your secure software development life cycle (SDLC). Static application security testing (SAST) fits a DevSecOps culture and the emerging continuous integration/continuous delivery (CI/CD) pipelines, and is aligned with industry-leading guidelines such as those of the Open Web Application Security Project (OWASP). The analyzed source code can belong to web applications, thick clients, mobile applications and/or firmware.

Improves your applications’ and systems’ security configuration through security configuration assessments. We support most operating systems (Windows, Unix, etc.), middleware and database engines, network/security devices, etc. We can base our analysis on your own baselines or on industry-leading guidelines such as the CIS Benchmarks, Security Technical Implementation Guides (STIGs), the NIST Cybersecurity Framework, and the recommendations of the French National Cybersecurity Agency (ANSSI).

Creates real-life attack scenarios to challenge your security capabilities and controls. These simulations range from phishing campaigns and tailored social engineering scenarios to full red team operations.

Reviews and optimizes your vulnerability management processes and controls, including threat identification, risk assessment, security profiling, remediation, and effective management reporting.