Phos Services ltd. is a company established in the United Kingdom that develops innovative, game-changing technologies. Their solutions allow merchants to accept card payments directly on their NFC-enabled Android devices, either smartphones or tablets. The company also integrates a variety of business applications for merchants like: 

• marketing;
• loyalty programs; 
• payroll;
• data-driven e-commerce tools.

Since it was founded in 2018, it shows rapid growth and innovative development. 

Phos Services Ltd.’s challenge

The company contacted 3Cyber-Sec because they needed specific help with one of their PCI certifications. They wanted to be able to meet all the requirements of the standard to be able to develop their mobile payment application in line with the industry security standards, ensuring they can securely accept payments by card on a mobile phone. The essential needs of the client were to:

• Ensure cybersecurity throughout the development of innovative payment technologies;
• Comply with industry regulations;
• Obtain certification for the international standards PCI DSS and PCI CPoC;
• Gain comprehensive cyber risk visibility.

3Cyber-Sec’s Solution 

We approached this task having extensive knowledge that can solve this specific case and offered our consultancy services for PCI CPOC requirements. There were some challenges within the project like the short deadlines and the fact that we had only remote access and contact with the Dev team. 

The extreme conditions and the limited time could not alter in any way effectiveness. We adopted a tailor-made approach to adequately address the situation. First, we began examining what has been done until the point we started working on the project. Then we analyzed the inconsistencies of the mobile application developed by our client related to the standard. Next, we correlated them to each of the requirements of the standard and wrote recommendations for compliance that the client should follow. 

With the support and active involvement of the management team, everything was done in time for achieving compliance. This is how we successfully supported Phos Services Ltd in solving their PCI DSS and PCI CPoC’s certifications.

“3Cyber-Sec is a greatly valued partner for Phos Services ltd. Throughout the development of our software POS, we were required to push the boundaries of FinTech cloud infrastructure and 3Cyber-Sec’s expertise has been critical in ensuring that we adhere to the highest standards of security at all times. Furthermore, 3Cyber-Sec’s team has guided us towards reaching the highest degree of payment security by helping us meet the requirements and obtain certification for the international standards PCI DSS and PCI CPoC. Additionally, 3Cyber-Sec’s vCISO service has enabled us to gain a better understanding of the cyber risks our company could be exposed to by portraying a comprehensive picture of our board-level behavior.” – Chief Technology Officer, Phos Services ltd. 

The outcome

With our help and recommendations, the client was able to further develop its application to a degree ready for certification tests. Also, this helped Phos Services be one of the first companies in the world to offer such a service.

When we started working on the project, the mobile application was not in line with the requirements of the PCI CPOC standard. In just 2 months we were able to navigate them in accordance with the exact requirements regarding InfoSec. With our work, we may have helped them shorten the time invested by almost a year. 

“We strongly appreciate 3Cyber-Sec’s consultants’ knowledge and proficient approach, as well as their ability to effectively translate technical security issues to business-driven top management.“ – Chief Technology Officer, Phos Services ltd.

The post Case Study: How 3Cyber-Sec helped Paynetics – Phos Services Ltd. obtain PCI DSS and PCI CPoC standards? appeared first on 3Cyber-Sec.

The company is positioned on the biggest marketplaces and works with prominent tech and strategic partners like Zendesk, Microsoft Dynamics, EON, Aramex Delivery Unlimited, API2CART, Honeywell, and more. 

For us, it was quite a compliment when ZigZag Global reached out to us at the end of August 2021 with a request for regular cybersecurity checks/penetration testing of their primary system. 

ZigZag Global’s challenge

ZigZag Global had to carry out a cybersecurity checking of their system. That was a preventive measure but was also a requirement by one of their primary clients. The company got in touch with 3Cyber-Sec after they received a recommendation about the quality of our services. 

The client (ZigZag Global) needed penetration testing services of their API infrastructure and security source code review of the back-end system. During the process, the team of 3Cyber-Sec checked over 30 000 lines of source code. “When ZigZag contacted us, they knew that we had the expertise and capacity to carry out such extensive and in-depth research in their system.” – shares Todor Kunev, Board advisor of 3Cyber-Sec.

3Cyber-Sec’s Solution 

Together with internal teams from Zig Zag, we built a custom action plan and completed the following sequence of activities: 

•  We studied in detail the description of the systems’ environment and infrastructure provided by ZigZag Global; 
•  Build a test environment, which was a copy of the production environment. That was the place where we performed the penetration testing; 
• Actively conducted offline source code review and tested the API and microservice infrastructure of the company;
• Prepared and submitted two different reports about our findings;
• Presented the results to the CTO and head of IT Infrastructure at ZigZag Global. 

The biggest challenge in this project was the security source code review due to the large volume of the code we had to go through. Everything went smoothly thanks to the great cooperation of the team of ZigZag Global. 

The outcome  

During our work, we found out something that had the potential to put in jeopardy the whole business of our client. We located a new vector for an attack that could affect the whole operation of ZigZag Global. Due to the scope of the potential threat, the client took immediate measures and this vulnerability was remediated. We also found several bad practices in the code of the microservice infrastructure that was dealt with. 

Thanks to 3Cyber-Sec a vulnerability that could be exploited by hackers was found and mitigated. If this wasn’t done, sooner or later hackers would probably reach the same vector of attack that we reached. If you also need help with your cybersecurity, feel free to get in touch with us. We will be happy to help. 

The post Case Study: How 3Cyber-Sec conducted web service penetration tests and security source code review for ZigZag Global appeared first on 3Cyber-Sec.

One of the values of the company is its constant striving for perfection. The company always sets new high goals to be achieved. That same principle was applied in the field of cybersecurity as well when “Fraport Twin Star Airport Management” had to meet the national regulatory requirement for network and information security. 

For companies in this sector, it is very crucial to be up to date with their cybersecurity measures. A report about airport cybersecurity by paconsulting.com cites the European Aviation Safety Agency (EASA) and outlines that around 1,000 cyberattacks on aviation systems are being done on a monthly basis. 

Fraport’s Challenge

“Fraport Twin Star Airport Management” AD had to review the state and current level of security of IT systems and equipment deemed highly critical for national security and the company’s business. For this purpose, the organization needed experienced cybersecurity experts to execute regular advanced vulnerability scans and checks.

There were several main things that the company wanted to address: 

• Cover national cybersecurity regulations;
• Spot corporate cyber risk exposure;
• Identify and implement remediation activities. 
• Regular C-level reporting

The airport operator first turned to 3Cyber-Sec in the middle of October 2020. The reason was the legislative and regulatory requirements that they had to cover by the end of the same year. The airport management consortium had to cover and report status concerning the requirements of the national regulation for minimum requirements in relation to network and information security. And this needed to be done in around two months. 

3Cyber-Sec’s Solution 

The managerial team of “Fraport Twin Star Airport Management” AD chose to work with 3Cyber-Sec because of the good reputation of the company and its expert team. They relied on the fact that the cybersecurity experts can deliver a high-quality solution in a short time that is tailor-made to the needs, themes, and problems that “Fraport” had. And this is exactly what happened. 

The airport management consortium contacted 3Cyber-Sec to present a solution for Vulnerability Management Services. This involved the vulnerability management services on a regular basis, along with monthly security screening, reports, and analysis of the problems and issues in the cybersecurity of the company. “Fraport” had some catching up to do, especially in the area of internal cybersecurity infrastructure. Something they hadn’t looked into that much detail until they hired 3Cyber-Sec. 

“„3Cyber-Sec” provided professional, timely, and comprehensive services that were highly appreciated by our IT team. As a result of our joint efforts, we were able to successfully address the national “Regulation on the minimum requirements for network and information security” and gain full visibility of the corporate cyber risk exposure.” – the team of “Fraport Twin Star Airport Management” AD.

The work plan was presented, discussed with, and approved by the client. The first thing that the team of 3Cyber-Sec did was to identify together with the staff of “Fraport” each key business services that corresponded to the infrastructure components that were going to be monitored regularly. 

After that, the expert team of 3Cyber-Sec developed a plan for the screening of the different services and prepared cybersecurity reports based on the business needs of the clients. From the data gathered during the screening process, the team created both technical and C-level reports for each service that “Fraport Twin Star Airport Management” AD offers and their infrastructure. All of this was and the main findings were finally wrapped up in a C-level presentation about the cybersecurity state of the company that was presented to the client. 

“We found 3Cyber-Sec’s team to be extremely responsive, attentive, and highly experienced, with in-depth knowledge in the vulnerability management area. ”3Cyber-Sec” reports empowered us to spend less time on identifying remediation activities and focus on remediation itself. Working with 3Cyber-Sec was the best choice we could have made.” – the team of “Fraport Twin Star Airport Management” AD.

The Outcome

3Cyber-Sec managed to provide visibility to the vulnerabilities in cybersecurity that “Fraport Twin Star Airport Management” AD was not aware of and managed to help the client cover the requirements of the regulation and achieve compliance. The joint efforts and the fact that the team of “Fraport” was very cooperative helped the cybersecurity expert team deliver the service in a shorter time.

Without the help of 3Cyber-Sec, “Fraport Twin Star Airport Management” AD was going to delay their compliance with the requirements of the regulation. They probably wouldn’t be aware of the risks and vulnerabilities they had in cybersecurity.

“Based on our positive experience, “Fraport Twin Star Airport Management” AD acknowledges “3Cyber-Sec” as a trusted partner in the field of information infrastructure vulnerability testing. Our company would not hesitate to engage “3Cyber-Sec” again for future projects.”. 

If you also need help in achieving compliance or you want to find out what are the potential vulnerabilities in your cybersecurity defenses, contact us for a free consultation now. We are a boutique cybersecurity company and are always ready to answer the specific needs of each of our clients with tailored cybersecurity solutions. 

The post Case Study: How Fraport Twin Star Airport Management achieved compliance for important national standard appeared first on 3Cyber-Sec.

• Information about citizens’ income taxes;
• patent taxes; 
• VAT and corporate taxes;
• health insurance;
• pension insurance;
• additional mandatory pension insurance data.

It shouldn’t come as a surprise that the NRA is a desirable target for many cybercriminals. Moreover, the cyber risks for the NRA are further enhanced by the lack of qualified IT employees in Bulgarian public agencies and noncompetitive salaries compared to the private sector, as a 2018 government report suggests. According to the report cited by segabg.com, “technical, technological and personnel deficits in state institutions and companies of national security importance are of a lasting nature, and the measures taken to eliminate them, remain insufficient to counter modern challenges”.

NRA’s Challenge

As with any other large organisation or enterprise, the NRA is also challenged with finding well-experienced professionals who are willing to become part of the team and contribute to the cybersecurity of the agency. Back in 2020, NRA’s existing cybersecurity staff had to ensure the cyber resilience of the agency’s networks and systems to avoid and minimize any potential incidents in the future. To do this, the NRA needed to:

• Enhance the cybersecurity awareness of the agency’s Information Security team;
• А key goal for the agency was to ensure that its InfoSec team had an understanding of cyberattack approaches gained through practical experience;
• Getting a clear view of potential cyberattack impacts was also a priority for the NRA. 

“We needed a professional and competent partner for advanced cybersecurity penetration testing training to teach our internal team techniques used by cybercriminals for real-world cyberattacks.” – NRA’s team 

Additional pressure came from the public and media, given the fact that not so long ago there was a huge scandal involving the NRA in a security breach of the data of almost all citizens of Bulgaria. 

The biggest challenge for the agency at that moment, however, was the fact that they needed to conduct the training in a very short time. Just over a month before the deadline, the NRA contacted 3Cyber-Sec as a part of the regular tender process, explaining their specific needs.

3Cyber-Sec’s Solution 

To improve the cybersecurity awareness of NRA’s InfoSec team, 3Cyber-Sec had to urgently conduct a comprehensive penetration testing training, which needed to focus on the specific vulnerabilities and risks faced by the agency. What 3Cyber-Sec did for the NRA involved:

• The penetration testing (also referred to as ethical hacking) training – had the goal of educating NRA’s InfoSec team about the organization’s potential vulnerability to cyberattacks;
• 3Cyber-Sec’s team provided advice and instructions to NRA’s staff on how to practically compromise NRA’s networks – this would help them gain an in-depth understanding of the potential hacking strategies cybercriminals may use to attack NRA’s networks;
• Through practical experience, NRA’s InfoSec team will acquire better visibility of the critical vulnerabilities and weak spots in the agency’s defense systems. 

With no internal knowledge of NRA’s networks and systems, the biggest challenge for 3Cyber-Sec was the tight deadline and specific technology requirements they were faced with. For less than a month, 3Cyber-Sec’s team developed a customized training environment and sessions tailored for the NRA team. They were also aligned with the specifics of the technology toolset used by the company. 

Based on the requirements, 3Cyber-Sec outlined key topics for the training and created a list of practical tasks and challenges, which could enable NRA’s InfoSec team to ethically hack the agency and thus gain a better understanding of possible attack tactics. Once they prepared the training materials, 3Cyber-Sec conducted a 5-day penetration testing course that was held in an isolated technological environment. The training schedule included both theoretical sessions with lecturers, as well as practical workshops guided by 3Cyber-Sec’s team. 

The Outcome

As a result of the intensive 5-day penetration testing course organized and conducted solely by 3Cyber-Sec, five members of NRA’s InfoSec team were fully trained and gained crucial knowledge of potential cyberattack tactics that could penetrate NRA’s defense systems. It’s important to note that some of the trained professionals didn’t have any previous experience with penetration testing tools and methodology. Despite that fact, for just 5 days the NRA’s InfoSec team was able to gain control over 26 machines in a laboratory setting and 14 web-based applications. 

“We found an ally in the face of 3Cyber-Sec Ltd. The straightforward approach they took during the 5-day course, did fit very well with our internal team’s needs. The methodical presentations and onsite practical exercises were done with the proficiency and competency we were expecting. As a result, the National Revenue Agency’s information security team managed to gain a thorough understanding of an attacker’s approach.” – NRA’s team

The success of the penetration testing training provided by 3Cyber-Sec was further enhanced by the dedication of NRA’s InfoSec team, who were actively participating with a determination for acquiring precious know-how and enriching their current expertise. Furthermore, 3Cyber-Sec’s team received full support and cooperation from NRA’s management, which enabled them to successfully conduct the training in such a short period. 

Without 3Cyber-Sec’s help, NRA’s team would not know the actual methods and attack vectors that could penetrate NRA’s defense systems. 

If you’re also not sure which are the weak spots in your organization’s networks, contact us for a free consultation now. As a boutique cybersecurity company, we are always ready to answer the specific needs of each of our clients with tailored cybersecurity solutions. 

The post Case Study: How NRA InfoSec Team improved its penetration testing skills with comprehensive training appeared first on 3Cyber-Sec.