Contrary to popular belief, the Information Security Management System (ISMS) is not only for protecting the information that is stored in the information infrastructure, it is a standard for the protection of information in every environment. Each company has its own information and ways in which this information can be threatened. ISMS creates a systematic roadmap for us to manage these threats and to minimize the risks.
As MAY Cyber Technology, we offer you our ISMS Consultancy Service, taking into account the ISO 27000 family and your organization-specific guidelines, if applicable. Our expert staff will work with you and as a result of our joint efforts, having established an organization-specific ISMS, the necessary road map for monitoring and improvement of your system will be produced and your system will be prepared for certification audit.
Each organization’s customer structure (the internal and external customers to whom we offer IT services) and the services offered differ to some extent. Information Technology Service Management System (ITSMS) is an international standard that guides us in analyzing the information technology processes in our organization and implementing best practices. This standard corresponds with ITIL (Information Technologies Infrastructure Library) processes.
ITSMS Consultancy Service is implemented by MAY Cyber Technology’s expert staff, with reference to ISO 20000 standard and ITIL resources. As a result of the analysis studies that we will carry out with your cooperation, the current status of the IT services in the organization is photographed and then new processes are designed in a way that is most beneficial to the organization. The creation of necessary road maps for the implementation, monitoring and continuous improvement of these processes will ensure your organization is ready for inspection.
Every organization has critical processes that will affect the organization’s work, some of continuing importance, some only in the case of disruptions. Contrary to popular belief, BCM (Business Continuity Management), like ISMS, is not a standard that concerns only IT processes. In this context, BCM guides us in determining the organization’s critical processes, the work necessary for the continuity of these processes, the establishment of emergency action plans in cases where continuity cannot be achieved, the determination of acceptable downtime times, etc.
As MAY Cyber Technology, we offer you the Business Continuity Management (BCM) Consultancy Service, taking ISO 22301 and ISO 22313 standards into account. Our expert staff work with your organization to analyze and identify your critical processes. Work is then carried out in accordance with the standards, to prepare your organization for inspection. Similar to your other management systems, because business continuity is essential, road maps are prepared for the monitoring and continuous improvement of the system and the necessary training is provided.
Gap analysis is a study conducted to identify any compatibility (standard, legislation, law, etc.) deficiencies in the organization. When carrying out this study, the relevant standards (ISO 27001, ISO20000, ISO 22301, KVKK, ISO 9001 etc.) are taken as reference. The gap analysis study begins in order to produce a harmonious organization, by the detection of deficiencies and the focus on repairing these deficiencies with accurate and efficient use of resources.
As MAY Cyber Technology, we offer to implement the Gap Analysis Service, using our prepared checklist to produce the necessary compatibility reference documents. On completion of this service, the “Gap Analysis Report”, containing details of the organization’s good practices and deficiencies, will be submitted to you.
On the 7th April 2016, law number 6698, the Data Protection Act regarding institutions and organizations, was released in the Official Gazette No. 29677. In order to meet the requirements of the Data Protection Act it is necessary to register the data held. This process includes the separation of personal data and special personal data, determination of the processing conditions of this data, determination of the legal basis for personal data processing or clear consent, deletion, destruction or anonymity of personal data, taking all technical and administrative measures into account in order to transfer the data domestically or abroad, determination of data processing roles and responsibilities, ensurance of the fulfillment of the clarification obligations in the processing of personal data and determination of the responsible party for procedures and principles applied to the data.
As MAY Cyber Technology, we offer you Data Protection Act Compliance Consultancy, taking into consideration legal requirements and your organization’s processes. On completion of this service, your organization will be provided with a personal data inventory to be entered into the VERBIS system.
These days there are cyber wars taking place between countries. The serious lack of resources spent on dealing with cyber wars, compared to those spent on military wars, leads people to this area. Considering that most of the critical processes or infrastructures of countries and organizations are managed by IT infrastructure, preventive measures against cyber incidents have become an unavoidable necessity. Consequently, with the “National Cyber Security Strategy” and the 2013-2014 Action Plan, the Cyber Security Council oversaw the establishment of CIRT, Cyber-Incident Response Teams (Institutional CIRT-Sectoral CIRT) within the body of public institutions and organizations and rapidly began the necessary work in this area.
As MAY Cyber Technology, we offer CIRT Service, including The CIRT Installation Guide, Establishment of Cyber Incidents Response Teams, Communication on the Procedures and Principles of duties and Activities, Coordination of National Cyber Security Studies and Decisions and Communication Related to Management and Coordination. This will be presented with consideration of up-to-date and relevant legislation. Taking into consideration staff experience and international media best practices, we strive to produce the most suitable structure for your organization. Ensuring security is like a marathon. For this reason, necessary training is planned and carried out in order to ensure continuity, to be cautious against new threats, to continuously improve the infrastructure and to have an organization that is self-sufficient in many areas.
Vulnerability Analysis or Vulnerability Assessment is an in-depth analysis to determine, measure and prioritize vulnerabilities of the structure. The aim is to detect and eliminate vulnerabilities, or reduce them to an acceptable level, before attackers detect them.
A penetration test provides ideas of the internal or external (web application) attacks that could occur, and which data and/or systems could be accessed as a result of the attacks. In the end, the question we are asking is; how safe are your system and data?
Blackbox: The security investigator is not given any information about the structure and/or system on which the test will be carried out.
Whitebox & Crystalbox: The security investigator is informed about the entire structure and/or system within the company/organization.
Graybox: A Penetration Test between the Whitebox & Crystalbox and Blackbox. The security investigator is not given detailed information about the structure and/or systems.
The ‘Whitebox & Crystalbox’ and ‘Graybox’ are intended to predict the issues that may arise as a result of an attacker who works/has worked at the company/institution (standard user or authorized user) and has access to the company/institution network (physical or logical). At this point, the method of thinking is incomplete or wrong. The 'blackbox' method involves thinking of the penetrable points of the system through the eyes of an attacker, however, an attacker would already have enough information about the target structure. Therefore, the ‘Whitebox & Crystalbox’ and ‘Graybox’ are more effective, more efficient and result-oriented methods.
MAY Cyber Technology follow the above-mentioned steps, considering international standards while performing these tests and unlike ‘standard’ Penetration Tests, a ‘customized’ structure is used. This customized structure is comprised of the parameters below.
When carrying out ‘Data Collection’, ‘Screening and Classification’, ‘Access Acquisition’, ‘Access Management’ and ‘Trace Concealment’, MAY Cyber Technology use internationally recognised tools (Commercial & Open-Source) along with programming tools (MAYpen Analysis & Scanning Tools) and exploits (MAYpen Exploit Research & Development) from on-site security investigators. Security Investigators may program the aforementioned ‘Exploits’ before or during the penetration test. Every ‘Exploit’ that is written is first tested in the ‘MAYpen Pentest Lab’.
MAY Cyber Technology prepares a detailed report on completion of the Penetration Test. This report contains separate parameters such as ‘Technical Report’, ‘Executive Report’ and ‘Details of Findings’. Fully customized answers will be given under the headings ‘Detailed Description of the Vulnerabilities Found’, ‘Evidence of the Vulnerability’ (screenshot and/or printout) and ‘Solutions for the Vulnerability’. The target system in which the vulnerability was detected will be enclosed in a simulation within the ‘MAYpen Pentest Lab’ in order to write the ‘Solutions for the Vulnerability’ section including detailed instructions.
A detailed out-of-service investigation is performed on hosts and web applications specified by the company. The out-of-service test will be performed over each host, taking into account the weaknesses of the company’s open services and web applications.
Following completion of the out-of-service test, MAY Cyber Technology will present a detailed analysis and threat report (classified according to risk level), together with suggested solutions.
Social engineering tests are carried out with staff who either volunteer, or are selected by the company, or selected according to information obtained from the company website, telephone switchboard or the company business or social media pages. Information is collected about the selected personnel, and defences for attack are carried out in accordance with this information.
The social engineering test is carried out via e-mail and telephone channels within the framework of the scenario created in agreement with the designated organization officials. The information security awareness of the target personnel is measured from their responses.
On completion of the social engineering test MAY Cyber Technology present a detailed analysis and threat report along with suggested solutions.
Information about the company wireless networks is collected. Firstly, hidden or open SSID within the WLAN are detected, and the types of encryption used in the detected networks are determined. In addition, web panels that are used for guest entries and allow connection are detected and information is collected about these web panels.
After the discovery phase, your penetration test is performed based on the type of encryption used in the detected SSIDs. When the WLAN is authenticated, we observe which internal network is accessed and the security of the locations accessed on this network is evaluated. Guest logins are audited, to test the security of the applications used to access the guest network.
After the penetration tests are completed, the detailed analysis and threat report shall be organized according to risk level and presented together with suggested solutions.
Our main purpose in the consultancy services we offer as MAY Cyber Technology, is to use our services to produce a self-contained organization. In order to ensure that the whole organization complies with and adopts the offered consultancy services, our projects will involve giving specific training to senior management, all studies are carried out together with the organization, tailor-made solutions are offered along with training provided in relation to each process and overall a compatible corporate culture is achieved.