Testing

Testing is a way to identify **actual** areas for improvements, by identifying factual issues, whose remediation will help organisations to increase their competence in cybersecurity. The objective of C3 is to cover for market's gaps and bootstrap an activity where it's currently insufficient or non-existing. One of the key issues is that testing is perceived as non easily affordable by a significant number of SMB's. The purpose of testing is therefore to allow organisations to easily access a set of basic tools that will enable them to become aware of their true areas of possible improvement in cybersecurity, based on facts. It's aimed as much at systems as at users.

C3 intends to make it evolve through time and offer more tests to broaden the coverage of the platform and complementary services.

C3's Testing Platform

The testing site is a gateway to the tools and services that will help organisations, and more specifically small ones, to perform tests on their email and web-exposed infrastructure. The core tool is the Testing Platform, and more tools will be added through time to increase the coverage of available tests.

How does this work?

A set of tools and standardized procedures, some of them automated, some not, is available to help organisations identify common weaknesses of their systems.

There are three domains at present :

Monitoring of the most common and exposed systems:

The first focus is on websites and email systems, as they are among the most used and targeted infrastructure. They are very often instrumental in incidents, either by enabling an attacker to gain a bridgehead in a system, or by being cause of unavailability of a service once they break. C3 Testing Platform offers several tools to initiate a more active monitoring of such services (cf. description on the platform itself). It's available to organisations based in Luxembourg, with a more specific focus on SMB's and municipalities. Some services are free. Somme are pay as you go, and others will require subscribing to a monthly fee.

Tests of specialised products or services

Some specific categories of IT devices are more and more widespread. But being heavily automated by design, and having an intended usage that requires a minimal interaction with their users, if any, they tend to be overlooked when systems are being secured, and certainly not managed as information systems. The most prevalent category is commonly known as "IoT's" (Internet of Things). These are devices such as temperature sensors, webcams, smartlocks, printers, or even fridges. They are most of the time embedding some aspect of Internet technology, often for maintenance and configuration purposes. In order to enable organisations to be aware of what type of vulnerability or exposure they are adding to their systems when deploying such devices, it is possible through the Testing Platform to test the firmware of the most common IoT's. A first partnership was established with one of the leading European companies for IoT assessments : IoT Inspector. Organisations from Luxembourg can register for a test of a given IoT firmware through the Testing Platform and get a comprehensive report from our partner. One of the key use cases of such testing is to strengthen the procurement process of IT devices and systems by being able to independently assess a so-called "smart device" prior to its acquisition and deployment.

C3 Testing Protocols

The last dimension of testing operations at C3 is more experimental. Its goal is to bridge the gap between full-fledged PenTests and the present usage with amounts often to nothing. A significant number of SMB's are concerned with the cost of a comprehensive Pen-Test. If the financial cost is obvious to understand, there is also the cost in attention time required from key employees. These resources would have to be involved in negotiating the scope and conditions of a PenTest, and then monitoring its implementation, before having to deal with the analysis of the results and the subsequent remediation. C3 worked with some local Pen-Testing companies in the Country, in order to develop a set of standardized tests that would have a preset price and duration. The aim is to have a price cap under 1000 € and a duration of roughly one to two days. These tests would not qualify as full-fledged Penetration Tests, but would allow organizations to initiate a first set of tests, without immobilizing excessive resources. The second purpose is to permit local security providers to enter this market, and broaden the available offer in Luxembourg, making the ecosystem more mature and sustainable.