Strategic Infrastructure Security (SIS)

Have you recently felt the need to assess your infrastructure's exposure to malicious and unauthorized users?

When considering security, we cannot consider only specific applications and services; we must consider the wider digital and physical enterprise. The components that make up an organization are vast and sprawling, change frequently, and contribute to the overall attack surface. Scrutinizing and testing the security of all facets of the organization in a relevant and methodical way helps provide assurance of a strong overall security posture. Our SIS Practice provides detailed, expertly executed services that meet this need.

Every member of the SIS practice is invested in the realization of a more secure future. In a market saturated with highly skilled technical teams, NCC Group’s Infrastructure Security experts will distinguish themselves through their honesty, efficiency of product, commitment to partnership, and passion for solving your security challenges.

Honesty:  We will always deal transparently, fairly and with empathy for the unique concerns your business faces.

Efficiency:  We will only provide you what you need and will ensure you get the optimum value from each engagement.

Commitment:  Our goal is to build a long-lasting partnership, working with your team towards the continual improvement and security of your organization.

Passion:  Our team consists of people who genuinely love security, bringing their enthusiasm to every project.

The SIS Services include:

Penetration Testing

Assesses the security of a specific environment or entire organization from the point of view of an attacker. This testing ranges from collaborative assessment of a single environment or scenario to ‘black box’ testing of an entire network or enterprise, often with internal security teams actively attempting to defend against the test. If an organization wishes to experience an attack simulation that closely models the techniques of real-world adversaries, or wishes to determine its protection against a specific scenario, Penetration Testing provides this through the following approaches:

  • External Attack
  • Internal Attack
  • Physical Intrusion
  • Social Engineering
  • Red Team Breach
  • Wireless Attack

Vulnerability Assessments

Provides security coverage via enumeration and investigation, with a collaborative or ‘white box’ approach. This involves open communication between the operational team and security testers during the engagement. When an organization wishes to gain an understanding of assets and vulnerabilities across the broadest reach of their company, different technologies and targets are assessed in different ways. All efforts move the client towards a greater overall security posture. This can include the following approaches:

  • Asset Discovery & Inventory Development
  • External Perimeter
  • Internal Enterprise
  • Physical Protections
  • Enterprise Telephony
  • Network Architecture Review
  • Database Assessment
  • Wireless Assessment
  • Low Touch Web Application Assessment
  • Security Capability Assessment

Security Assessments of Specialist Systems

Custom engagements are created to determine security weaknesses in a specific operating or technology environment. Specialist systems should be thought of as ‘special use’ systems or environments that service a very direct purpose. When operationally specific environments are in use we are frequently asked to develop specialist security assessment techniques for those environments or for new and emerging technology. The following specialist systems are common requests from our clients:

  • Electronic Point of Sale (POS)
  • Industrial Control Systems (SCADA / ICS)
  • Building Management Systems (BMS)
  • Automated Teller Machines (ATM)
  • Embedded Devices and Systems


Piranha - Phishing Simulation

70% of employees can’t spot a phishing site
(NCC Group, 2015)

Phishing attacks have dramatically increased over the past few years and are fast becoming a digital criminal’s weapon of choice.

But do your employees know how to spot the signs or could they be exposing your organization to an attack?

Understanding your organization’s susceptibility and the robustness of your countermeasures should be a priority.

NCC Group’s Piranha phishing simulation helps you to understand your risk of exposure by testing your awareness, susceptibility and response to a phishing attack.


Blog: Phishing affects businesses of any size

Phishing attacks cost global organizations $4.5 billion in losses in 2014
(RSA, 2015)

Nowadays phishing campaigns are more elaborate, personalized and targeted. 'Traditional' phishing campaigns relied on sending a lot of emails to a lot of recipients, but such campaigns are now being replaced by spear-phishing attacks.

The risk of phishing attacks to businesses, regardless of size, is getting higher.

Organizations in all sectors are now targets, including us. We were targeted by a very sophisticated spear-phishing attempt in September 2015.

Follow the link below to find out about NCC Group's first-hand experience of a sophisticated spear-phishing attack:


Read how NCC Group were targeted by a spear-phishing attack


Piranha: How it can help you and your business

Piranha helps you to identify where weaknesses lie, what defenses need to be improved and also if remediation work is reducing your risk of attack.



Piranha’s self-service web portal gives you access to your metrics on emails sent and credentials supplied whenever you need them. The self-service tool allows you to:

  • Create and send phishing emails to internal employees via a clean, easy-to-use interface.
  • Send an unlimited number of phishing campaign emails, useful if you have multiple sites and regions.
  • Analyze your results in depth via easy-to-digest graphs and charts.

Piranha Screenshots

Clean and intuitive interface to get straight to the information which matters


Piranha’s expert level report: A final report with metrics similar to the above combined with details and recommendations, including:

  • Recommendations on how to minimize phishing in your organization.
  • Comparison against other similar NCC Group clients as a means of measuring your maturity.
  • Details of which users were identified using open source intelligence, how they were profiled and recommendations to minimize exposure.
  • Details of the hosts on which NCC Group's simulated malicious code was executed.
  • Details of how NCC Group was able to compromise your environment, evade countermeasures, obtain persistence and achieve the agreed goals.



Whether you want to deliver phishing campaigns to your organization yourself using our self-service model, or have more sophisticated phishing attacks simulated by our security consultants, NCC Group has an approach that is right for you.

Security Training & Awareness

Training engagements provide instructor-led discussion and education for your team members. NCC Group has a proven track record for delivering technical security training to a high standard. We empower our clients by increasing the knowledge within their organization, developing internal practices and elevating key internal teams to a higher level of understanding for complex security subjects or incidents. Examples of training & awareness engagements include:

  • End user security training
  • Security training for specific job roles (HR, IT, Executives etc.)
  • Security training for security staff
  • Red Team / Blue Team workshops & events
  • Industry and community training events
  • State-of-the-Nation / Threat Intelligence Briefings