Written by Laurent Dupont

Emmaüs

Partnership, not a one shot

Emmaüs & Toreon partners in cybersecurity

Emmaüs’ ICT service guarantees the smooth operation and evolution of digitalisation in all its aspects for 24 healthcare facilities in the province of Antwerp. In order to guarantee the quality of this operation, Emmaüs regularly carries out an audit programme, including an external security audit. A task that they entrusted to Toreon in 2018.

Toreon conducted a large-scale security assessment of Emmaüs’ perimeter, internal network security and connectivity through penetration testing. In addition, Toreon tested the resilience of the users against a phishing attack.

Marc Rosseau, ICT Security Manager and DPO at Emmaüs, is already delighted with the work done. “Toreon’s security assessment confirmed that we had done a good job with our ICT team and also ensured that some peripheral phenomena became visible. For example, 10% of our employees clicked on a link in a phishing email despite the fact that an awareness program was already running. Thanks to Toreon’s input, we were able to persuade management to continue to focus on awareness of cyber risks within the organisation”: says Marc.

Security
Audit

Leak
test

Security
Assessment

Partnership, not a one shot

The cooperation between Emmaüs and Toreon turned out to be a win/win for both of them. “As an organisation we were looking for a partnership and we found it with Toreon. The clear and honest communication ensured that we delivered what had been agreed and even more. Toreon looked beyond a one-off action and their service is still an added value for us” concludes Marc.

Toreon’s approach

We started the assessment with a discovery scan of the entire public IP range. This first step was a black box approach to identify the systems and services exposed to the Internet.

Next, we organised an intermediate meeting to compare our list with the existing list of assets managed by Emmaüs, so we could discover any malicious devices and/or services and detect services that were unintentionally exposed to the Internet.

We then scanned the detected systems and services for known vulnerabilities and verified all findings manually. This was necessary to rule out biased results. During this validation, we also conducted a series of service-specific tests such as SSL certificate security and non-intrusive testing. This allowed us to test the security level of the detected services in production.

Finally, we conducted an online leak test to identify potentially dangerous data online. We looked for hacked accounts in the business domain and performed several checks on potentially malicious information that was accessible to the public online”.