Since 2002 we have been in the business of protecting our clients’ financial and customer data. As an information security company we use a variety of techniques to prevent and minimise the effect that cyber attacks may have on your organisation.
Our Aim
To ensure that your systems are as unattractive to cybercriminals as possible minimising your cyber security risk landscape.
What We Do
We provide the highest level of IT security solutions for various sectors both locally and internationally including advisory, penetration testing, vulnerability assessments, red teaming, social engineering and training. When it comes to our reporting, we have, and always will, focus on vendor-independent reporting ensuring an unbiased view of the findings.
BBBEE
As a proud level 2 BBBEE service provider we are invested in the future of South Africa.
Gallery
A picture speaks a 1000 words, view some of ours here.
Advisory services allow us to offer you our expertise either via Service Level Agreements (SLAs) or as part of our Continuous Red Team (CRT) Assessments.
We offer a variety of training courses which are fun, practical, extremely hands on and very informative. These courses have been conducted locally and internationally at some of the most prestigious security events and have been identified by some of the industries most renowned players as very valuable.
Through our security assessments and as part of our research, Telspace Africa's analysts routinely discover zero-day vulnerabilities in a number of software products. We follow our established responsible disclosure policy when communicating with vendors and provide them with detailed technical information, as well as proof of concepts regarding the flaws we find. For a list of our published security advisories please visit our blog.
Telspace Africa regularly presents at high-level goverment and internationally recognised security confrences. We are often interviewed locally and internationally by magazines, television and newspapers.
This course is an introduction to the basics of ethical hacking. It covers most of the aspects one requires to get started in this field. It has been created for students with limited to no prior experience with ethical hacking. This very exciting course will take each student through the process of ethical hacking, from setting up your virtual machines or desktops to prepare for assessments, through to enumeration and exploitation of networks and systems. This course focuses on attack and defence from an ethical and black hat point of view.
Who should attend
General IT Security specialists and administrators
IT Security Specialists who are interested in hacking
Security Officers for organisations and companies
Network administrators
Any individual who may be interested in these topics
Course Topics
Penetration testing methodology (White Box, Black Box and Gray Box)
Your target and information gathering
Mapping vulnerabilities
Social Engineering
Exploitation of mapped vulnerabilities
Privilege escalation
Maintaining access and pivoting
Course Duration
2 Days
Prerequisites
Basic knowledge of TCP/IP networks
Participants must bring their own laptop that is able to boot from a USB and / or CD ROM
Participants must have administrative rights to install software on their laptop
This course hopes to demystify threats web developers are faced with when developing web applications. Even for the aspiring web security analyst, this course will discuss all attack vectors in hacking web sites including those identified by OWASP. From an in depth view into profiling, authentication bypassing to attacking web platforms. If you are interested in web hacking this course is a must and should not be missed.
Who should attend
IT Security Specialists who are interested in hacking
Security Officers for organisations and companies
Network administrators
Any individual who may be interested in these topics
Course Topics
Overview of Attacks
Attack Methods
Attacking the client side
Securing Web Applications
Course Duration
2 Days
Prerequisites
Basic knowledge of TCP/IP networks
Participants must bring their own laptop that is able to boot from a USB and / or CD ROM
Participants must have administrative rights to install software on their laptop
Telspace Africa follows a Co-ordinated Vulnerability Disclosure (CVD) process.
Upon discovery of a vulnerability, Telspace Africa will attempt to contact the vendor via their security@ , secure@, info@, PSIRT@, or whatever publicly available security contact information exists.
If no security contact is known for the vendor, an e-mail requesting the security contact e-mail address will be sent to certain public e-mail addresses associated with the vendor.
The vendor will be given 2 weeks (10 working days) from the date of contact for an initial response. Should no contact occur by the end of 2 weeks (10 working days), Telspace Africa will evaluate the risk to our clients and may decide, at a minimum, to disclose the vulnerability to our clients.
The vendor will be given a maximum of 90 days after date of contact to release a patch. After 90 days Telspace Africa will consider public disclosure, unless the vendor asks for more time.
The vendor is responsible for providing regular status updates (regarding the resolution of the vulnerability). If the vendor discontinues communication at any stage of the process for more than 30 days after date of contact, Telspace Africa will view the vendor as non-responsive and will consider public disclosure.
The vendor is encouraged to provide proper credit to Telspace Africa and to the researcher responsible for discovering the vulnerability. An acceptable credit is : "Credit to [Name of researcher] of Telspace Africa”.
The vendor is encouraged to coordinate a joint public release/disclosure with Telspace Africa so that advisories of the vulnerability and resolution can be made available together.
If the vulnerability is being actively exploited in the wild Telspace Africa will work with the vendor on an escalated disclosure timeline, potentially less than seven days, after date of contact i.e. if exploitation is experienced on a wide and public scale.
The vulnerability information will be published by Telspace Africa when: a) The agreed disclosure date is reached and / or one of the aforementioned conditions are reached b) The vendor issues a fix/patch and / or security advisory.
We will work with the affected party to ensure that a CVE entry, which is used to track vulnerabilities, is assigned to the vulnerability whenever possible, either alongside the reported vulnerability or after the fix/patch.
For any other questions or concerns related to our approach to vulnerability disclosure, please contact us at [email protected].
Wireless Hacking 101
About the Course
This training course hopes to demystify threats people are faced with when using wireless technology, and to give you a greater understanding of techniques and tools used by attackers in compromising wireless networks. This includes how to have fun with the various techniques taught in the course.
Who should attend
General IT Security specialists and administrators
IT Security Specialists who are interested in hacking
Security Officers for organisations and companies
Network administrators
Any individual who may be interested in these topics
Course Topics
Introduction to wireless hacking
Wireless protocols and architecture
Network mapping and methodology for securing wireless networks
Wireless hacking tools and attacks
Defending against wireless hacking
Course Duration
2 Days
Prerequisites
Basic knowledge of TCP/IP networks
Participants must bring their own laptop that is able to boot from a USB and / or CD ROM
Participants must have administrative rights to install software on their laptop
The Social Engineering 101 course is geared at corporates who require assistance in training their staff up against social engineering attacks. The course duration and topics are determined based on who is attending the training i.e. the course is tailor made / adapted based on who is attending the training. This allows for more targeted and effective training.
Who should attend
All employees
Course Topics
What is social engineering
The human weakness
Different types of social engineering attacks (chosen based on which stakeholders are attending the training)
How to defend against social engineering attacks
Course Duration
Dependent on which stakeholders the training is for but typically between 4 to 8 working hours
ITWeb Security Summit 2015 – Speakers, Sponsors and Exhibitors
ITWeb Security Summit 2015 – Speakers, Sponsors and Exhibitors
Limpopo ICT Youth Conference 2015 - Speakers
and many more
Privacy Statement for Telspace Africa (Pty) Ltd
1. Definitions
In this privacy statement, the words below have the following meanings assigned to them:
“aggregate information” is the collective, consolidated information of users of the website that is pooled together and where users are only identified as part of the pool in general terms and are not identified individually.
“data subject” is a person to whom Personal Information relates.
“personal information” as defined in the POPI Act, and in relation to the Data Subject.
“process information” means the automated or manual activity of collecting, recording, organising, storing, updating, distributing and removing or deleting personal information.
“we”, “us”, “our” and “Telspace Africa” means Telspace Africa (Pty) Ltd.
“website” means the internet site with “Telspace Africa” in the address.
“you” and “your” means the user of the website.
2. We care about your Personal Information
We respect your privacy and are committed to safeguarding your Personal Information and keeping it confidential. The objective of this Privacy Statement is to set out how we collect, use, share, otherwise process, and protect your Personal Information, in line with the Protection of Personal Information Act 4 of 2013 (“POPI Act”).
We acknowledge our responsibilities in relation to the integrity, confidentiality and protection of your Personal Information and have taken reasonable technical and organisational measures to prevent unlawful access to, loss, damage, or unauthorised destruction thereof.
We will process your information for different purposes, such as to personalise your experience and to communicate with you about our services and offerings.
3. Our responsibilities
We will only use your Personal Information for the purpose required to assist you, or provide solutions to you. We will not share or further process your Personal Information with anyone if it is not required to assist you with your solutions, or unless it is required by law.
We will ensure that your Personal Information is accurate, complete, updated and not misleading by obtaining your Personal Information directly from you.
It is important to note that if you include the Personal Information of other Data Subjects when engaging with us, we will also process their Personal Information for the purposes set out in this Privacy Statement. When you give us Personal Information about other Data Subjects, you confirm that you have received their permission to share their Personal Information with us for the purposes set out in this Privacy Statement or any other related purposes.
We will ensure that any contracted third party with whom we share your Personal Information, agrees to keep your information confidential and appropriately secured.
We will not sell or rent your Personal Information to third parties. The only information about users we will ever disclose to third parties is aggregate information as defined above.
4. Your consent
Should you wish to engage with us, or make use of our services or offerings, we do require your acceptance of the terms and conditions of this Privacy Statement.
By visiting the website and receiving electronic information or communication by electronic means, you consent to the website’s agreements, notices and disclosures.
When you engage with us through our website, you consent to the processing of your information for the purposes set out below:
To administer and manage systems, websites and mobile applications.
To contract with you and manage our ongoing relationship with you.
To make sure that our records are accurate and up to date.
To enable Telspace Africa and contracted third-party providers to provide you with our services or to communicate with you about these.
To enable Telspace Africa or a representative approved by Telspace Africa to advise you of, or offer to you, any enhanced services, or new services that become available from time to time and which you may become entitled to or qualify for.
To respond to your queries.
To analyse, assess and improve our business and services.
This Privacy Statement may be updated from time to time, and the latest version applies each time that you visit our website. We are not responsible for the content or privacy practices of non-Telspace Africa websites to which our website may refer.
You agree that we may keep your Personal Information until such time as we are compelled or requested by you to delete it. Where we cannot delete your personal information, we will take all steps to de-identify (anonymise) the data. In some cases, we may use cookies and other tracking technologies to collect Personal Information, or to collect information that becomes Personal Information if we combine it with other information. This enables us to improve your future visits to our site.
5. Your rights
We respect your right to object to, or withdraw your consent for the processing of your Personal Information. If you wish to withdraw your consent to process your Personal Information, or if any of your Personal Information is incorrect, inaccurate or incomplete, please notify us.
You can ask us about the Personal Information that we have about you. If you wish to request this information, a specific application must be completed.
For any of the above queries, you can contact us on the following email address: [email protected]. If we are unable to resolve any questions or concerns you may have, you can approach the Information Regulator.
Advisory Services
CRT & Advisory
Continuous Red Team (CRT) testing with Advisory Service gives you a holistic overview of your security posture by conducting various assessments covering a wide scope.
This includes internal and external attack and penetration tests, mobile application assessments, wireless network assessments and social engineering.
Advisory Services are often paired with CRT testing in order to assist with transferring valuable skills to your Internal Security and IT Audit staff. These assessments are normally conducted over twelve months.
Service-Level Agreement
This agreement is perfect for those with smaller IT budgets, or larger corporates that would like to maintain the work that was done as part of a larger vulnerability assessment. You can utilise consulting hours or days as required, in terms of our service portfolio offerings.
This option is done on a month-to-month basis and can include the following services as per your individual needs:
Informing companies of new security trends
Information and new products available
Participation in new infrastructure rollout meetings
Serving as an advisory board for the company on security concerns and issues
Assessments on demand that would take up consulting hours or days
Identify and help mitigate risks on an ongoing basis
The objective of this service is to identify and report on security vulnerabilities on a wide level to allow you to close the issues, thus raising the level of your security protection overall.
Read more...
Full disclosure test (White Box)
This test is conducted by allowing us complete access to information about the target that would otherwise be unavailable to external intruders, such as targets locations, various network diagrams, and source code. This assessment best simulates an internal attacker/threat could do with information about your systems. A typical engagement includes a standard network topology.
Blind Test (Black Box)
Here we simulate an intruder's view of the target, only information that can be acquired by an actual attacker is used to conduct the test. For example, we only know about your company and what you do no additional information is provided. Blind tests are good assessments but do not take into account insider threat.
Partial Disclosure Test (Grey Box)
This can be considered a variation between a full disclosure and a blind test. Specific information might be disclosed about target(s), but not to the same extent as a full disclosure test. This is often the choice if you require a happy medium.
Web Application Assessments
Our manual web application assessments identify and report on security issues related to online web applications.
Our assessments make use of hands on methods (not tools) and typically we assign one or two security analysts to new engagements.
Read more...
White Box Testing (Code Review)
When a white box assessment is chosen, we review each line of code in a specific web application for various security issues and bugs. This is a tedious task but is often necessary to solve any bugs that would not usually be found when utilising the black box method. The white box assessment usually takes a longer period of time than the black box method, however it is usually more extensive and produces better results.
Black Box
A more popular method of testing websites is the black box web application assessment. When you choose this option, we do not have access to source code or any information that assists us in finding out exactly how that web application is coded.
Essentially, we do not have access to the way the web application is put together and coded.
This is a more effective attackers view of the web application and is a shorter test in general.
We alway recommend a web application assessment prior to the actual release of the web application. This will allow the client to close serious issues pre-production - it is always better to be proactive about security, as opposed to reactive.
Mobile Application Assessments
The mobile application assessment services are in many ways similar to our web application assessment services, they are often built on existing web-based components, therefore mobile applications are also susceptible to similar security vulnerabilities.
Read more...
Our mobile application assessments are a manual, hands on assessment which can be conducted for applications running on operating systems such as iOS, Android, Blackberry OS & Windows Mobile.
We will provide your organisation with insight into how well your applications protect sensitive information. This would include various forms of penetration testing attacks, business logic attacks and identifying vulnerabilities that can be addressed before putting the application into production.
Red Teaming
Hire us to mimic your real-world adversaries! Rather us than a real criminal right? Our Red Team assessment is the most realistic and comprehensive assessment that we offer. During these assessments, we find entry points into the organisation by any means possible. Red Team assessments are best if you want to see what techniques real-world adversaries, that aren't constrained by scope, might use.
Read more...
They are also a great way to test your defenses as only a handful of individuals are aware of the assessment, security teams will be left to react as if it is a real attack.
Why do a Red Team assessment if you already do penetration testing assessments?
Red Team assessments have a broader scope.
Red Team assessments will test your detections and mitigation controls.
Add in, Teams are not aware of which systems will be targeted and when, making it more realistic of a real world attack.
In some instances, teams "harden" systems before penetration tests which leads to a false sense of security.
Traditional Red Team
When you choose this option the engagement is typically 6 - 12 months. During this time we try various techniques to compromise the organisation e.g. Social Engineering, Web App attacks, access control card cloning, WiFi attacks and many more.
Once we achieve our objectives the assessment stops and we come and present the results. This is always an eye-opener for organisations.
Continuous Red Team (CRT)
This assessment is basically identical to the Traditional Red Team. However it addresses a major concern that clients have and that is that they are vulnerable for the whole duration of the Red Team i.e. 6 to 12 months.
Therefore during a CRT engagement, we report back on what we found each month. This allows you to show continuous improvement and ensure that other attackers can't use the same vulnerability to compromise your organisation. CRT goes great with Advisory!
This will give you a dedicated consultant each month to run feedback sessions, explain the findings, retest, assist with remediation and transfer skills.
Social Engineering
Social Engineering is one of the oldest and best known attack methods i.e. people have been deceiving and manipulating other people for thousands of years. We adapt these traditional techniques for today's world. Social Engineering is a great way to see how aware your organisation is about these techniques and how susceptible they are to them.
Read more...
Unfortunately, many times people are the weakest link in your security thus this service is a great way to test and educate your users. Some of the techniques we use:
Our daily, weekly or monthly vulnerability assessments are an extremely cost effective way to identify and report on security issues contained in websites, applications, software and/or devices that could potentially be subject to exploitation.
This will allow you to close issues pre-production. It is always better to be proactive about security, as opposed to reactive. Download our Managed Vulnerability Service (MVS) brochure here.
MVS uses a number of well known and private tools to provide you with a list of vulnerabilities and security weaknesses found across your network perimeter or internally.
MVS scans for the following types of issues:
