A Penetration Test is an intrusive type of assessment which simulates an attack by a malicious hacker. The process involves a Vulnerability Assessment (VA) followed by active attempts to exploit the vulnerabilities found, both to validate each vulnerability and to evaluate the impact that its exploitation could have on the target organization. While the Vulnerability Assessment might identify the absence of anti-virus software on a system or unpatched software as vulnerabilities, the Penetration Test determines the extent to which existing vulnerabilities can be exploited and the damage that could be inflicted on the organization as a result.
- External Security Assessment – An External Security Assessment identifies security weaknesses and strengths of an organization’s systems and networks as they appear from outside the organization’s security perimeter, usually from the Internet. The goal of an External Security Assessment is to demonstrate the existence or absence of known vulnerabilities that could be exploited by an external attacker.
- Internal Security Assessment – An Internal Security Assessment identifies security weaknesses and strengths of an organization’s systems and networks as they appear to internal users operating within the organization’s security perimeter. Through the Internal Security Assessment it is possible to assess the risks associated with attacks originating from a compromised internal host or from disgruntled employees.
Wireless and Mobile
The aim of this Assessment Module is to demonstrate the existence or absence of vulnerabilities that are visible and exploitable through wireless networks and mobile devices, both from outside and from inside the organization’s facilities. This Assessment Module addresses desktop and laptop computers as well as modern mobile devices such as smartphones, iPads and any other device with wireless connectivity. This Module is both technical and process oriented in nature, assessing both the technical vulnerabilities and the overall process for managing mobile security risks.
The aim of this Assessment Module is to demonstrate the existence or absence of vulnerabilities in a given Web application providing internal or client-facing services. This module employs specific testing techniques to find security flaws and weaknesses in Web applications. We follow Open Web Application Security Project (OWASP) guidelines for application security assessment.
Source Code Review
The aim of the Source Code Review module is to identify any coding vulnerability that affects the normal execution of the software and may have been missed by the standard software development process and software assessment. This Assessment Module begins with a review of the software design documentation, continues with a review of the individual software modules and their inter-communications, and goes down to a review of the source code itself, with the aim of finding any logical, programmatic or accidental inconsistencies.
Network & Systems Architecture
The objective of this Assessment Module is to assess the security posture of the organization’s network and systems infrastructure by reviewing the current network design and the deployment of security devices (network and Web application firewalls, IDS/IPS, HIDS and HIPS) against security best practice and the organization’s stated business objectives, risk evaluation criteria and acceptable risk levels.
Upon completion of a security assessment, we will analyze the findings and prepare a written report. This report is provided for three levels of audience:
- Technical Management
- System Administrators
The final report contains a practical overview of the security posture of the organization, associated threats and pragmatic advice on how best to mitigate any identified risks. Full technical information is also presented within the report, including step-by-step instructions for remediation of security issues.
Risk & Compliance
At the time of writing, ISO27001:2013 is the only auditable international standard which defines the requirements for an Information Security Management System (ISMS). Achieving compliance with the requirements of ISO27001 demonstrates the organization’s commitment to managing information security risks, while at the same time reducing the cost of information security incidents and improving compliance with legal, regulatory and contractual requirements. It is a milestone for all those organizations who want to be perceived as highly professional and security oriented.
Our consultants can help your company with every aspect of ISO27001 compliance, advising on everything from scope definition and policy writing to the development of security awareness training. Moreover, we can provide our clients with the following services:
- Gap Analysis
- Risk Management
- Selection of Security Controls
- Policies and procedures review
- Security Awareness Training
- Development of key information security processes
- Management of the third party certification process