Information Security Services

Transcription

1 Information Security Services

2 Information Security In 2013, Symantec reported a 62% increase in data breaches over These data breaches had tremendous impacts on many companies, resulting in intellectual property data theft, and over 552 million data leaks including credit card numbers, medical records, home addresses, passwords, financial information, and other personal information. Given the complexity of most networks, many have unpatched security vulnerabilities that, if exploited, can have devastating effects on company operations and a severe long-term financial impact. Regular security assessments and penetration tests are therefore a necessity to protect corporate and customer data from online threats. Our security team has over 22 years of hands-on penetration testing and vulnerability analysis experience, offering a level of protection superior to many competitors who often only run simple automated scans. Through the use of unique in-house tools combined with extensive experience and adherence to industry standard guidelines (NIST, OWASP), we are able to keep our clients data secure from threats. SECURITY IS A PROCESS, NOT A PRODUCT. - BRUCE SCHNEIER Following this philosophy, we offer discounted pricing for quarterly application security assessments for those clients who require the highest degrees of security. Mobile Application Assessment The popularity of mobile devices has created an excellent new way for companies to offer value to their consumers through the use of mobile applications. However, the main focus during the development cycle is usually the user experience, and proper security is rarely ever implemented. As seen previously, this will result in customer data loss, and in some cases provide a way into the main corporate network through improper configuration of backend services. Depending on the application being assessed, Acumen s security detail first creates a compliance checklist, followed by a full run time binary analysis as well as a thorough code review. This results in a comprehensive report identifying the vulnerabilities found along with a detailed risk assessment for each. Acumen s expertise as a world-class application developer places us years ahead of our competition in this field. For more information on mobile security threats, please refer to our Security Threats and Audit Techniques for Mobile Devices paper. Web Application Assessment Our Web application security assessment consists of a comprehensive evaluation of the security status of a web application. These include cloud services, online stores, payment processing systems, banking web portals, amongst others. Given the complexity and diversity of many web Acumen Innovations Information Security Services 1

3 applications, this service is highly customized for each client. The assessment consists of a careful study of the structure and flow of the application, identifying logic flaws, improper input sanitization, correct session management, correct cryptographic implementation, vulnerabilities in software used, system level assessment and much more. At the end of the assessment, a thorough report will be delivered which will include all the vulnerabilities found along with a risk rating for each, and possible ways to fix the issues. This type of assessment will do the following: Reveal security vulnerabilities resulting from implementation flaws Expose flaws in outdated back end services and software Assess the likelihood of different attacks Assess security impacts if the application is breached Increase client confidence in the application s overall security Source Code Audit Much like a mobile application code audit, our security engineers will review the source code to identify weaknesses. The audit will include: Review of authentication, authorization, and session management procedures. Identification of memory safety issues such as buffer overflows/underflows Review of proper mechanisms to secure sensitive data Validations of proper cryptographic protocols such as correct implementation of hashing algorithms, symmetric vs asymmetric protocols, secure communications and more. Internal Vulnerability Assessment During an internal vulnerability assessment, Acumen engineers identify attack vectors coming from within the network. Rather than examine vulnerabilities coming from outside the network, this type of assessment examines weaknesses that may be exploited by someone within such as an employee, a guest, or a breach in the wireless systems. Some of the areas of focus include the following: Packet traffic monitoring, focusing on credentials and insecurely transmitted confidential information. Proper security policies to restrict access to sensitive information such as creation and use of restricted accounts. Privilege escalation exploits enabling a restricted user to gain more privileged roles such as system administrator through common operating system and software vulnerabilities. Internal password policies and compliance. Acumen Innovations Information Security Services 2

4 Penetration Testing Reconnaissance Exploitation Privilege escalation Reporting Penetration testing is the most advanced security assessment offered. There are two types of penetration tests, external (black box) and internal (white box). An external penetration test, the most common type offered, simulates a real-world attack from a malicious hacker or group of hackers with no inside knowledge of the organization. It differs from a vulnerability assessment in that ethical hacking techniques are used to attempt to exploit the vulnerabilities found in the client s systems in order to measure the severity of these security weaknesses. The difference between a real attacker and our security analysts are the permissions given and the detailed scope of work agreed upon before starting the test. The objective of this exercise is to first identify if an external attacker can infiltrate the network, and if done, what information would be available and what level of access can be achieved. False positives are eliminated and a Business Impact Analysis is conducted. An internal penetration test simulates a malicious attack from an individual with some level of authorized access or who has obtained network access. This test is done in conjunction with the targeted organization s IT team and, since it is carried out internally with the IT team, it is essentially an internal security audit of the targeted organization s security architecture and provides excellent value to a client striving to build a strong, effective cyber security defense posture. We recommend an internal penetration test to every company that has only implemented perimeter defense measures to protect their IT infrastructure, since bypassing these defenses in various ways is always a possibility. Penetration testing requires a high level of expertise and knowledge in order to be successful, going far beyond anything any automated tool can provide. In most cases, a successful penetration tester will have to write custom exploits; thus, extensive programming knowledge and experience are needed. Although the exact scope and length of each test varies, most external penetration tests are divided into the following areas: RECONNAISSANCE: Usually the longest part of a penetration test, the main focus of this stage is to gather as much information about the target as possible. No exploitation is done during this phase. Company information gathering including key personnel Firewall, IDS, IPS identification and evasion Servers in the DMZ including Routers, DNS, SMTP and more Identification of running operating systems, services and associated exploits Web and mobile application vulnerability identification Physical location entry points and wireless identification. Acumen Innovations Information Security Services 3

5 VULNERABILITY TESTING AND EXPLOITATION: During this stage, our staff will use all the information gathered during the reconnaissance phase in order to come up with attack vectors. This will include: Creating custom password lists to brute force password authenticated systems. Conducting strategic social engineering attacks such as targeted phishing to compromise an internal user. Creating custom exploits where required for discovered flaws. Conducting wireless attacks such as evil twins, Man in the middle, exploiting outdated encryption standards and carrying out attacks against new encryptions. Conducting client side attacks PRIVILEGE ESCALATION: Once inside the network, the next step is to move around and escalate to more privilege user accounts in order to have unrestricted access to the systems. At this stage in the test the systems have been compromised, and the next step is to seek out sensitive information. This is done by: Monitoring network traffic packets. Pivoting inside the network, looking for different systems. Exploiting OS and software flaws CLEANUP AND REPORTING: The final stage of the penetration test includes removing any files including shells, key loggers and other tools used by our staff during the attack. Finally, the most important part of the assessment is carried out: the Audit Report. This report will include: A detailed step-by-step guide on how the attack was carried out The vulnerabilities identified and exploited, along with Proof of Concept exploit code where applicable. A complete risk and threat rating for each vulnerability identified and exploit carried out, taking into account exploit complexity. A list of improvements and recommended security updates, including account and password policy review, recommended OS/Software update patches with a priority ranking, and more. Regulatory Compliance Regulatory compliance is a cumbersome endeavor that seriously affects a business operations. Protecting corporate and customer information is critical in order to meet the regulatory compliance requirements in place today. Increasing penalties and reputational damage due to non-compliance have turned this task into a major issue for many organizations. Pressures from regulators loom over businesses of all sizes. Corporate regulatory compliance issues can be complex and highly time-consuming. The substantial penalties imposed for noncompliance mean avoiding the issue is not a feasible option for a business. Therefore, addressing the issue effectively is critical. Acumen Innovations Information Security Services 4

6 We provide our clients with expertise in dealing with regulatory compliance requirements. We will identify regulations applicable to your organization and manage the process of achieving compliance. In addition, our team will provide insights on the regulatory process, and the best methods to ensure to do not fall into non-compliance at a later date. We can assist you in achieving regulatory compliance in the following areas: Sarbanes Oxley Act (SOX) Health Insurance Portability and Accountability Act (HIPAA) Health Information Technology for Economic and Clinical Health Act (HITECH) Information Security Program Development Most organizations are not adequately prepared to respond to incidents that threaten the unimpeded operations of their business. Security breaches that lead to the loss of critical systems, processes, or data can send an organization in a rapid downward spiral. In the current threat landscape, a plan that enables a business to rapidly and effectively recover from downtime and assist in avoiding disaster is not a luxury but rather a critical success factor for business continuity. We provide information security program development consulting services that assist organizations in developing flexible and comprehensive solutions that maintain the availability of their information system infrastructure, critical data and core business processes in the event of a security incident. The purpose of an information security program is the management and governance of IT security architecture in order to reduce security risk so organizations are able to fulfill their core business functions without hindrance. Proper governance must be implemented to ensure that proactive controls are implemented in a cost-efficient manner. Program management will identify and assign key security roles and responsibilities. This extends to policy development, oversight, and monitoring activities. Throughout the process, new and evolving IT security risks and threats must also be addressed. We will help your organization establish and maintain a framework with a concomitant management structure and clear roles and responsibilities. We work with you to develop information security strategies that are in alignment with your business objectives and any applicable laws and regulations in order to optimize risk management. In establishing a formal governance and management structure, we ensure that your organization s board members and senior management value the importance of an information security program as an integral component to your organization s overall strategic plan. Incident Response Effective security breaches are usually targeted and damaging, resulting in a victim organization that finds itself in complete disorder. Security incidents are planned attacks on the communications or information processing systems of an organization and could be perpetrated by a variety of actors, from an angry employee to a hacker who has found valuable information to obtain. Therefore, an effective incident response program is a crucial aspect of an organization s Acumen Innovations Information Security Services 5

7 information security program. A serious data breach can place an entire organization in crisis mode. The IT department comes under extreme pressure during a major security incident. In implementing a comprehensive incident response plan, roles and responsibilities are defined, procedures are established, and communication is clear. We will provide you with access to a team of professionals with expertise in security, forensics, and regulatory compliance. Preparation is the most important component to consider in an incident response plan, but once a breach occurs, our emergency team will work to rapidly identify and contain security incidents, eliminate all threats, and minimize the impact and duration of the data breach. We can help your organization make optimal decisions when it matters most, leading to damage control and recovery from even the worst incidents. Incident Response Team- On Retainer Suffering a data breach is an alarming scenario for any organization. Our response team will act decisively to protect your organization with urgency and expertise. They will be available on call at any hour of the day until the incident has been conclusively resolved. The team will work to minimize disruption, data loss, and the duration of the incident. The response team will possess detailed knowledge of your systems architecture which allows for the most effective response possible. A member of the response team will also be onsite fighting the incident in a familiar environment within no more than 24 hours. When it comes to averting a potential data breach, we provide a thorough response until threats are definitively eliminated and normal operations can resume. Our Incident Response Retainer results in a lower cost for your organization in the event of requiring an incident response team to eliminate a security incident. Surplus hours will go towards improving your incident response program and capabilities. For more information about our services, please contact us at or info@acumeninnovations.com to schedule a free consultation. Acumen Innovations Information Security Services 6