locuz.com Professional Services Security Audit Services

Transcription

1 locuz.com Professional Services Security Audit Services

2 Today s Security Landscape Today, over 80% of attacks against a company s network come at the Application Layer not the Network or System layer. Immunity against security threats is becoming one of the leading challenges for Enterprise community. The race to go online and develop competitive services are enabling enterprise communities to launch web applications rapidly with less attention to security risk s making the sites vulnerable. Interestingly many corporate sites are vulnerable to hackers in touch of a button. Locuz follows complete, established and highly effective methodology to help organizations across various verticals address the vulnerabilities and improve their security posture. Locuz is CERT-In empanelled IT Security Auditor Today's security challenges require a fresh look at connectivity and its related security from a fundamental, architectural, perspective. Regulations / Compliance Base II, Sarbanes-Oxiey, HIPAA, SEC, PCI DSS etc Shareholder Value Brand and Reputation Dynamic Threat Environment Internal and external threat environment not improving Attacks becoming more targeted and financially motivated Attacks becoming more sophisticated, targeting applications as well as networks Organized criminal gangs taking over from teenage hackers and "script kiddies"

3 Security Services Framework Our security services comprises of processes and technologies that provide secure access to your business applications and new endpoints. BUSINESS GOALS & OBJECTIVES Risk Assessment SECURITY POLICY Security Operations VISIBILITY CONTROL Identity & Access Mgmt Active Monitoring Corelation & Analysis Hardening Isolation & Remediation Policy Enforceme nt CONFIDENTIALITY INTEGRITY AVAILABILITY Security Services Portfolio Governance, Risk & Compliance BCP Mobile Security Infrastructure & Network Security Cloud Security Security Information & Event Management (SIEM) Identity & Access Management / Single Sign-On Security Posture Assessment (VA / PT) Security Operations Center (SOC) End Point Security Data Loss Prevention (DLP) Web Security & Mail Security

4 Security Audit Methodology We indeed integrate the best security testing practices of the industry conforming to Information Security compliance standards and our commitment to ensure the highest possible confidentiality. Every activity is performed only after identifying the complete architecture of the network and its complexity. Preparation 1 Scanning 2 5 Documentation Enumeration 3 4 Vulnerability Analysis The steps followed in the Audit process are given below: Preparation: Identifying critical areas to perform the audit Scanning: Understand the organizational processes, complexity and technical configurations of the Infrastructure Enumeration: Collection of network resources and understand the active connections to systems and direct queries Vulnerability Analysis: Understand the vulnerabilities and impact on information such as web applications variables, etc Documentation: Documentation of information and provide scanned reports on the vulnerabilities and impact. Value Proposition CERT-In Empaneled Auditor Best of class Certified Ethical Hackers & Security Specialists Combination of State-of-the-art tools Insightful Reports Deep Domain knowledge (Industry Regulations, Compliance needs etc) Field tested methodologies based on standards and proven frameworks Strategic Technology Alliances with Security Vendors End-to-End Security Consulting, Deployment & Management SOC Service Provider

5 What we do? Vulnerability Assessment & Penetration Testing Testing Scope Vulnerability Relevance Usefulness of Test Results Network Connection Testing Remediation Assistance Testing of Other Security Investments Security Risk Assessment Vulnerability Assessment Scans for all potential network vulnerabilities. Categorizes vulnerabilities based on standardized, theoretical information - not customized to the tested network. Provides false positives, identifying vulnerabilities that cannot be exploited. Does not address connections between network components. Delivers long lists of vulnerabilities, limiting remediation options to widespread patching. Does not simulate attacks to test IDS, IPS or other security technologies. Only identifies missing patches, making it impossible to truly assess security risks. Penetration Testing Identifies vulnerabilities and determines if they can actually be exploited. Tests vulnerabilities on specific network resources, enabling prioritization of remediation efforts. Exploits vulnerabilities, identifying only those that pose actual threats to network resources. Exploits trust relationships between network components to demonstrate actual attack paths. Assesses the potential risks of specific vulnerabilities, allowing users to patch only what is necessary and to test the effectiveness of patches and other mitigation strategies, such as intrusion prevention. Launches real-world attacks to determine if other security investments are functioning properly. Safely mimics the actions of a hackers and worms, providing risk evaluations based on tangible network threats.

6 Web Application Testing Test Category Test Types Web App Testing Authentication Authorization Logical Attacks Client- Side Attacks Command Execution Information Disclosure System Vulnerability Check Brute Force Insufficient Authentication Weak Password Recovery Validation Credential/Session Prediction Insufficient Authorization Insufficient Session Expiration Session Fixation Abuse of Functionality Denial of Service Insufficient Anti-Automation Insufficient Process Validation Content Spoofing Cross Site Scripting CGI Scripting Buffer Overflow Format String LDAP Injection OS Commanding SQL Injection SSI injection Directory Indexing Path Traversal Predictable Resource Location Information Leakage ICMP Checks Windows NT Checks TCP & UDP Port Tests Stealth testing DNS Spoofing RPC testing Initial Sequence Number Prediction FTP abuse checks SMTP relay checks (spam) LDAP checks SNMP checks DNS and bind checks SMB/ NetBIOS checks NFS checks NIS checks WHOIS checks Domain checks Spoofing checks Extensive, Including application specific

7 Partial Clientele List

8 locuz.com About Locuz Locuz is an IT Infrastructure Solutions and Services company focused on helping enterprises transform their businesses thru innovative and optimal use of technology. Our strong team of specialists, help address the challenge of deploying & managing complex IT Infrastructure in the face of rapid technological change. Apart from providing a wide range of advisory, implementation & managed IT services, Locuz has built innovative platforms in the area of Hybrid Cloud Orchestration, High Performance Computing & Software Asset Analytics. These products have been successfully deployed in leading enterprises and we are helping customers extract greater RoI from their IT Infrastructure assets & investments. Security Audit Services Locuz Enterprise Solutions 401, Krishe Sapphire, Main Road, Madhapur, Hyderabad , Telangana, India