IT Security Testing Services

Transcription

1 Context Information Security T +44 (0) W E gcloud@contextis.co.uk IT Security Testing Services Context Information Security

2 Contents 1 Introduction to Context Information Security 2 2 Introduction to IT Security Testing Services (Assurance) 3 3 CESG CHECK ITHC 4 4 Application Security Assessment 5 5 External Infrastructure Testing 6 6 Internal Infrastructure Testing 7 7 Build and Configuration Review 8 8 Firewall Rule-Base Reviews 9 9 Code Review Mobile Device Security Mobile Application Security MDM Configuration Reviews Wireless Testing Bespoke Training Courses Cloud Security Assessment Service Managed Phishing Service Product Evaluation CESG Product Assurance (CPA) CESG Tailored Assurance Service (CTAS) Red Teaming, STAR and CBEST Automated Vulnerability Assessment (AVA) Why work with Context? 23

3 1 Introduction to Context Information Security Context is a highly skilled consultancy that supports organisations to meet their ever evolving cyber-security challenges. Context s services include Penetration Testing, Cyber Incident Response, Digital Forensics and Vulnerability Research. Key facts: Context has one of the largest penetration testing teams in Europe The research team regularly features in both the global and national press including the BBC, The Telegraph and CBS New York Context is certified by CESG and CPNI for the Cyber Incident Response scheme to help organisations respond effectively to sophisticated cyber security attacks Context s response team investigate and resolve breaches on a daily basis Context assisted in the development of CREST and its associated standards, and has been a Green Light CESG (CHECK) service provider for over 10 years A significant number of our consultants hold CREST or CESG CHECK accreditations Context is actively involved in the UK Security Researchers Information Exchange (SRIE), OWASP, and regularly presents at industry events such as Black Hat, Hack in the Box, and CanSec West Context is an early adopter to the CBEST and CREST STAR schemes and regularly presents at industry events such as Black Hat, Hack in the Box, and CanSec West Page 2

4 2 Introduction to IT Security Testing Services Context offers several world class services under the category of assurance, these include but are not limited to: penetration testing, security assurance, design assurance and software engineering security assurance. Within each of these categories Context employs world class security consultants who are trusted by Government clients working within a wide range of governmental departments. Context holds strong levels of accreditation and boasts one of the UK s largest pools of CHECK/CREST resource. In order to ensure your penetration test is sufficiently rigorous you should insist upon utilising a CHECK Green Light Consultancy and CHECK resource. The main aim of penetration testing is to identify known technical vulnerabilities that a potential attacker might exploit in a system or environment. Once identified, Context establishes the relevant impact and weighs this against the skills needed to leverage the vulnerabilities. This in turn allows Context to assign a risk rating and thereafter provide remediation advice for the identified vulnerabilities. The main aim of security assurance and design assurance is to baseline the configuration of our clients devices. Context review configurations against industry best standards (defined by government or industry related bodies). Clients choose to undertake this service to harden their defences against malicious users and provide a heightened level of security. The main aim of software engineering security assurance is to provide a mature understanding of the potential risks posed to environments and systems. These services are based on a range of secure development principles. Page 3

5 3 CESG CHECK ITHC A CHECK IT Health Check (ITHC) identifies vulnerabilities in HMG IT systems and networks to assure the confidentiality, integrity and availability of information. Using certified, security cleared testers, an ITHC is as much about risk assessment as it is penetration testing, and assesses the security posture of the environment as well as the data stored within. Pre-engagement scoping services to ensure both coverage and value for money Large resource pool of CHECK and CREST penetration testers Security cleared consultants Threat ratings based on impact and ease of exploitation Proven testing methodology to ensure both coverage and depth Cross-discipline expertise to provide assurance against emerging threats (drawing on research and response experience) Ability to report using many common vulnerability metrics Identification of vulnerabilities affecting critical infrastructure Assurance to support accreditation of IT systems Accurate threat ratings to assess vulnerability risk Recommendations for remedial actions and strategic management of vulnerabilities Page 4

6 4 Application Security Assessment Application Security Assessments identify security weaknesses in applications and provide recommendations for their mitigation. They provide assurance that an application is safe, secure and adheres to security best practices. Context draws on years of experience and a tried-and-tested, constantly evolving methodology covering all major and emerging application technologies. Pre-engagement scoping services to ensure both coverage and value for money Assessment of web-based and thick-client applications Large resource pool of CHECK and CREST penetration testers Threat ratings based on impact and ease of exploitation Proven testing methodology to ensure both coverage and depth Cross-discipline expertise to provide assurance against emerging threats (drawing on Research and Response experience) Global presence Ability to report using many common vulnerability metrics Identification of vulnerabilities affecting bespoke and COTS applications Accurate threat ratings to assess vulnerability risk to the business Recommendations for remedial actions and strategic management of vulnerabilities Page 5

7 5 External Infrastructure Testing External infrastructure assessments aim to answer the question, could an attacker compromise our internet-facing resources?. External infrastructure testing explores the consequences of a hacker carrying out malicious activities from across the internet. It involves surveying available network services, interrogating them for weaknesses, and trying to exploit them to extract information or compromise the network. Pre-engagement scoping services to ensure both coverage and value for money Identification of Internet-facing footprint and attack surface Identification of vulnerabilities affecting Internet-facing systems Large resource pool of CHECK and CREST penetration testers Proven testing methodology to ensure both coverage and depth Cross-discipline expertise to provide assurance against emerging threats (drawing on Research and Response experience) Ability to report using many common vulnerability metrics Assurance that critical Internet-facing systems are secure Identification of vulnerabilities and accurate threat rating to assess vulnerability risk to the business Recommendations for remedial actions and strategic management of vulnerabilities Page 6

8 6 Internal Infrastructure Testing Internal infrastructure assessments aim to identify what could an attacker do if they had access to an organisations internal network? Internal infrastructure testing is usually conducted at a client s premises and is often scenario and risk-based. An assessment could explore the consequences of a rogue employer or contractor carrying out malicious activities. Pre-engagement scoping services to identify useful attack scenarios, providing coverage and value for money Large resource pool of CHECK and CREST penetration testers Threat ratings based on impact and ease of exploitation Proven testing methodology to ensure both coverage and depth Cross-discipline expertise to provide assurance against emerging threats (drawing on Research and Response experience) Ability to report using many common vulnerability metrics Identification of vulnerabilities affecting critical infrastructure Assurance that the risk of internal attack is mitigated Accurate threat ratings to assess vulnerability risk to the business Recommendations for remedial actions and strategic management of vulnerabilities Page 7

9 7 Build and Configuration Review Build and configuration reviews ensure that laptops, workstations and servers are configured securely. Insecurely configured environments can allow malicious users to obtain unauthorised access, and if a standard build containing weaknesses is deployed across hundreds or thousands of servers, the impact can be significant. All mainstream operating systems covered (Unix, Linux, Windows etc.) Large resource pool of CHECK and CREST penetration testers Engagements carried out either on-host, or remotely via a delivered script Threat ratings based on impact and ease of exploitation Proven testing methodology to ensure both coverage and depth Cross-discipline expertise to provide assurance against emerging threats (drawing on Research and Response experience) Ability to report using many common vulnerability metrics Assurance that specific business-critical systems are configured in a secure manner Provides defence-in-depth assurance that systems are not only secure from a network perspective, but also from on-host threats (e.g. phishing attacks, privilege escalation) Accurate threat ratings to assess vulnerability risk to the business Recommendations for remedial actions and strategic management of vulnerabilities Page 8

10 8 Firewall Rule-Base Reviews Many organisations have come to rely on firewalls as a keystone of their network defences, so it is important to ensure that they are fit for purpose and delivering optimum performance. Tried-and-tested methodology covering all firewall vendors Both rule sets and device configuration are assessed (e.g. secure management interfaces, firmware versions) Large resource pool of CHECK and CREST penetration testers Ability to report using many common vulnerability metrics Assurance that perimeter and internal devices are fit for purpose and configured in line with industry best-practice Assurance that firewall implementation adheres to design Recommendations for remedial actions to ensure bare minimum security exposure Page 9

11 9 Code Review Code reviews aim to provide assurance of complex software where coverage from a black box perspective cannot be guaranteed. During a code review a consultant will combine targeted manual code inspection and automated analysis to identify security risks in software. Code review is often undertaken in support of application security assessments. Expertise in review of code in all major languages, both compiled and interpreted Assessments carried out by experts with extensive industry experience in finding and exploiting flaws in code Identification of critical areas of code Large resource pool of CHECK and CREST penetration testers Assurance that software is free from vulnerabilities arising from coding mistakes, oversights (e.g. buffer overflows), and insecure design Assurance that secure code principles are being adhered to during development An extra level of assurance alongside black box application security assessments Recommendations for remediating code problems and ensuring they are not repeated long-term Threat ratings based on impact and ease of exploitation Page 10

12 10 Mobile Device Security Mobile Device Security Assessments provide assurance that a device is safe to use in the home or workspace, and provide recommendations on how to configure them in a secure way. Context has a proven track record in performing these assessments for government, telecommunications companies and large businesses. Experience and expertise in assessing all major mobile device platforms (Apple ios, Google Android, Windows, Blackberry etc.) Methodology based upon contributions made towards CESG guidance material supplied to public sector organisations when deploying end user devices for remote working Advances in MDM security features and technologies feedback into mobile device security assessment methodologies Threat ratings based on impact and ease of exploitation Cross-discipline expertise to provide assurance against emerging threats (drawing on Research and Response experience) Advice on secure deployment of mobile devices in the workplace Assurance that risks relating to lost/stolen devices and data are mitigated Analysis of the risks presented to mobile devices from emerging threats including malware Advisory for the practices and policies relating to the integration of mobile devices within the workplace such as for Bring Your Own Device (BYOD). Page 11

13 11 Mobile Application Security Mobile Application Security Assessments identify security weaknesses in applications running on mobile devices (e.g. smartphones, tablets). Modern mobile applications often re-implement the functionality of traditional web-based applications, which can lead to many security mistakes being repeated. Additionally, modern mobile operating systems open new attack vectors, including cross-application attacks, and accidental disclosure of sensitive data. Experience and expertise in assessing applications on all major mobile device platforms (Apple ios, Google Android, Windows, Blackberry etc.) Modern testing toolset results in time-efficient mobile application security assessments Threat ratings based on impact and ease of exploitation Proven testing methodology to ensure both coverage and depth Cross-discipline expertise to provide assurance against emerging threats (drawing on Research and Response experience) Ability to report using many common vulnerability metrics Identification of vulnerabilities affecting bespoke and off the shelf mobile applications Assurance that sensitive application data is securely stored on-device Accurate threat ratings to assess vulnerability risk to the business Recommendations for remedial actions and strategic management of vulnerabilities Knowledge transfer from mature web application testing pedigree and methodology allows for the identification of often overlooked, traditional threats applied to mobile applications. Page 12

14 12 MDM Configuration Reviews As mobile devices are increasingly used to access sensitive enterprise data, the security of these devices is of increasing concern. In performing MDM solution security reviews, Context assesses the deployed MDM solution configuration, the supporting network architecture as well as the mobile device security policies and management processes. The assessment is performed via hands-on reviews of the MDM configuration, paper-based review of the design documentation and policy documents as required, as well as conversations with key technical operators. A pre-testing consultancy focused on establishing which personnel to interview and which documents to review Audit review of any documents related to the running of the MDM solution, including security and device policies A review of MDM server configurations, whether it aligns to both security best practices and documented policies Testing the relevant mobile devices to verify the policy and configuration options provide expected device security Assurance that corporate MDM systems and BYOD set-ups are securely Assurance that risks relating to lost or stolen devices and data are mitigated Advisory for the adequate integration of the MDM system into the wider client infrastructure Page 13

15 13 Wireless Testing Wireless connectivity is now an expectation for many: in the home, in public places and in the workplace. This has long been an area where Context has focused its efforts, in research and development of best practice in the field. Extensive experience in all types of wireless, RF-enabled technologies Identification of rogue devices on wireless networks Analysis of wireless network segregation and passive information leakage. Threat ratings based on impact and ease of exploitation Proven testing methodology to ensure both coverage and depth Cross-discipline expertise to provide assurance against emerging threats (drawing on research and response experience) Ability to report using many common vulnerability metrics Identification of threats affecting corporate and guest wireless networks Assurance that wireless networks are appropriately segregated Assurance that sensitive wireless data is appropriately encrypted Accurate threat ratings to assess vulnerability risk to the business Recommendations for remedial actions and strategic management of vulnerabilities Page 14

16 14 Bespoke Training Courses Context run a number of training courses for individuals looking to enhance their specialist skills. We also provide courses aimed at non-security specialists, such as training to help organisations cope in the aftermath of a security incident, or raise awareness of security issues. Hands on courses delivered by subject matter experts with industry experience Hosted in a dedicated training suite capable of holding 20 delegates Courses containing industry insight that s not available from other vendors Upskills security teams Reduced development costs in the future Helps security officers drive up best-practice across the estate Certification recognizing completion of training Page 15

17 15 Cloud Security Assessment Service As a result of the increasing popularity of Cloud computing, clients have frequently requested our support in helping to improve the security posture of their Cloud-based systems. Our Cloud Security Assessment Service analyses the security of the client s Cloud system from multiple perspectives, drawing on expertise from our Assurance team as well as research conducted by Context against several cloud providers. External application and infrastructure penetration testing of cloud environments Scenario testing of cloud node segregation Architecture review Cloud VM hardening assessment Remote administration review Vulnerability Scanning Gain assurance over cloud environment security Multi-perspective assessments covering a range of potential attacks Context have significant experience in this space, for more information see Page 16

18 16 Managed Phishing Service Context s managed phishing service allows an organisation to send simulated phishing s to their users in a controlled manner. User actions are tracked safely, user awareness is benchmarked and trends can be analysed across regular assessments. This assesses an organisation s resilience to these attacks, both from a technical and staff awareness perspective. Customized phishing assessments ranging from single users to company-wide assessments Assess technical controls to mitigate phishing attacks Measure and track employee awareness of common phishing attacks Educate users to identify and report suspicious s Assessments tailored to customer environment Benchmark the effectiveness of controls to prevent phishing attacks Approach can include technical assessment and simulated phishing exercise Page 17

19 17 Product Evaluation Context consultants also conduct comprehensive product security evaluation exercises. These may cover hardware and software products of all types, including, for example, firewalls, telecoms equipment, anti-malware technologies used in the banking sector, voice biometric systems and a range of mobile and wireless devices and technologies. Bespoke tools and methodologies are designed specifically for the device(s) under review Product evaluation approaches are aligned to methodologies and activities conducted by Context s state-of-the-art research team Assess the security stature of the product for its ability to operate safely in specified environments Ability to assess devices for compliance against a variety of evaluation schemes and sensitivity criteria such as CPA Page 18

20 18 CESG Product Assurance (CPA) Context is qualified to evaluate products on behalf of CESG under the CESG Product Assurance (CPA) service. CPA certification provides a product with entry into an approved list from which government departments and industry partners may purchase. CPA is essentially a certificated accreditation process for products to be used by government, public sector and any industries requiring access to UK government accredited networks. CPA certification enables product vendors to sell their products into government and public sector departments, the wider public sector and associated industry for use in communications networks requiring IL2 and IL3 accreditation. Experience certifying products across a wide-variety of security characteristics CPA provides products with entry into an Government approved list CPA scheme evaluates commercial off the shelf (COTS) products CPA assists COTS developers with published security and development standards CPA consolidates previous schemes to provide simplified, certificate-based assurance One of the first companies on the scheme with CPA lab onsite Provide end-to-end service from producing assurance plans for defined security characteristics to submission to CESG Page 19

21 19 CESG Tailored Assurance Service (CTAS) The CTAS scheme provides tailored accreditation of customer environments to government standards. Context is a CESG Tailored Assurance Scheme (CTAS) company and has a wealth of experience providing CTAS services on behalf of CESG. Context utilize their CLAS and CHECK teams to deliver an unrivalled breadth of CTAS services. These may range from minor software components to national infrastructure networks. Large pool of CREST and CHECK accredited testers Pre-engagement assistance as needed Creation and implementation of security targets, evaluation work plans and audit maintenance plans Performance of CTAS testing to CESG standards. Highly skilled consultants with experience working within government Bespoke, highly skilled assessment of novel technologies and systems Government accreditation of a system, product or environment Context take a cost effective approach to CTAS environments Project managed by experience personnel Page 20

22 19 CESG Tailored Assurance Service (CTAS) Page 21

23 20 Red Teaming, STAR and CBEST Assessments Context s red team engagements emulate real world attacks in a controlled manner. From phishing campaigns to exfiltration of information, they are an end-to-end simulation of the sophisticated real world threats Context defends against daily. Combining expertise in information security, social engineering, malware and targeted attack analysis, Context is uniquely positioned to perform sophisticated attacks against organisations. Certified to deliver under the CREST STAR scheme and the UK government CBEST Scheme with the largest number of CCSAM and CCSAS testers in the UK Highly specialised and customised engagements, according to customer requirements Attacks based on real world threat scenarios, tailored to the attacks faced by each client Cross-discipline engagements involving attacks on IT systems, physical locations and social engineering of employees Mature risk management and delivery approach drawing from experience delivering red team, STAR and CBEST engagements for over five years. : An assessment of the business mitigations in place against tailored, real-world threat scenarios Identification of weaknesses arising from publicly-available information, staff usage of social media, and security vulnerabilities in IT systems and physical locations Accurate threat ratings to assess vulnerability risk to the business Recommendations for remedial actions and strategic management of weaknesses and vulnerabilities Page 21

24 21 Automated Vulnerability Assessment (AVA) Context s Automated Vulnerability Assessment (AVA) is designed to analyse an organisation s entire internet facing estate to automatically and regularly detect vulnerabilities and provide remediation advice. Identify new services as they become live, and provide statistical trends on the security posture of the organisation s Internet footprint. Flexible service levels to meet customer requirements Reconnaissance & Network Mapping Vulnerability assessment scanning Vulnerabilities mapped by Context consultants in a handwritten report Manual verification of high and critical impact issues Bespoke, weekly, monthly or quarterly frequency of scans Bespoke Scan algorithms and vulnerability detection mechanisms detect emerging vulnerabilities Ad-hoc scanning available AVA provides statistical reporting on external facing infrastructure All remediation advice is written by senior consultants Frequently provide visibility into technical risk for stakeholders Cost effective entry to security testing Page 22

25 Why work with Context? Our highly skilled consultants are leaders in their field; their breadth of skills and knowledge enable us to meet the most complex technical requirements Our research has led to the identification and remediation of new vulnerabilities in critical systems We have a large and diverse team strategically situated to work with clients worldwide We are independently operated with the financial backing of a FTSE 100 company We have ample technical resource and the flexibility to schedule complex engagements according to our clients rapidly changing needs We are actively engaged with security industry bodies such as CREST and CESG and regularly hold and speak at key industry events For more information please contact us on +44 (0) or gcloud@contextis.co.uk or visit our website