Security-as-a-Service (Sec-aaS) Framework. Service Introduction

Transcription

1 Security-as-a-Service (Sec-aaS) Framework Service Introduction

2 Need of Information Security Program In current high-tech environment, we are getting more dependent on information systems. This dependency has both positive and Negative impact on underlying core asset of any organization i.e. Data or Information. To worry about Information Security is vital as value of any business depends completely on value of its information and any compromise to it, will have direct impact on business. Every organization needs to have up-to-date and continuous Security Program to handle any such unwanted concern. A Security Program provides framework for keeping company at desired Security level by assessing risk, their impact on operations and business, mitigation methods and plans to keep them updated. It is composed of number of Information Security Services, as collection of technologies, standards, procedures and practices. Its main purpose is to ensure Business Continuity and reduce or manage risk of Damage by preventing or minimizing impact due to security incidents. Every industry have unique set of Security Requirements and have to follow specific security guidelines and compliances. Even teams within an organization vary from each other in terms of their work profile, skill-sets and duties. Security Program needs to address each of these unique requirements and underlying security services should be chosen accordingly.

3 Security as-a-service (Sec-aaS) Framework Integrate & Implement Security as per your Need Security-as-a-service is a unique framework which act as a mould to address most of the Information Security service requirements for any organization, irrespective of Industry type and working domains. Its fully customizable modules based on environment and scenarios, addresses most of Security Service needs in the field of Training, Application Testing, Development and Analysis. Security Training as-a-service (STr-aaS) This module caters all Security Training Requirements at various Levels of expertise and act as an invaluable tool to gain insight into various information security concepts and a knowledge of real-time attack scenarios. Application Security as-a-service (AS-aaS) This module helps in ensuring both Secure Software Design and Testing using our Threat Modeling and professional Application Security Testing Service Application Security Testing as-a-service (ASTe-aaS) Threat Modeling as-a-service (TMo-aaS) Security Testing as-a-service (STe-aaS) This module services ensure professional Security Analysing for People, Data and Infrastructure. Recon Pentest as-a-service (RPen-aaS) Vulnerability Assessment & Penetration Testing as-a-service (VAPT-aaS)

4 Security Training as-a-service (STr-aaS) We understand that every type of industry and product team have their own and unique requirement of Security Training. Some need security training from scratch like ensuring awareness amongst employees to implant seeds of security sense, while some need assistance from security point based on their existing process and technologies, while some need to deep-dive on specific tools. STr-aaS can assist in every cause using its unique fully customizable feature, which fulfils your exact security training requirement based on your working domain and technologies. Wide Range of Security topics across domains Customizable as per your business model, requirement and industry type Multiple Training Levels o Awareness, to implant seed of Security Thought process o Beginner, to provide security prospect on working technologies o Intermediate, to fuel integration of security with existing processes o Tools & Techniques, to deep-dive into specific security methods and measures o Advanced, to deep dive into security processes and techniques Multiple Delivery Modes: o Live Online, Classroom delivered via webinars o Onsite, Classroom based delivery o On-Demand, via pre-recorded, self-paced, 24x7 accessible videos* (* Limited Topics) Cost Effective

5 STr-aaS: Wide Range of Topics & Levels Level 1: Awareness Target Audience: Anyone Topics: Internet & Computer Security Information Security Fundamentals Level 2: Beginner Target Audience: Anyone involved in Technical Domain Topics: Web Security: Analysing OWASP Top10 Security Risk Network Security: Common Vulnerabilities & Attack Scenarios Cloud Security: Existing Risk & Vulnerabilities TLS/SSL: Protocol Overview & Testing Methods Introduction to Cryptography Level 3: Intermediate Target Audience: Anyone involved in Security Domain Topics: Reconnaissance & Google Hacking Buffer Overflow: Attacks & Countermeasures Secure SDLC: Integrating Security in Software Development Life Cycle Essential Checks for Application Security Common Causes of Security Defects Level 4: Tools & Techniques Target Audience: Anyone involved in Security Testing Topics: Using NMAP Effectively Network Packet Crafting with SCAPY Web Application Security with BURP SUITE Network Packet & Traffic Analysis with WIRESHARK Using NESSUS for Vulnerability Scanning Attacking Systems with METASPLOIT FRAMEWORK Level 5: Advanced Target Audience: Anyone, who wants to dig-deep in Security Methodologies Topics: Threat Modeling for Application Security Breaking Web Application Security Introducing Product Security Policy (PSP) Security Attacks & Incident Handling

6 Application Security as-a-service (AS-aaS) With increase in concise on Security, Secure SDLC (Sec-SDLC) has now become a Selling Point for any Application. Organizations have now realized that the consequences of not following Sec-SDLC can be disastrous and may lead to both Direct (like Financial & Data Loss) and Indirect Losses (like Reputation & Trust) to an organization. AS-aaS provides customizable measures as per your product requirement and assist in integrating Security in different phases of Software Development Life Cycle (Sec-SDLC). These application security services not only ensure secure Product from design point of view, but also helps in avoiding last minute security fixes in a product, along with professional touch to your Security Testing process. Currently, AS-aaS supports below two security services to fulfil Secure Design and Testing requirements. Application Security Testing as-a-service (ASTe-aaS) Security Testing service to assist in implementing Security in Requirement & Testing phases of SDLC Threat Modeling as-a-service (TMo-aaS) Our unique Threat Modeling service ensures Secure Product Architecture, and assist in implementing Security in Design phase of SDLC

7 Application Security Testing as-a-service (ASTe-aaS) Every Software has its own unique requirement in terms of applicable Security threats and Compliance. A Security flaw and corresponding test varies with application, its backend and environment. A Security test effective in one scenario may or may not be applicable in another. ASTe-aaS provides a unique approach of Risk based and Grey Box testing to ensure every feature, component and functionality of an application is treated separately and test are developed around them. Security always comes at expense of Functionality and most often consideration of Security introduces complexity and limitations in code and application feature. ASTe-aaS provides a process to ensure Security in design phase itself to addresses this concern, this helps developers to foresee applicable security threats and ensure balance between functional complexity and Security Unique Features Risk Based Testing (RBT) Grey Box Approach: Thinking out of box Testing throughout Software Development Life Cycle (SDLC) Compliance based Threat Model based Integrated Vulnerability Analysis Working Model Optimize per Industry and Business Policies Time-bound Testing Minimum Onsite Multiple modes of involvement o Consultation only o Assistance mode o Full Ownership

8 Threat Modeling as-a-service (TMo-aaS) Typically, Threat Modeling process is conducted during product design phase and is used to identify reasons and methods that an attacker might use to identify vulnerabilities or threats in the system. It also provides a set of documents that can be used to create security specifications and security testing. These documents includes security objectives, identification of relevant threats and corresponding countermeasures. TMo-aaS is one of its kind, unique and dedicated security service, where we assist organization to design, detect and analyse application architecture and design flaws. This service can be used across application types irrespective of its backend technologies used, usage and deployment scenario. Unique Features Helps in analysing Security Threats in an application in Software Development Design phase Assist developers to address possible security threats in early product development stage Assist QA or testers to design and test applicable threats and respective scenarios based on identified vulnerabilities Vendor independent design, based typically on product functionality, protocols used and workflow Can be done for specific component or feature or product as a Whole Working Model Work with Developers or Product architect to draft product/feature process flow and communication blueprint Provide a Systematic Threat Chart based on functional attributes of each product entity Assist in analysis of all applicable threats, their impacts and possible countermeasures Assist Testing Team to analyse threats and possible testing scenarios, tools and techniques for same

9 Security Testing as-a-service (STe-aaS) Security Analysis and Testing helps an organization to realistically evaluate the strength of its security processes and technology against alarming growth of security attacks and malicious actions. This type of analysis is necessary not only from compliance point of view but also to test effectiveness of defense systems and evaluate risk associated with possible entry points in infrastructure. We provide flexible and tailored made Security Analysis and Testing services modelled as per well-known industry models and standards to meet specific client requirements. STe-aaS provides customizable Security Testing services for two core assets of any organization, viz People and Data. Reconnaissance Penetration Test as-a-service (RPen-aaS) Specialized and dedicated reconnaissance service, providing in-detail scrutiny of your infrastructure, Systems, Data and People in Public world. Vulnerability Assessment & Penetration Testing as-a-service (VAPT-aaS) Professional Vulnerability Assessment and Penetration Testing service to evaluate security of a Computer System, Network or an Application by identifying and prioritising Security Threats accordingly.

10 Reconnaissance Penetration Test as-a-service (RPen-aaS) Information gathering or Reconnaissance process helps in understanding of target in better way by revealing scope of testing and areas which needs focus from vulnerabilities point of view. Traditionally, in security testing Reconnaissance process is limited to discovery of IP address/range, Server types, ports and services. RPen-aaS provides a unique and dedicated Reconnaissance Penetration Testing (Recon Pentest) service, which is a combination of both Active and Passive security testing tools and methodology. Here, we take liberty of performing some in-depth and careful examination of gathered facts (especially publically available) and details to reveal data in form of internal corporate structure, management and process details, domain directory structures, sensitive files, configurations, databases, internal zero-day errors, contact information, application insights, vendor and client details and many more. Methodologies Adopted OSINT (Open Source Intelligence) Open Source Automated Tools Manual Analysis Testing Scope Passive Reconnaissance o From Search Engines, Google Hacking o Website/Webpage Analysis o Social Network Analysis o Other Public Sources like Blogs, Forums, Job Portals etc Active Reconnaissance o Host/Server Information o Web Mirroring o Basic Network Fuzzing To discover ideal Device/Server response To discover coding errors Not in Scope Social Engineering Execution of potential Exploits Web/Network/Server Security Attack

11 Vulnerability Assessment & Penetration Test as-a-service (VAPT-aaS) Vulnerability assessment is a process which identifies the threats or vulnerabilities present in the resources of a system. This pro-active method can be helpful for organisations to evaluate their security position and decide upon elimination or remediation policies which can mitigate the level of associated risks. Quantifying the resources based on their importance and prioritizing the vulnerabilities accordingly can help improve the security posture of the environment in an organized and effective manner. Pentest, or Penetration Testing, aims to exploit the vulnerabilities discovered in any system. It helps to assess the security policies and defensive mechanisms and their effectiveness in safeguarding against attacks. Pen- Testing typically involves identifying the weak spots, trying to exploit systems or gain access to sensitive data through identified entry points and finally, reporting them to the concerned teams to effectively design the remediation measures. VAPT-aaS incorporates professional VA-PT Security Testing process customizable enough to effectively evaluate Application, Systems and Infrastructure, along with People (Employee) from Security Awareness prospect. It modulates traditional Security Testing (Ethical Hacking) Steps according to target, business requirements and domain. Specific compliance based test are also included to ensure industrial Security requirements. Unique Features Customizable according to Business Requirements Evaluated Security Awareness of Employee in Public Domain (RPen-aaS) Compliance Security Test as per Industry requirements Unique Threat Model with Infrastructure and System/Server evaluation Assistance in Vulnerability assessment and Patch Evaluation Detailed Reporting structure

12 About Hack2Secure The IT Industry has evolved from a standalone desktop and independent applications to a Complex Cloud environment. Today technology have become so advanced to reduce costs in terms of hardware, software, development and maintenance, however this has created an increased risk to SECURITY. Hack2Secure excels in Information Security Domain and offers customised IT Security programs, including Training, Services and Solutions. Our programs are designed by industry experts and tailored as per specific needs. We strive to serve with quality, efficiency, and timely delivery through our team of experienced and certified professionals in Information Security. We help students, professionals and companies with knowledge, tools and guidance required to be at forefront of a vital and rapidly changing IT industry. Security Training Hack2Secure excels in delivering intensive, immersion training sessions designed to master practical steps necessary for defending systems against the dangerous security threats like identity theft, phishing scams, virus and backdoors, loss of confidential information, hacking attacks etc. Our wide range of fully customizable training courses delivered via multiple modes allow individual to master different aspects of Information Security as per their industry requirement and convenience. These theoretical sessions incorporated with real time examples along with unique hands-on lab allows an individual to easily get ready for practice. Security Services Hack2Secure offers IT Security Professional Services to provide ways to stay ahead of Security Threats through proactive Software or Application Security Testing, Vulnerability Assessment, Penetration Testing, Threat Modeling and Consultation services. Our Services help clients to view IT Security from Attacker s prospect, leveraging real-time techniques to showcase risk, Vulnerabilities and Threats in their environment and also assess their implications on the business. Our unique Risk-based, Grey-box Security Testing Services by our team of expert, creative and experienced Subject Matter Experts, ensures costeffective, on-demand and thorough dynamic services to ensure security of product of an infrastructure using both Automated and Manual Security Testing processes.

13 Security as-a-service (Sec-aaS) Framework Security Training as-a-service (STr-aaS) Application Security Testing as-a-service (ASTe-aaS) Threat Modeling as-a-service (TMo-aaS) Recon Pentest as-a-service (RPen-aaS) Vulnerability Assessment & Penetration Testing as-a-service (VAPT-aaS) For any Enquiry related with Contact Us Security as-a-service (SaaS) Framework: General Enquiry: /Hack2Secure.India hack2secure