INFORMATION SECURITY TESTING

Transcription

1 INFORMATION SECURITY TESTING SERVICE DESCRIPTION Penetration testing identifies potential weaknesses in a technical infrastructure and provides a level of assurance in the security of that infrastructure. SRM performs penetration testing within the framework provided by our penetration testing methodology. This methodology has been developed in line with a range of recognised standards (such as the CESG CHECK scheme). SRM undertake all penetration testing on the basis of vulnerability identification prior to exploitation. Where an exploit is potentially harmful to the system (such as buffer overflow exploits) permission would be sought prior to the exploitation of this. SRM does not exploit denial of service attacks; introduce Trojans or viruses; or undertake social engineering unless these are specifically included in the scope of a test. Following completion of the testing, SRM will provide a technical report including a contextualised executive summary and specific vulnerability details on issues identified, including clear remediation recommendations. Methodology SRM s consultants work against a proven methodology. This can be summarised in the following steps: Footprinting Network mapping Scanning Enumeration Vulnerability scanning Exploitation Testing Elements Network Discovery and Reconnaissance SRM begins testing of in scope ICT services by identifying the servers and services available on the Internet connection and where appropriate on internal network segments. This includes basic enumeration of services in order to identify any information that may be useful to an attacker. The reconnaissance is focused on ensuring that the service is only providing the access that is necessary for the provision of the services required. Server Vulnerability Assessment Using the information gained in network discovery, SRM undertakes automated and manual vulnerability assessments of the servers hosting the in scope services. This testing identifies current security issues in the systems and services. Testing includes checks for incorrect or default configuration and checks for vulnerable versions of software, including browsers and operating systems. Where it is safe to do so, as part of the vulnerability identification, SRM assesses the services and version of those services to identify any possible denial of service vulnerabilities. It may not be

2 possible to confirm positively the presence of these vulnerabilities and in this case SRM provides information on the vulnerability and where possible, locations of patches to resolve the issue. No exploitation of vulnerabilities identified or attempts to gain access further into the system is ever made by SRM as part of this testing. Provided below is a list of tools commonly employed by SRM on vulnerability assessments: nmap, fscan and SuperScan port scanners; Typhon, Nikto and Nessus vulnerability assessment tools; Standard operating system tools (e.g. mount and net); Windows enumeration tools (such as DumpACL); Specific vulnerability testing tools and scripts as necessary. Web Application Testing SRM will undertake vulnerability assessment testing on the web application itself. This will include: Identification of the website structure and active code (i.e. web pages either providing functions or provided by functions); Identification of inputs to the web functions; Testing on the functions to identify any possible issues in the implementation of the functions that could lead to a security issue. This testing will include testing for common website security issues such as SQL injection attacks (should this be applicable). This testing will also include attempts to execute commands on the web server through the website itself. Penetration Testing Following the vulnerability assessment SRM assesses the issues identified and any potential exploit routes to gain access to the systems within scope. SRM performs basic, non-destructive testing of systems for any typical vulnerabilities, for example exploiting information gathering from systems and basic password guessing based on default settings. Should SRM identify any exploits that present a risk to the end systems, SRM works with our client to ascertain a course of action for exploiting these and hence testing further or working through exploit scenarios further. As part of the penetration testing SRM will not introduce viruses or Trojan applications or operating system components, we will exploit no identified vulnerabilities or carry out any unauthorised action of any sort that could be construed as misuse of our customer s ICT facilities. Any accounts created and tools used during the course of an engagement are removed upon completion of the exercise unless specific provision has been made to leave specific tools installed for future use by our customer. REPORTING The SECURITY TEST report will provide a current snapshot of the state of security for the target systems in relation to the vulnerability information available at the time of testing. Where possible, the vulnerabilities will be listed with links to online vulnerability databases (CVE, NVD, OSVDB, etc) to provide further information. The SRM report will provide distinct sections for the expected audiences of the report. This includes an Executive Summary that describes the risks present in a non-technical manner and therefore providing overall context in a business sense. The Technical Summary provides an abbreviated tabular format targeted at the technical managers that could be utilised as a checklist during remedial efforts. Finally, the detailed technical sections provide more insight in to the vulnerabilities, the technical risk, and recommendations on how to mitigate the effects.

3 The results of the report will also form the basis for a presentation that can be delivered to our customer personnel provoking further discussions on security improvements for the organisation. Laboratory Facilities As a registered Forensic Investigator and professional penetration testing organisation, SRM is continually investing in tools and facilities to enable our consultants to both conduct effective security tests but also keep up with the latest developments through research and development of payload-free malware for use by our customers. ON-BOARDING Each client has a unique requirement, and as such, SRM will undertake a detailed scoping exercise before providing a proposed approach and cost. Day-rates are detailed in the accompanying pricing document. Contact our specialist team to discuss your requirement on or on sales@srmsolutions.com

4 ABOUT SECURITY RISK MANAGEMENT LIMITED SRM SRM s specialists cover the full scope of the Governance, Risk and Compliance agenda such as information assurance to UK Government, NATO, PCI DSS, N3 and ISO standards, business continuity, operational risk management and computer & network forensics. This broad portfolio allows SRM to provide a more efficient and effective service, making the most of consultants' skills and offering you better value for money. Having one service provider also improves project flow and delivery by minimising any potential disruption to operations: whereas having multiple service providers on site could result in a duplication of effort, investment inefficiencies and conflicts of interest. SRM experts, drawn from the private sector, police service, armed forces and government agencies, offer an exceptional skill-set and depth of experience, all delivered to a first-class level of service. SRM s existing clients, who range from small and medium size businesses to government departments, charities and other non-commercial institutions, trust SRM because we deliver what we promise. SRM have specific and significant experience relating to this project requirement, with current clients including Thomas Cook Group, Eurostar International, Greene King, and Booking.com. References and case studies are available upon request. Testimonials are available to view on the SRM website Why choose SRM? SRM was founded by experts formerly within the private sector, Police service, and government agencies. SRM offers an exceptional skill-set and depth of experience, all delivered with a firstclass level of service which our clients welcome, have come to depend upon, and value greatly. SRM have been accredited by the PCI SSC as a Qualified Security Assessor (QSA), Payment Application Qualified Security Assessor (PA QSA) and PCI Forensic Investigator (PFI) since Our team of consultants are all Information Security experts in the field of Digital Forensic, Penetration Testing and Vulnerability Scanning, PCI DSS Compliance Auditing, ISO Compliance, and Information Security policy development and awareness. SRM s forensic laboratories are centrally located in the UK in Rugby and Newcastle and we have offices the length and breadth of the country: London, Rugby, and Newcastle. Our experts are generally within easy reach of you. SRM have established links with the Police High Tech Crime Units and the Centre for Cyber Crime and Computer Security based at Newcastle University. We will assist you in any required crime reporting issues and will assist you to preserve integrity and reduce or minimise reputational damage. SRM have a wealth of experience of Information Security - we have undertaken numerous projects to implement Information Security and governance for organisations in the public, private and third sectors. Our consultants are able to hit the ground running Our consultants have the experience and understanding of the issues which this project presents, and can start work with a minimum of delay in working themselves into the project. Our business is run in the interests of the client - SRM is a profitable professional consulting organisation; any profit generated by the business is currently re-invested in further services, skilled personnel and compliance research and development for the benefit of clients.

5 We are ethical and open in all our working; we are honest in our approach and diligent in our work. We are entirely independent of any suppliers of systems, software or equipment, which means that we offer objective and independent advice that can be relied upon. For this reason, we are frequently invited to mediate in disputes on value, advice on best practice, and to advise in the selection of services or suppliers. ADDITIONAL SERVICES Other services offered by SRM include: PCI DSS Compliance & Remediation If your organisation process, transmit or store payment card data then you must comply with the PCI DSS. We can assess your organisation, advise you on how to implement the requirements needed to achieve compliance, and as PCI QSA s we can complete the audit against the PCI DSS. ISO ISO is the international standard defining best practice for information assurance and cyber security. We can help your organisation implement the standard and improve how you manage and protect your information assets. SRM can assist your organisation regardless of what stage of ISO you are at. Forensic and Incident Response If you believe your organisation is suffering from a breach, SRM can put take appropriate actions to stop any further information/ data to be stolen by temporality shutting down networks and computer ports, ensuring loss is minimal. ASV Scanning and Data Recovery SRM offer ASV scanning to ensure compliance with certain PCI DSS requirements. This scan includes vulnerability scans of aspects of a computer network. We also provide a data recovery service for lost or stolen data/information. Forensic Investigation With malicious online behaviour increasing, forensic investigations are compulsory for merchants who suffer a computer breach. SRM are accredited PCI Forensic Investigators, and have extensive knowledge and experience in the subject. Business Continuity Many organisations rely on ICT systems. When they fail it causes mass disruption. SRM can show you how to establish business continuity across your organisation that delivers not only resilience in times of disruption, but also improves efficiency in business operations. Training People without the proper guidance, education, training and support can do enormous damage to systems, information and reputation whether they intend to or not. SRM has extensive experience in running long and short term educational and awareness raising programmes for organisations large and small.