How To Perform An External Security Vulnerability Assessment Of An External Computer System



Similar documents
External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

Web App Security Audit Services

External Supplier Control Requirements

Passing PCI Compliance How to Address the Application Security Mandates

locuz.com Professional Services Security Audit Services

Integrigy Corporate Overview

Deep Security/Intrusion Defense Firewall - IDS/IPS Coverage Statistics and Comparison

05.0 Application Development

Threat Modeling. Frank Piessens ) KATHOLIEKE UNIVERSITEIT LEUVEN

Deep Security Intrusion Detection & Prevention (IDS/IPS) Coverage Statistics and Comparison

Penetration Testing. University of Sunderland CSEM02 Harry R Erwin, PhD

ensuring security the way how we do it

Adobe Systems Incorporated

How To Audit The Mint'S Information Technology

SERENA SOFTWARE Serena Service Manager Security

Hackers are here. Where are you?

Reducing Application Vulnerabilities by Security Engineering

Information Security Organizations trends are becoming increasingly reliant upon information technology in

IQware's Approach to Software and IT security Issues

Guidelines for Web applications protection with dedicated Web Application Firewall

TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Preliminary Course Syllabus

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

Aiming at Higher Network Security Levels Through Extensive PENETRATION TESTING. Anestis Bechtsoudis. abechtsoudis (at) ieee.

Information Technology Solutions

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

National Endowment for the Arts Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement Exit Conference...

Penetration Testing. Presented by

Symantec Endpoint Protection Analyzer Report

SCOPING QUESTIONNAIRE FOR PENETRATION TESTING

Security Awareness For Server Administrators. State of Illinois Central Management Services Security and Compliance Solutions

Network Support. Technical Certificate. Program Outcomes: FOUNDATION COURSES. 1 of 7

Why Web Applications are making a hackers life easy. Presented by Jon Grew BT SBS

White Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers

Goals. Understanding security testing

Hosts HARDENING WINDOWS NETWORKS TRAINING

INFORMATION TECHNOLOGY ENGINEER V

Four Top Emagined Security Services

AN OVERVIEW OF VULNERABILITY SCANNERS

NETWORK PENETRATION TESTING

Network Test Labs (NTL) Software Testing Services for igaming

Pentests more than just using the proper tools

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Pentests more than just using the proper tools

White Paper: Consensus Audit Guidelines and Symantec RAS

EC-Council Certified Security Analyst (ECSA)

Black Box Penetration Testing For GPEN.KM V1.0 Month dd "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Universities and Schools Under Cyber-Attack: How to Protect Your Institution of Excellence

Patch Management Policy

Proactive Vulnerability Management Using Rapid7 NeXpose

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

PROMAPP TECHNICAL INFORMATION

Trend Micro. Advanced Security Built for the Cloud

Bank Hacking Live! Ofer Maor CTO, Hacktics Ltd. ATC-4, 12 Jun 2006, 4:30PM

The Security Development Lifecycle. Steven B. Lipner, CISSP Senior Director Security Engineering Strategy Microsoft Corp.

Security Advisory. Some IPS systems can be easily fingerprinted using simple techniques.

Put a Firewall in Your JVM Securing Java Applications!

AGENDA HIP Ho AA w i rivacy d The B reach Happen? I P nc AA Secu dent R rit esp y o nse Corrective Action Plan What We Learned ACRONYMS USED

Adobe ColdFusion. Secure Profile Web Application Penetration Test. July 31, Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661

Keyword: Cloud computing, service model, deployment model, network layer security.

Protecting Your Organisation from Targeted Cyber Intrusion

BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports

INNOVATE. MSP Services Overview SVEN RADEMACHER THROUGH MOTIVATION

Threat Modelling for Web Application Deployment. Ivan Ristic (Thinking Stone)

NSFOCUS Web Vulnerability Scanning System

Tunisia s experience in building an ISAC. Haythem EL MIR Technical Manager NACS Head of the Incident Response Team cert-tcc

Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

STATE OF NEW JERSEY IT CIRCULAR

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Penetration Testing Service. By Comsec Information Security Consulting

Security Vulnerabilities and Patches Explained IT Security Bulletin for the Government of Canada

ICSA Labs Web Application Firewall Certification Testing Report Web Application Firewall - Version 2.1 (Corrected) Radware Inc. AppWall V5.6.4.

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

Devising a Server Protection Strategy with Trend Micro

Rational AppScan & Ounce Products

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

A Systems Engineering Approach to Developing Cyber Security Professionals

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Application Security Testing

Devising a Server Protection Strategy with Trend Micro

GFI White Paper PCI-DSS compliance and GFI Software products

Top Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009

Securing and Accelerating Databases In Minutes using GreenSQL

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

WHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION

1 Scope of Assessment

Transcription:

External Vulnerability Assessment -Executive Summary- Prepared for: ABC ORGANIZATION On March 9, 2008 Prepared by: AOS Security Solutions 1 of 5

Table of Contents Executive Summary... 3 Immediate Focus Areas (1-4 weeks)... 3 Short term Focus Areas (1-6 months)... 3 Long term Focus Areas (6 months +)... 3 Web Application Assessment Statics... 4 Items of Top Concern:... 4 AOS Recommendations:... 4 Network & Service Vulnerability Assessment... 5 Items of Top Concern:... 5 AOS Recommendation:... 5 2 of 5

Executive Summary Alexander Open Systems (AOS) performed an external security vulnerability assessment of ABC ORGANIZATION. An external assessment looks devices such as firewalls, servers and routers that provide services on the Internet. It also covers application layer assessments on any web based services externally facing. The security assessments performed by Alexander Open Systems, Inc follow a standard assessment methodology beginning with reconnaissance, vulnerability enumeration and penetration testing for validation. AOS performs these assessments with the least possible impact to the organization. This means our assessment tools have been throttled back as to not consume customer Internet bandwidth. Our assessments are also done at a mutually agreeable time which is determined to be least impacting to the organization. The following sections are the findings of AOS s vulnerability assessment services. Immediate Focus Areas (1-4 weeks) ABC ORGANIZATION should take immediate action in the resolution of vulnerabilities found on the web server (http://zero.webappsecurity.com). Security holes on this system have been found that put the organization in direct risk. The AOS recommendation to immediately solve this risk is to layer the web server with an application layer firewall. Short term Focus Areas (1-6 months) ABC ORGANIZATION needs to review the current certified operating system levels and upgrade systems not holding true to that standard. A patch management system (if not currently deployed) should be deployed for all high risk assets in the organization. For systems that cannot be patched or rebooted in a timely manner yet still holding key assets, AOS recommends a host based intrusion prevention system to adequately protect those systems from both known and unknown attacks. Long term Focus Areas (6 months +) ABC ORGANIZATION needs to audit application development. A strong emphasis on application security needs to be stressed and all custom applications should have a vulnerability assessment done prior to implementation into production environments. Ongoing application and network assessments should also be done to ensure current systems don t become vulnerable to new security threats Vulnerabilities found on (http://zero.webappsecurity.com) in regards to application coding should be resolved and tested/verified. 3 of 5

Web Application Assessment Statics The graph below displays the vulnerabilities that were found on http://zero.webappsecurity.com/. These represent the risk to the server, the data it contains and ultimately risk to ABC ORGANIZATION. Items categorized in the below graph show vulnerabilities in the application itself. Items of Top Concern: In the above graph, several critical level vulnerabilities were found. Of the number of vulnerabilities found the three top security risks have to deal with: SQL Injection Cross Site Scripting Information Leakage AOS Recommendations: Due to the quantity and type of vulnerabilities found on the web application, Alexander Open Systems recommends layering the web site with an application layer firewall as well as restricting access to specific areas of the server. 4 of 5

Network & Service Vulnerability Assessment The graph below displays the number of security related vulnerabilities found on the external facing network of ABC ORGANIZATION. These vulnerabilities were found from various tools that were focused at finding security weaknesses in the system or service level security protections. Items of Top Concern: There was one high level security vulnerability on the external network and it can be resolved by a system patch. If exploited, this vulnerability will cause the server to continuously reboot impacting both the availability and integrity of the data contained on the system. AOS Recommendation: System patches are generally the number one security risk we see on internal systems to date. Typically, internal threats come from poor system patch management on internal devices. In addition, system patches are generally not applied until after the system reboots. This makes it difficult to apply patches to production facing systems that must maintain a high level of uptime. AOS generally recommends a combination of good patch management with host based intrusion prevention. HIPS, or host based intrusion prevention, allows system administrators the time they need to effectively test, certify and deploy system patches while not putting business assets at risk. 5 of 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information