INFORMATION SECURITY TESTING SERVICE DESCRIPTION

Penetration testing identifies potential weaknesses in a technical infrastructure and provides a level of assurance in the security of that infrastructure. SRM performs penetration testing within the framework provided by our penetration testing methodology. This methodology has been developed in line with a range of recognised standards (such as the CESG CHECK scheme).

SRM undertakes all penetration testing on the basis of vulnerability identification prior to exploitation. Where an exploit is potentially harmful to the system (such as a buffer overflow exploit), permission is sought before it is used. SRM does not carry out denial of service attacks, introduce Trojans or viruses, or undertake social engineering unless these are specifically included in the scope of a test.

Following completion of the testing, SRM will provide a technical report including a contextualised executive summary and specific vulnerability details on the issues identified, including clear remediation recommendations.

Methodology

SRM's consultants work against a proven methodology. This can be summarised in the following steps:

- Footprinting
- Network mapping
- Scanning
- Enumeration
- Vulnerability scanning
- Exploitation

Testing Elements

Network Discovery and Reconnaissance

SRM begins testing of in-scope ICT services by identifying the servers and services available on the Internet connection and, where appropriate, on internal network segments. This includes basic enumeration of services in order to identify any information that may be useful to an attacker. The reconnaissance is focused on ensuring that the service is only providing the access that is necessary for the provision of the services required.

Server Vulnerability Assessment

Using the information gained in network discovery, SRM undertakes automated and manual vulnerability assessments of the servers hosting the in-scope services. This testing identifies current security issues in the systems and services. Testing includes checks for incorrect or default configuration and checks for vulnerable versions of software, including browsers and operating systems.

Where it is safe to do so, as part of the vulnerability identification, SRM assesses the services and the versions of those services to identify any possible denial of service vulnerabilities. It may not be possible to positively confirm the presence of these vulnerabilities; in this case SRM provides information on the vulnerability and, where possible, the location of patches to resolve the issue. No exploitation of the vulnerabilities identified, and no attempt to gain further access into the system, is ever made by SRM as part of this testing.

Provided below is a list of tools commonly employed by SRM on vulnerability assessments:

- nmap, fscan and SuperScan port scanners;
- Typhon, Nikto and Nessus vulnerability assessment tools;
- Standard operating system tools (e.g. mount and net);
- Windows enumeration tools (such as DumpACL);
- Specific vulnerability testing tools and scripts as necessary.

Web Application Testing

SRM will undertake vulnerability assessment testing on the web application itself. This will include:

- Identification of the website structure and active code (i.e. web pages either providing functions or provided by functions);
- Identification of inputs to the web functions;
- Testing of the functions to identify any possible issues in their implementation that could lead to a security issue.

This testing will include testing for common website security issues such as SQL injection attacks (should this be applicable). This testing will also include attempts to execute commands on the web server through the website itself.

Penetration Testing

Following the vulnerability assessment, SRM assesses the issues identified and any potential exploit routes to gain access to the systems within scope. SRM performs basic, non-destructive testing of systems for any typical vulnerabilities, for example exploiting information gathered from systems and basic password guessing based on default settings. Should SRM identify any exploits that present a risk to the end systems, SRM works with our client to ascertain a course of action for exploiting these and hence testing further or working through exploit scenarios.
As part of the penetration testing SRM will not introduce viruses or Trojan applications or operating system components; we will exploit no identified vulnerabilities or carry out any unauthorised action of any sort that could be construed as misuse of our customer's ICT facilities. Any accounts created and tools used during the course of an engagement are removed upon completion of the exercise unless specific provision has been made to leave specific tools installed for future use by our customer.

REPORTING

The SECURITY TEST report will provide a current snapshot of the state of security for the target systems in relation to the vulnerability information available at the time of testing. Where possible, the vulnerabilities will be listed with links to online vulnerability databases (CVE, NVD, OSVDB, etc.) to provide further information.

The SRM report will provide distinct sections for the expected audiences of the report. This includes an Executive Summary that describes the risks present in a non-technical manner and therefore provides overall context in a business sense. The Technical Summary provides an abbreviated tabular format targeted at technical managers that can be used as a checklist during remedial efforts. Finally, the detailed technical sections provide more insight into the vulnerabilities, the technical risk, and recommendations on how to mitigate the effects.

The results of the report will also form the basis for a presentation that can be delivered to our customer's personnel, provoking further discussion on security improvements for the organisation.

Laboratory Facilities

As a registered Forensic Investigator and professional penetration testing organisation, SRM is continually investing in tools and facilities to enable our consultants both to conduct effective security tests and to keep up with the latest developments through research and development of payload-free malware for use by our customers.

ON-BOARDING

Each client has a unique requirement, and as such SRM will undertake a detailed scoping exercise before providing a proposed approach and cost. Day-rates are detailed in the accompanying pricing document. Contact our specialist team to discuss your requirement on 03450 21 21 51 or email sales@srmsolutions.com
ABOUT SECURITY RISK MANAGEMENT LIMITED (SRM)

SRM's specialists cover the full scope of the Governance, Risk and Compliance agenda, such as information assurance to UK Government, NATO, PCI DSS, N3 and ISO 27001 standards, business continuity, operational risk management and computer and network forensics. This broad portfolio allows SRM to provide a more efficient and effective service, making the most of consultants' skills and offering you better value for money. Having one service provider also improves project flow and delivery by minimising any potential disruption to operations, whereas having multiple service providers on site could result in duplication of effort, investment inefficiencies and conflicts of interest.

SRM experts, drawn from the private sector, police service, armed forces and government agencies, offer an exceptional skill-set and depth of experience, all delivered to a first-class level of service. SRM's existing clients, who range from small and medium size businesses to government departments, charities and other non-commercial institutions, trust SRM because we deliver what we promise.

SRM has specific and significant experience relating to this project requirement, with current clients including Thomas Cook Group, Eurostar International, Greene King, and Booking.com. References and case studies are available upon request. Testimonials are available to view on the SRM website www.srm-solutions.com.

Why choose SRM?

SRM was founded by experts formerly within the private sector, Police service, and government agencies. SRM offers an exceptional skill-set and depth of experience, all delivered with a first-class level of service which our clients welcome, have come to depend upon, and value greatly.

SRM has been accredited by the PCI SSC as a Qualified Security Assessor (QSA), Payment Application Qualified Security Assessor (PA-QSA) and PCI Forensic Investigator (PFI) since 2008.

Our team of consultants are all Information Security experts in the fields of Digital Forensics, Penetration Testing and Vulnerability Scanning, PCI DSS Compliance Auditing, ISO 27001 Compliance, and Information Security policy development and awareness.

SRM's forensic laboratories are centrally located in the UK in Rugby and Newcastle, and we have offices the length and breadth of the country: London, Rugby, and Newcastle. Our experts are generally within easy reach of you.

SRM has established links with the Police High Tech Crime Units and the Centre for Cyber Crime and Computer Security based at Newcastle University. We will assist you with any required crime reporting and will help you to preserve integrity and reduce or minimise reputational damage.

SRM has a wealth of experience in Information Security: we have undertaken numerous projects to implement Information Security and governance for organisations in the public, private and third sectors.

Our consultants are able to hit the ground running - our consultants have the experience and understanding of the issues which this project presents, and can start work with a minimum of delay in working themselves into the project.

Our business is run in the interests of the client - SRM is a profitable professional consulting organisation; any profit generated by the business is currently re-invested in further services, skilled personnel and compliance research and development for the benefit of clients.
We are ethical and open in all our work; we are honest in our approach and diligent in our work. We are entirely independent of any suppliers of systems, software or equipment, which means that we offer objective and independent advice that can be relied upon. For this reason, we are frequently invited to mediate in disputes on value, to advise on best practice, and to advise in the selection of services or suppliers.

ADDITIONAL SERVICES

Other services offered by SRM include:

PCI DSS Compliance & Remediation

If your organisation processes, transmits or stores payment card data then you must comply with the PCI DSS. We can assess your organisation, advise you on how to implement the requirements needed to achieve compliance, and, as PCI QSAs, we can complete the audit against the PCI DSS.

ISO 27001

ISO 27001 is the international standard defining best practice for information assurance and cyber security. We can help your organisation implement the standard and improve how you manage and protect your information assets. SRM can assist your organisation regardless of what stage of ISO 27001 you are at.

Forensic and Incident Response

If you believe your organisation is suffering from a breach, SRM can take appropriate actions to stop any further information/data from being stolen by temporarily shutting down networks and computer ports, ensuring loss is minimal.

ASV Scanning and Data Recovery

SRM offers ASV scanning to ensure compliance with certain PCI DSS requirements. This scan includes vulnerability scans of aspects of a computer network. We also provide a data recovery service for lost or stolen data/information.

Forensic Investigation

With malicious online behaviour increasing, forensic investigations are compulsory for merchants who suffer a computer breach. SRM are accredited PCI Forensic Investigators, and have extensive knowledge and experience in the subject.

Business Continuity

Many organisations rely on ICT systems. When they fail it causes mass disruption. SRM can show you how to establish business continuity across your organisation that delivers not only resilience in times of disruption, but also improves efficiency in business operations.

Training

People without the proper guidance, education, training and support can do enormous damage to systems, information and reputation, whether they intend to or not. SRM has extensive experience in running long and short term educational and awareness-raising programmes for organisations large and small.