.: services


.: enterprise security assessment

An enterprise security assessment is a test of an organization's overall security posture. The testing consists of the following:

  • External Penetration Test
  • Internal Vulnerability Assessment
  • Incident Response Readiness Assessment
  • Social Engineering
  • Physical Security Evaluation
  • Dumpster Diving
  • Access Control Evaluation

Our deliverable will be a comprehensive report of the tests we performed and their results. Raw scans, screenshots, reports, interview notes, etc. will be provided as evidence on an encrypted USB key.

.: elements of the enterprise security assessment

External Penetration Test
There are several variations of the external penetration test. We classify them as white box, gray box, and black box.
A white box test consists of testing where all applicable information is known about the system or systems we are testing. Things such as IP addresses, applications, service versions, etc. are shared with us up front. Typically this is the least costly type of penetration test. However, it does not give an accurate representation of a real world attack.
A gray box test consists of testing where limited information about the systems being tested is shared, such as IP addresses, target locations, etc. This is probably the most cost-effective type of test.
A black box test consists of testing that most accurately reflects a real-world targeted attack by an external threat source. This is a gloves-off approach to testing. Viruses, physical penetration, application penetration, wireless attacks, and social engineering are some of the attack vectors that can and will be utilized in a black box test. This is a true-life test of incident preparedness and response.

Incident Response Readiness Assessment
We evaluate the incident response plan and perform a gap analysis. We then perform walkthroughs of various scenarios requiring multiple levels of response by individuals and management, and draw conclusions about the organization's overall incident readiness.

Internal Vulnerability Assessment
Router, firewall, switch, server, and workstation security is evaluated. We use multiple automated tools as well as manual techniques to evaluate these systems.

Social Engineering
We will test the general security consciousness of the organization's user base. In what is commonly known as pretext calling, we will make multiple attempts, via telephone and with limited knowledge of the internal organization, to extract information from the general user base.

Physical Security Evaluation of the building and data center
We will perform walkthroughs and test the controls surrounding physical security of the organization’s buildings and data centers. Key card access, the use of biometrics, and mantraps are just a few of the things we will evaluate.

Dumpster Diving
Every day organizations throw away tons of trash. Mostly it is paper that may contain sensitive information: Post-it notes with usernames/passwords, reports with account numbers, personally identifiable information. These are all things that can be valuable to a "cyber-criminal".

Access Control Evaluation
Access to programs and data is the backbone of security within an organization. De-perimeterization has made the firewall almost irrelevant in some organizations; wireless can be exploited to gain access to internal networks. But if access to programs and data is adequately controlled, management can be reasonably assured that the company's crown jewels are secure.

Web site contents © Copyright Northeast Data Security 2008, All rights reserved.