Vulnerability Assessments

Vulnerability assessments proactively identify possible or potential security risks, or vulnerabilities, that may allow access to confidential areas of a network, allow a denial of service to be performed, or obtain information from your network. This exercise will produce a deliverable cataloguing potential vulnerability in the environment and outline a remediation strategy to resolve the issues that have been identified.

External Vulnerability Assessment
Assess the environment from the external or public view to identify vulnerabilities that may allow access to confidential areas of a network, allow a denial of service to be performed, or obtain sensitive internal information.

Internal Vulnerability Assessment
Assess the environment from the internal view of the network to identify vulnerabilities that may allow access to confidential areas of a network, allow a denial of service to be performed, or sensitive internal information. Password complexities are also verified, virus protection and patch management are assessed, and a sample number of servers and workstations are reviewed to provide recommendations on how to enhance the organizations security posture.

Penetration Testing
Penetration Testing, also known as ethical hacking, is conducted to confirm the true risk of vulnerabilities identified. Through exploitation of vulnerabilities, engineers will gain root or administrator-level access to the target systems and/or other trusted user account access. During this process, advanced tools and custom utilities will be used to maintain availability of the servers while gaining access to potential vulnerable services. After manual verification of the information from the testing, we provide a mitigation plan to secure the network and prevent the information from being accessed.

Web Application Testing   
With the evolution of technology making perimeter access devices more secure and the rise in the sophistication of e-business focused attacks, the security focus has shifted to the next battlefront— applications. Application security involves checking the security controls of an application, not the operating system or device that hosts the application. The security review is directly related to the applications that have been custom developed or built on top of other commercial applications. Application security testing does not involve looking at hosting software such as the web servers, but rather focuses on the application software itself. For example, for an application developed using Active Server Pages (ASP), and a Microsoft Internet Information Server (IIS) running on a Windows 2000 operating system, the focus of the application security testing would be the ASP application. Neither IIS nor Windows 2000 would be tested.