Focus on Vulnerability


February 2016


Millions of cyber attacks take place every day globally; it is estimated that the annual cost to the world economy is £238 billion (Source: Intel Security – McAfee, Centre for Strategic and International Studies, June 2014).

“Our organisation and customers rely increasingly on intranet and internet accessible systems and communications links – but how secure are they?” Many organisations have realised and invested in the opportunities and efficiencies that e-commerce and web-based technologies have enabled.

Consider the business and reputational impacts if your organisation's systems or communications infrastructure became compromised by either a mischievous or malicious third party or employee – how do you manage that risk today?

However, these enabling technologies have also attracted a range of mischievous individuals, opportunist thieves and organised criminals who are capable of actions leading to a range of outcomes, from disruption and embarrassment to the theft of private client data and even large-scale financial loss. In order to actively manage the organisation's risks, and to satisfy regulatory and compliance requirements, organisations are required to protect access to their systems, networks and data. Some organisations have been more proactive than others and have sought to protect themselves and their customers from these risks by adhering to standards such as:

- PCI (payment card industry)
- ISO/IEC 27001 Information Security Management
- Cyber Essentials (standard and plus)

The only way to truly test your defences and expose any vulnerabilities to both internal and external attacks is to simulate a real attack through comprehensive penetration testing (also known as pen testing). When undertaken with a scheduled frequency appropriate to the organisation's risk exposure and tolerance, it can provide management with assurance of adequate and up-to-date protection from the latest cyber attack methods.

Copyright © Gateway Assure 2015 registered in England and Wales - MCH House, Bailey Drive, Gillingham, ME8 0PZ - Company number: 08232033


It is also appropriate to consider not only the technology vulnerabilities but also the process ones, which can facilitate easy unwanted access. For example: when are system accesses removed from leavers? Do you have role-based access controls? Is your business continuity plan (BCP) adequate for managing a denial of service attack?

CREST Accredited Penetration and Vulnerability Testing

We are able to offer a broad range of penetration and vulnerability services, accredited by CREST, OWASP, CBEST and OSSTMM consultants. The penetration and application testing services can cover any or all of the following:

External Infrastructure and Application Penetration Testing

An external penetration test is a structured approach that emulates an attacker looking to gain unauthorised access to the targeted infrastructure from outside the organisation, typically from the Internet. The test would be conducted from a zero-knowledge ‘Black Box’ perspective – which in business language means that no initial information (e.g. IP addresses) is required from the customer. It can also incorporate wireless, firewall rules, virtual private network (VPN) and other areas such as patching assessment.

External application penetration testing can cover web application penetration testing, mobile application penetration testing, and protocol fuzzing.

Internal Infrastructure and Application Penetration Testing

The fundamental difference from the above is that the testing is conducted at the customer site rather than over the internet. The scope can cover infrastructure penetration testing, application penetration testing, source code review, and application threat modelling. The approach typically follows three steps:

- Black Box - Blind RJ45 socket testing from the perspective of an attacker with no network privileges. This phase will attempt to establish what level of access can be achieved when connecting to the network with zero privileges or knowledge.
- White Box - Privilege escalation and further access. This phase will examine the network from the perspective of a low-level user, and will demonstrate what could be achievable by a determined internal attacker with some knowledge.
- Containment measures exercise - A review of the resilience of the network to typical worm, Trojan or virus-borne attacks. This phase looks at the general status of the network from the perspective of the typical vulnerabilities that malicious software frequently utilises. Patch level, configuration, policy implementation and general network design will be taken into account.

As mentioned previously, even the best technology security controls can be bypassed by poor control processes, so we would recommend that this also factors into your risk assessment and the scoping of any potential engagement.

We also offer a range of professional services covering Assurance, Risk Management, Governance and Board facilitation, Transformation and Transition Management and Training.

Next steps?

Gateway Assure would welcome the opportunity to become part of your team, and to work towards becoming your trusted advisor. Please email or telephone us to arrange an initial meeting, and together we can establish what value we can add to your organisation.

For more information on Gateway Assure consulting services please contact: Phil, Director of Business Consulting - phil.jennings@gatewayassure.com

