Internal Vulnerability Assessment - IVA
Our technical vulnerability assessment provides your organization with an understanding of the technical risks present on your internal network. Many organizations face a number of threats from internal sources, including disgruntled, careless, or bored employees, as well as threats that originate from external sources and exploit weaknesses in internal network controls, such as weak, poor or misconfigured systems and applications. It is important for each organization to understand these risks. E3 can provide a clear understanding by carefully analyzing and testing internal systems to determine any weaknesses.
Our vulnerability assessments consist of automated scans as well as hand testing and validation. Examples of areas to be tested are:
Router / Infrastructure Security
Routers, switches, hubs, and other supporting devices will be examined for security, proper storage of passwords, account access logging, and correct configuration.
Our review includes all operating system, application, and utility patches, security settings, and audit tracking. We evaluate the current level of password storage security, segregation of duties, and compensating controls. The servers' position in the network topology is also evaluated, and our recommendations are both technical and specific in nature.
Application Account Policies
We will determine whether account policies conform to corporate standards and industry best practices. Account policies determine what restrictions are placed upon valid users. These include options such as the following: password length, password effective life, locations users may log in from, any time restrictions that are applied to users, etc. With security restrictions, it is important to remember that an effective security restriction allows authenticated users the minimum amount of freedom and still allows all necessary work to be completed without restriction.
E3 will determine whether user account passwords conform to corporate standards and industry best practices regarding strength and composition. We will also review the password policy and adherence to it at the domain level, in the core application and in other key applications with sensitive member data.
Secure passwords are difficult to maintain in that the very thing that makes a password secure makes it difficult to use. Long, complex, frequently changing passwords are certain to provide both users and administrators with unnecessary technical support incidents. E3 will test the organization's controls to prevent theft of passwords. E3 testers will also run password-cracking and password brute-force attempts where applicable.
We will review the security configuration of the desktops and laptops used across the organization's network. Workstation security guards against two distinct realms of risk. First, a risk exists if authorized users have the ability to inadvertently or maliciously compromise security. The second risk concerns unauthorized users 'piggy-backing' on an existing authorized user's session. This risk exists not only with users sharing passwords, but also in cases where the business environment allows clients, vendors, and visitors access to office space