Internal Vulnerability Assessment - IVA

DESCRIPTION

Our technical vulnerability assessment provides your organization with an understanding of technical risks present on your internal network. Many organizations face a number of threats from internal sources including disgruntled, careless, or bored employees. There are also threats that originate from external sources that exploit weaknesses in internal network controls such as weak, poor, or misconfigured systems and applications. It is important for each organization to understand these risks within the organization. E3 can provide clear understanding by carefully analyzing and testing internal systems to determine any weaknesses. 


TESTING OBJECTIVES

Our vulnerability assessments consist of automated scans as well as hand testing and validation. Examples of areas to be tested are:

  • Router/Infrastructure Security

Routers, switches, hubs, and other supporting devices will be examined for security, proper storage of passwords, account access logging, and correct configuration.

  • Server Security

Our review includes all operating systems, applications, utility patches, security settings, and audit tracking. We evaluate the current level of password storage security, segregation of duties, and compensating controls. The servers' position in the network topology is also evaluated and our recommendations are both technical and specific in nature.

  • Application Account Policies

We will determine whether account policies conform to corporate standards and industry best practices. Account policies determine what restrictions are placed upon valid users. These include options such as password length, password effective life, the locations users may log in from, and any time restrictions that are applied to users. With security restrictions, it is important to remember that an effective security restriction allows authenticated users the minimum amount of freedom and still allows all necessary work to be completed without restriction.

  • Password Security

E3 will determine whether user account passwords conform to corporate standards and industry best practices regarding strength and composition. We will also review the password policy and adherence to it at the domain level, in the core application, and in other key applications with sensitive member or customer data.

  • Secure Passwords

Secure passwords are difficult to maintain in that the very thing that makes a password secure makes it difficult to use. Long, complex, frequently changing passwords are certain to provide both users and administrators with unnecessary technical support incidents. E3 will test the organization’s controls to prevent theft of passwords. E3 testers will also run password-cracking and brute-force attempts where applicable.

  • Workstation Security

We will review the security configuration of the desktops and laptops used across the organization’s network. Workstation security guards against two distinct realms of risk. First, a risk exists if authorized users have the ability to inadvertently or maliciously compromise security. The second risk concerns unauthorized users 'piggy-backing' on an existing authorized user's session. This risk exists not only with users sharing passwords, but also in cases where the business environment allows clients, vendors, and visitors access to office space.

Are you interested in E3 Services? Do you want more information or a proposal? For more information, or to receive a Request For Proposal questionnaire, please contact us toll-free at (866) 585-8324 or via email at sales@e3technologyinc.com.
— Exceeding Every Expectation