Internal Vulnerability Assessment - IVA

description

Our technical vulnerability assessment provides your organization with an understanding of technical risks present on your internal network. Many organizations face a number of threats from internal sources including disgruntled, careless, or bored employees. There are also threats that originate from external sources that exploit weaknesses in internal network controls such as weak, poor, or misconfigured systems and applications. It is important for each organization to understand these risks within the organization. E3 can provide clear understanding by carefully analyzing and testing internal systems to determine any weaknesses. 

TESTING OBJECTIVES

Our vulnerability assessments consist of automated scans as well as hand testing and validation. Examples of areas to be tested are:

• Router/Infrastructure Security

Routers, switches, hubs, and other supporting devices will be examined for security, proper storage of passwords, account access logging, and correct configuration.

• Server Security

Our review includes all operating systems, applications, utility patches, security settings, and audit tracking. We evaluate the current level of password storage security, segregation of duties, and compensating controls. The servers' position in the network topology is also evaluated and our recommendations are both technical and specific in nature.

• Application Account Policies

We will determine whether account policies conform to corporate standards and industry best practices. Account policies determine what restrictions are placed upon valid users. These include options such as the following: password length, password effective life, location users may log in from, any time restrictions that are applied to users, etc. With security restrictions, it is important to remember that an effective security restriction allows authenticated users the minimum amount of freedom and still allows all necessary work to be completed without restriction.

• Password Security

E3 will determine whether user account passwords conform to corporate standards and industry best practices regarding strength and composition. We also will review the password policy and its adherence at the domain level, core application, and other key application with sensitive member or customer data.

• Secure Passwords

Secure passwords are difficult to maintain in that the very thing that makes a password secure makes it difficult to use. Long, complex, frequently changing passwords are certain to provide both users and administrators with unnecessary technical support incidents. E3 will test the organization’s controls to prevent theft of passwords. E3 testers will also run password crack and password brute force attempts where applicable.

• Workstation Security

We will review the security configuration of the desktops and laptops used across the organization’s network. Workstation security guards against two distinct realms of risk. First, a risk exists if authorized users have the ability to inadvertently or maliciously compromise security. The second risk concerns unauthorized users 'piggy-backing' on an existing authorized user's session. This risk exists not only with users sharing passwords, but also in the cases where the business environment allows clients, vendors, and visitors access to office space

External Vulnerability Assessment - EVA

description

Our External Vulnerability Assessment provides your organization with an understanding of the risks present on your systems with an Internet presence. External threats are those posed by external sources such as hackers, viruses, and trojans to your systems that are accessible via the Internet. Typical systems include firewalls, routers, VPN concentrators, web sites, email, and domain name servers. Testing will enumerate vulnerabilities and identify possible threats that the vulnerabilities pose. A vulnerability assessment does not attempt to exploit identified vulnerabilities.

TESTING OBJECTIVES

External testing includes the same basic stages as the internal penetration testing does:

• Passive and Active information gathering

• Vulnerability identification and ranking

• Threat modeling and exploitation attempts

• Detection avoidance

• Denial-of-service attacks

• Brute force attacks

Active Directory Security Review

DESCRIPTION

In most organizations, Windows Active Directory is a foundational security control. Surprisingly, many companies never bother to check whether their AD environments are properly hardened. Frequently, security features that can be enabled by security groups, file share permissions, group and local policy are missing or inadequate. Our review focuses on how the organization uses AD security and how it compares to recommended best practices.

Password Strength Review

DESCRIPTION

Are your password policies sufficient? Is it possible for a malicious hacker or insider to compromise passwords for sensitive systems or other users? We can perform testing to determine if your systems’ passwords are appropriate and adequately hardened against common attacks.

Wireless Network Assessment - WNA

DESCRIPTION

Wireless networks by their very nature are accessible without needing physical access. Has your organization properly hardened its wireless environment? Have you checked for unauthorized Wi-Fi access points on your environment? Our wireless network assessment focuses on the appropriate security hardening mechanisms that should be employed and tests whether they are configured properly.

TESTING OBJECTIVES

Wireless testing consists of the following areas:

• Wireless heat mapping and identification of wireless access points

• Assess the ability for an unauthorized attacker to gain access to the

  wireless network

• Wi-Fi intrusion testing

• Wi-Fi brute force testing

• Rogue access point analysis

• Review of monitoring/alerting for intrusion attempts