Security Audits
A computer security audit is a manual or systematic, measurable technical assessment of a system or application. Manual assessments include interviewing staff, performing security vulnerability scans, reviewing application and operating system access controls, and analyzing physical access to the systems. Automated assessments, or CAATs (computer-assisted audit techniques), include system-generated audit reports or the use of software to monitor and report changes to files and settings on a system. Systems can include personal computers, servers, mainframes, network routers, and switches. Applications can include web services and databases.
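As an added illustration of the automated (CAAT-style) assessment described above, the following script records a baseline of file contents and permission bits, then reports what was added, removed or modified. It is example code written for this page, not a tool of the page's author; the directory layout, settings file and changes it applies are constructed for the demonstration.

```python
"""Added example (not from the original page): a minimal automated audit
check of the kind the text calls a CAAT, i.e. software that records a
baseline of files and settings and reports what changed afterwards."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of the file contents; the change detector for each entry."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: Path) -> dict:
    """Snapshot every regular file under root: content hash plus mode bits."""
    return {p.relative_to(root).as_posix(): {"sha256": hash_file(p),
                                             "mode": p.stat().st_mode & 0o777}
            for p in sorted(root.rglob("*")) if p.is_file()}


def audit(baseline: dict, current: dict) -> dict:
    """Compare two snapshots; report added, removed and modified entries."""
    report = {"added": [], "removed": [], "modified": []}
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            report["added"].append(name)
        elif name not in current:
            report["removed"].append(name)
        elif baseline[name] != current[name]:   # hash or permissions differ
            report["modified"].append(name)
    return report


def demo() -> dict:
    """Constructed scenario in a temp dir: take a baseline, apply three changes, re-audit."""
    root = Path(tempfile.mkdtemp())
    (root / "etc").mkdir()
    (root / "etc" / "app.conf").write_text("debug=false\n")
    (root / "etc" / "users.txt").write_text("alice\n")
    before = take_baseline(root)
    (root / "etc" / "app.conf").write_text("debug=true\n")  # setting changed
    (root / "etc" / "users.txt").unlink()                   # file removed
    (root / "etc" / "new.key").write_text("secret\n")       # file added
    return audit(before, take_baseline(root))


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline would be stored off-host and signed, so that an attacker who modifies files cannot also rewrite the record they are compared against.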
Vulnerability Assessment
As documented by SANS, “Vulnerabilities are the gateways by which threats are manifested.” In other words, a system compromise can occur through a weakness found in a system. A vulnerability assessment is a search for these weaknesses and exposures so that a patch or fix can be applied before a compromise occurs.
How do these weaknesses occur?
There are two points to consider:
- Many systems are shipped with known and unknown security holes and bugs, and with insecure default settings (passwords, etc.).
- Many vulnerabilities occur as a result of misconfigurations by system administrators.
Ethical Hacking
A penetration test, often shortened to pentest, is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a black hat hacker or cracker. The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, known and unknown hardware or software flaws, and operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities. Any security issues that are found are presented to the system owner, together with an assessment of their impact, and often with a proposal for mitigation or a technical solution. The intent of a penetration test is to determine the feasibility of an attack and the business impact of a successful exploit, should one be found. It is a component of a full security audit. For example, the Payment Card Industry Data Security Standard (PCI DSS), a security and auditing standard, requires both annual penetration testing and ongoing testing after system changes.
Web Application Audits
Web applications are frequently the Achilles' heel of a network. A web application has to be accessible to all of your customers, so ports 80 and 443 have to be open to the world to provide ubiquitous access to it. At the same time, a full-featured web application is connected to the corporation's database, which stores customer, order, and pricing information. In short: a web application is the shortest path an attacker can take to reach the organization's crown jewels. Securing web applications is critical, and it is not easy.
Application Code Audits
Application code reviews are key to protecting critical business systems from cyber-attacks and meeting the demands of regulatory compliance. While it may be tempting to rely on tools and internal processes, without the proper training and experience it is easy to misinterpret results and difficult to create an actionable remediation strategy. TIP consultants have years of code auditing experience and routinely assist organizations with highly complex and advanced application security challenges. Software development is an evolutionary and iterative process, which is why we work directly with your development team to meet your defined security criteria and functionality requirements. Our approach reflects the structure of your development process and includes audit checkpoints for each of your major product stages (alpha, beta, release candidate, etc.). TIP's hands-on process goes beyond the limitations of automated vulnerability scanning tools. Our experienced security auditors know how to identify and examine vulnerable points in design, such as legacy interoperability, to uncover flaws that may result in a security compromise. We deliver detailed documentation of the location and nature of each problem we find, and our consultants advise your developers on how to address the immediate problem and avoid similar problems in the future. Our services include:
- Application Code Review {C/C++, .NET, JEE, Delphi, ASM, Perl}
- Web Application Code Review {ASP.NET, C#, JEE, PHP}
- Black-box Application Penetration Tests
- Product Evaluation and Recommendations {white and black}
- Reverse Engineering Software and Protocols
- DRM Testing
- Fuzz Testing of Applications and Protocols
- M&A Due Diligence