Security Assessment


In this section, you will find descriptions of the most common assessment scenarios. These can be customized in many ways to meet a customer’s needs. Each type of assessment takes a different amount of time, and the effort scales with the number of targets (applications, servers, networks, etc.). The exact type and scope of assessment should be agreed in the “kickoff” meeting.

NETWORK BASED (ATTACK & PENETRATION)

Penetration testing includes components of application vulnerability assessment, host vulnerability assessment, and security best practices. This type of test can be performed with or without detailed prior knowledge of the environment. When it is performed without prior knowledge, additional steps are taken to enumerate hosts and applications and to assess how easily an outsider could use publicly available information or social engineering to gain unauthorized access.

An attack and penetration test will answer questions like:

  • How vulnerable is the network, host, and application(s) to attacks from the internet or intranet?
  • Can an intruder obtain unauthorized access to critical resources?
  • Are social engineering techniques effective?
  • Are operational controls effective?

This would involve the ATSS acting as an attacker and looking at the system as an outsider. The ATSS would look for:

  • Remotely exploitable vulnerabilities
  • Patch levels (OS and applications)
  • Unnecessary services
  • Weak encryption
  • Weak authentication
  • Etc.

HOST BASED

This is an assessment of the health and security of a given workstation or server. Automated scanning tools (e.g. Nessus) are the primary vehicle for this type of assessment. Additional hands-on inspection may also be necessary to assess conformance to security best practice.

This assessment will answer questions like:

  • Is patching up to date?
  • Are unnecessary services running?
  • Are anti-virus/anti-malware signatures up to date?

This would involve the ATSS acting as a system administrator and auditing the system and applications, looking for:

  • Locally exploitable vulnerabilities
  • Patch levels (OS and applications)
  • Access rights
  • Security best practices
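One of the hands-on checks above, “are unnecessary services running?”, can be scripted so it is repeatable across hosts. The script below is an added example, not ATSS tooling or anything from the original page: it takes the output of `ss -H -ltn` (a constructed sample is embedded so it runs offline), ignores loopback-only listeners, and reports any network-facing TCP port that is not on a hypothetical agreed allowlist.

```shell
#!/bin/sh
# Added example: flag listening TCP services that are not on an agreed allowlist.
# On a live host replace SAMPLE_SS with the real output of: ss -H -ltn

# Constructed sample of `ss -H -ltn` output (State Recv-Q Send-Q Local Peer).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# Hypothetical allowlist: ports this host is permitted to expose to the network.
ALLOWED_PORTS="22 80 443"

# unexpected_listeners SS_OUTPUT ALLOWED_PORTS
# Prints addr:port for every LISTEN socket bound to a non-loopback address
# whose port is not in ALLOWED_PORTS. Loopback-only listeners are skipped
# because they are not reachable from the network.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            lp = $4
            port = lp; sub(/.*:/, "", port)       # text after the last colon
            addr = lp; sub(/:[^:]*$/, "", addr)   # text before the last colon
            if (addr == "127.0.0.1" || addr == "[::1]") next
            if (!(port in ok)) print addr ":" port
        }'
}

# count_unexpected SS_OUTPUT ALLOWED_PORTS -> number of flagged listeners
count_unexpected() {
    unexpected_listeners "$1" "$2" | wc -l | tr -d ' '
}

# On the constructed sample only the MySQL port (3306) is flagged; the CUPS
# listener on 127.0.0.1:631 is loopback-only and is ignored.
unexpected_listeners "$SAMPLE_SS" "$ALLOWED_PORTS"
```

Anything the script prints is a finding to discuss with the system owner: either the service is needed and the allowlist is wrong, or it should be stopped and disabled. The same pattern extends to UDP (`ss -H -lun`) by changing the `ss` flags; the parsing is identical.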

APPLICATION BASED

This is an assessment of the functionality and resilience of the compiled application against known threats. It focuses on the compiled and installed elements of the entire system: how the application components are deployed, communicate, or otherwise interact with both the user and server environments. Application scanning tools as well as manual testing, with and without application credentials, are used to perform this assessment. Typically some host, network, and general information security practices are assessed as part of an application vulnerability assessment.

This assessment will answer questions like:

  • Does the application expose the underlying servers and software to attack?
  • Can a malicious user access, modify, or destroy data or services within the system?

This would involve the ATSS auditing an application (typically web based) and looking for vulnerabilities such as:

  • SQL Injection
  • Cross Site Scripting
  • Cross Site Request Forgery
  • Improper input validation and data sanitization
  • Buffer overflows (limited)
  • Misconfigured or weak authentication

PHYSICAL SECURITY ASSESSMENT

This assessment typically involves interviews with key staff, documentation review, and an on-site visit to assess appropriate physical and environmental controls for safeguarding computing resources.

This assessment will answer questions like:

  • Are there appropriate physical access controls in place for securing servers and desktop machines?
  • Are appropriate environmental controls in place to sustain critical computing infrastructure?

ENTERPRISE SECURITY ASSESSMENT

This is a comprehensive study of the hosts, networks, applications, and environmental controls, as well as policies and procedures. This service is currently outsourced, though ATSS can serve as the engagement manager with a number of preferred suppliers.


Copyright © 2018 Aspire Tech, All rights reserved.